Drippy Blippy

The transaction-sharing site Blippy.com has sprung a leak, exposing full credit card numbers for a few users, and even after the company removed the exposed information, more data trickled out.

The scope of the leak was small — initially believed to be four credit card numbers belonging to three people — but produced 127 search results on Google Inc.'s search engine, repeatedly displaying full card numbers in the summary text of each search result, the news site VentureBeat reported last week. The linked Web pages did not display full card numbers when properly rendered by a Web browser.

Blippy's service allows participants to broadcast and discuss their spending habits by creating an automatic and public Twitter-like feed. Blippy's site shows the merchant, transaction amount and in some cases what was purchased, but was not supposed to share sensitive bank details.

Once news of the exposure began to spread, Blippy Inc. quickly began to work with Google to remove the sensitive information. On Friday the information appeared to have been removed from Google's system, but on Saturday VentureBeat reported that the problem was not yet fully resolved.

"Both Blippy and VentureBeat found another credit card number and name in Google earlier this morning," the Saturday article said. "It was only one, but it proves Blippy can't say with certainty that all numbers have been found."

Blippy's co-founder, Philip Kaplan, told VentureBeat that "we still have multiple people working on it. We're not saying we're done."

In a blog post Friday, Blippy explained how the numbers were exposed. Blippy's system takes in raw transaction data and cleans it up for display online. In an earlier version of Blippy, this data was retained in the coding of the Web page but invisible to most users.

In a follow-up blog post Monday, Blippy co-founder and Chief Executive Ashvin Kumar said that Blippy stopped including the raw data, which was visible for just half a day, when the company realized it contained airline flight information.

"Up until that day in early February … we incorrectly considered raw data fairly harmless. It typically is," Kumar wrote. When Blippy became aware of the flight data, "which in combination with a user's last name could be used to check someone into a flight … we quickly patched the issue and took extra precautions to never, ever expose raw transaction data again," Kumar wrote.

In rare cases, that raw data included full card numbers, Blippy said. Google scanned the data before Blippy removed it. This had the effect of preserving the sensitive information in Google's system even after Blippy believed it had vanished.

Malware on the Go

A new malicious program targets users of mobile devices — but does not target the device itself.

Scammers are trying to dupe owners of Apple Inc.'s iPad tablet into running a file purported to be an updated version of iTunes, the software used to manage data on the device, according to a report from the security software maker BitDefender.

The scammers promise that the file will add features to the iPad and improve its security, but if victims run the program, it instead provides unauthorized access to the users' home computers, BitDefender said. It also attempts to steal passwords and software serial numbers.

Though the malicious program targets iPad users, it does not infect the iPad itself, nor does it work on Apple's Mac computers; only users of Microsoft Corp.'s Windows are vulnerable, BitDefender said.

McAfee's Mistake

Businesses may be less trusting of their security software after an update from McAfee Inc. disabled users' computers.

McAfee's software pushed out an update to corporate customers last week that mistakenly considered a critical Windows file to be an 18-month-old Trojan horse, MSNBC.com's Bob Sullivan reported in his "The Red Tape Chronicles" column April 22. When the antivirus software removed that file, the systems could no longer boot up without being fixed by a professional.

The deeper issue, Sullivan wrote, is that businesses may now be wary of their security software and may switch off the software's ability to implement automatic updates. Ten years ago, such updates came out infrequently enough that they could be handled manually, but today the onslaught of new virus attacks has grown incessant — Symantec Corp., a McAfee rival, estimates that 20,000 new threats emerge each day, compared with 10 to 15 a week a decade ago.

Even 10 years ago, "the vast majority of PC users wouldn't bother manually installing software patches and antivirus protection," Sullivan wrote. "That made them easy prey." Today, he wrote, new virus updates come out so frequently that manual updates are no longer practical — it has to be handled automatically.

And the scammers wasted no time in exploiting fears over the McAfee goof.

"Even this incident, while ultimately harmless for victims (outside of lost time), created a big opening for the bad guys," Sullivan wrote. "Consumers affected by the bug who went to Google looking for answers last night found fake Web pages offering help that were loaded with booby traps."

SSN (Not) RIP

A 1990 federal law makes the Social Security numbers of the dead available to any buyer for $18 each.

The law requires the Social Security numbers to be printed on death certificates, The Boston Globe reported April 17. Massachusetts, where the law took effect in 1998, charges $18 for death certificates at its Registry of Vital Records and Statistics.

This is a risk to banks because even after death, an individual's Social Security number could live on for several months, State Auditor Joseph DeNucci explained in a letter to Rep. Stephen F. Lynch, D-Mass.

There is "a gap of several months before deaths are reported to the Social Security Administration," DeNucci wrote. "The ability of individuals or entities to acquire multiple Social Security numbers by a simple request is an open invitation to identity theft."

In response, Lynch wrote that he would pursue "either a legislative or regulatory fix" to the issue DeNucci raised, the Globe reported.

Security Watch is a weekly roundup of news and developments in data security and their impact on financial services companies.
Please e-mail us any comments, ideas, and suggestions about this column.