We take security seriously and want to assure Blippy users that this was an isolated incident from many months ago in our beta test, and doesn't affect current users.
While it looks super-scary and certainly sucks for those few people who were affected, and is embarrassing to us, it's a lot less bad than it looks.
This could have been phrased a bit better to include an actual apology. It's pretty easy to do: "Several months ago Blippy's limited beta test leaked data about four customers, including their credit card numbers. That is totally our fault. We have apologized to those four customers personally and have taken steps to make sure it cannot happen again. The site currently does not leak data, but those four customers' numbers are still visible on Google searches. We are working with Google to correct this and expect it to be resolved in a few hours.
Here are the improvements Blippy has made to deserve our customers' trust:"
[Edited to add:
The Japanese salaryman in me would suggest that the CEO sign this post. Phrasing might include "This was ultimately a failure of our internal quality controls, because it should have been caught several times before this data was exposed publicly. I take full responsibility for the lapse and have begun..."]
A quick elaboration on the CEO thing, because I didn't want to give the impression I'm grinding anybody's nose in it: Tactically I think it is a good idea because it demonstrates that the company has no higher priority than the users' security and their trust. (And if your business is publishing folks' info, that is probably true. Heck, everybody on the Internet who takes credit cards, in any capacity, has a built-in "Are they going to scam me?" objection to address.)
Culturally, in Japan, the title for the CEO (often) literally means "Person With The Highest Responsibility." (最高責任者 -- all the other CXOs are "Person with the Highest Responsibility For [Information, etc]") Within the company, I'm sure some junior engineer is going to get a royal chewout today, but to the rest of the world, the company is an impenetrable mass. When an employee screws up, the company has screwed up, and when the company screws up, the CEO (or division chief or whomever) apologizes because his job is managing the business such that it does not screw up.
When done well, I think this is one of the most emulation-worthy bits of the Japanese corporate culture. It sends a message internally that you will always back your people come what may, and externally that you're worthy of the trust your customers, shareholders, and business partners place in you.
It's amazing how many companies still don't get it.
You made a very public mistake -- apologize, wholeheartedly and genuinely, and accept responsibility. That's it!
Making it seem like it's not a big deal makes it come off defensive, unprofessional, and like an excuse.
Now is not the time for that -- use the mitigating details in a follow-up post that highlights your progress and what you've implemented to ensure it never happens again. Don't do it now.
Too bad there isn't a couple of mandatory classes in Evolutionary Psych. 101 and Cognitive Biases 101 for the people in charge and those who advise them. Knowing about very common human flaws could help these people avoid these same mistakes that we see over and over when these types of situations happen.
Phil Kaplan is the guy most associated with Blippy (and with the biggest reputation of the 3 people at Blippy from before Blippy). I'd consider his statement more meaningful than the CEO's. The other two blippy guys are mid-2000s graduates with 1-2 smaller projects to their names.
Phil is non-CEO due to historical accident (I think he was CEO of adbrite still when blippy was launched and maybe it would have looked bad?).
Whoa, I didn't know until just now that Phil Kaplan was at both AdBrite and Blippy. I think of him as the FuckedCompany guy, so wouldn't have thought he'd be part of something so close to the kinds of things FuckedCompany used to ridicule...
pud is a very smart guy, and I actually think the blippy concept could be successful; I just don't like the implementation.
I was thinking of doing a "sharing your amazon purchases" startup (as a way to give people advice about their own purchases; e.g. if you buy a printer, a laptop, etc., have a single place you can go to with info on your purchases -- stuff like where to get toner, owners manuals, repair services, etc.). Someone mentioned blippy, and I met him in person a few times at Founder Institute.
Yeah, I still might build it (a friend of mine from FI was interested in it, but I had to go to war at short notice). It's still not the big project I want to work on though.
Yeah, I don't know. My lizard brain wants to see them writhing on the ground pleading for mercy, but the teeny tiny rational part of my brain wonders what I expected them to say instead of this.
If you get past your expectations about their attitude, they are being pretty forthright about what actually happened; in many more contrite disclosures, you don't get this level of detail. I appreciate the detail.
I'd like to see something other than the standard "now we're getting third-party security audits" platitudes. For instance, I'd like to know that they have a software security person on staff now, since they're clearly dealing with credit card information that they don't fully understand.
I have never used this service and from reading what it does, I probably never will. BUT, if I were the kind of person into these type of things, I would feel pretty good about them. The explanation sounds sincere, honest and heart-felt. They have done their research and discovered what caused the problem. The credit card numbers were only in the source-code of the HTML, not actually displayed on the HTML page (I know it only takes 2 clicks to see the source, but how many people check out the source code of every page we see through the day?). And they are telling us that they are well-funded to dedicate more resources on security. I feel pretty good about them.
I'm pretty sure there are much easier ways to get credit cards online than randomly looking at webpages. Can't you buy them in bushels from Romanian hackers? I hear the going rate is much less than a dollar a number.*
*I hear this from a person who used to work in e-commerce stopping illegitimate transactions, not from illegal activity, btw.
Credit card numbers alone can be generated, no need to steal them. Only in combination with the expiry date and cvv do they have any value, newer cards are protected with a pin code for that reason.
The whole reason the VBV program exists is to make the numbers alone worthless.
Why would you single out the Romanians? There are people doing that sort of thing all over the world.
Either you want businesses to communicate with the public like normal human beings or you can complain and nitpick their statements for not being perfectly phrased. Not both.
I'm glad they candidly told us about what went wrong. There's an important lesson to remember about how everything put on the web can be indexed and stored even if it was only up for a short time.
Wow, I would have thought they would have at least made a motion to apologize. Instead they've basically said "hey, this isn't a big deal, stop complaining".
Seems like they apologized to the four users involved. I don't know that they owe the public in general an apology. They basically explained why this is less scary than the headlines (including the one here on HN) make it look and said that they were committed to keeping this from happening again, including giving examples of steps they were going to take.
What would you have liked to see from them? Prostrating themselves before you for revealing someone else's credit card data?
I would have liked to have seen "a lot less bad than it looks" replaced with "one would have been too many" and "we will work very hard to regain your trust". It's okay... but the public is their target audience! Simple phrases, big impact.
Leaking 4 of thousands of credit card numbers IS a huge deal. It's a disservice to their users (even the ones who weren't affected) for them to downplay it.
I'm personally getting the feeling that downplaying it was more of a trip up on their part. They wake up, find they are suddenly being viewed as the devil, and for some strange reason want people to believe that things are not as bad as they look. The problem, though, is they should never have said that directly. They should have given us every reason to believe that things are not as bad as they look and have us come to that conclusion for ourselves. They should also get some PR people on pay; they probably need them more than the added security.
But technically speaking it really isn't a big deal, if you take any one of your own credit cards, extract the 'bin' and generate the rest of the numbers to be valid (http://en.wikipedia.org/wiki/Luhn_algorithm) you can make credit card numbers until you drop, with a high probability that they are currently in service (if your number is active, so are a lot of other numbers in your bin).
But those numbers alone will not allow you to do anything.
* Someone finds a small isolated mistake,
assumes the absolute worst
* Rumor, misunderstanding, exaggeration, sensationalism
* Opinion, how could they be so stupid, it's *so* simple!
* Over-reactionary moralistic boycotts start
"Well I for one won't stand for this, who's with me!"
* One-upmanship starts "Well I for one want the CEO to apologise"
"I think the only decent thing is for them to cease trading".
"Let's start an anti-<company> website!". This is war.
* Sheep all join in and circlejerk for a while.
* News that the original premise was in fact wildly exaggerated
or just plain incorrect, gets lost in all the noise.
Sadly it's the way of the internet... Just look at most posts on Reddit these days... Just a shame it seems to have come to HN.
I'm not really sure what you're referring to. I haven't assumed anything, publishing credit card numbers is about the worst thing you can do when dealing with people's financial credentials. Maybe you don't think it's a big deal, but I'm sure you're not one of the people whose card information was being plastered on the internet.
Additionally, I don't think I was being sensationalist - when this posting first went up there was no apology, just a long explanation of why this wasn't a big deal.
I wasn't being moralistic, made no demands, nor did I exaggerate anything.
I've been here just as long as you have (longer, actually; but who's counting, right?) so you can save the reddit comments.
They published the "DESCRIPTION". They did not know that sometimes banks put full credit card numbers in that field.
Personally, I'd be angry at the banks for doing something so stupid. Do you think your bank should ever give out your credit card number in such a stupid way?
>> "publishing credit card numbers is about the worst thing you can do when dealing with people's financial credentials."
True enough. But that's not the full story of what happened. They published the transactions description as given to them by the bank.
FWIW, I have never used their service, and have no ulterior motive to defend them. I just hate over-reactionary mob mentality at work.
I read their response. Their response is precisely why this is a big deal. They should have known that credit card numbers might have been in the description field - anyone who deals with bank feeds with any regularity would know that.
Banks and merchants have been doing stupid things for decades; but what they haven't been doing is publishing those details for all to see.
One would hope that Blippy had done some due-diligence and had some concepts about the kind of data they'd be dealing with when they decided to take transaction feeds and publish them. They've clearly figured that out now.
My point was that it didn't seem like they were treating this as something truly serious.
It's not the bank's fault because that wasn't meant to be public information when they built their system. It wasn't the consumer's fault (any more than signing up for a questionable service) because they aren't supposed to know the details of what's inside a transaction feed. By default, it's Blippy's fault because they should have known better.
Nobody is asking them to fall on their sword over this; but it would have been nice to get some indication that they thought it was a big deal.
>> "it would have been nice to get some indication that they thought it was a big deal."
It could have been a big deal, if it had affected more than 4 beta users, or if they hadn't noticed and hadn't fixed it.
I'd rather base level of outrage on what happened rather than what could have happened. Obviously you take all precautions you can possibly think of, but shit happens.
If the onus is soon going to be on the user having to explain why he sees a problem with his private details being shown to the whole world, there are going to be lots of problems and incidents which people are in no way ready for.
I was chatting with someone about the language used in a lot of these apologies. This has come up in a lot of issues - like in the Justin.tv suicide case.
I think companies fear legal repercussions. If you use certain words, you might be taking blame onto yourself in a legal sense and might have someone use that against you in a lawsuit.
I'm not sure about this incident but I definitely sensed that was the issue with the Justin.tv apology.
Sorry, but this blog post indicates that Blippy is in no way serious about security. Blippy handled sensitive data (credit card numbers) in a highly insecure fashion, and rather than treating it like a full-scale emergency, which it is, regardless of the number of people affected, we get this "hey, it's no big deal" blog post.
What other massive security mistakes are lying around in their codebase? Why does this sort of reply give me absolutely no faith that they'll deal with those problems seriously when/if they arise?
Everyone and every company makes mistakes, so it's not a matter of whether or not you screw up (because you will), but rather how will you deal with it when it happens. I think Blippy dealt with it pretty well.
Having said that: I think Blippy was a dumb idea to begin with, and this dumb mistake may have been the final nail in the $11-million-Series-A-funded coffin.
now that this whole thing has blown over, i'd love to hear from someone at blippy regarding how this affected their subscriber count. i have a feeling it went up today despite the negative press.
15 for American Express. 14-16 for various kinds of Diner's Club. 16, 18, or 19 for Solo and Switch.
It would not have occurred to me that the number might even be in the raw data. Sounds like the supplier is violating PCI. (That doesn't apply if the supplier is the card company or issuing bank--PCI is just something they require others to follow. They hold themselves to a much lower standard).
It might be a useful heuristic for companies anywhere remotely in this space to use during early alpha/beta periods though. There aren't that many legitimate cases where you're going to be sending 14-to-19-digit numbers in HTML, so at least during the early phases, flag them and make sure they're not CC#s that somehow got there.
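The heuristic suggested in the comment above, written out as an added example that is not part of the thread or Blippy's code: scan outgoing HTML for 14-to-19-digit runs and flag those that pass the Luhn check mentioned earlier in the discussion. The function names and the sample markup are assumptions constructed for illustration; 4111111111111111 is a widely published test number.

```python
import re

# 14 to 19 digits (the range suggested in the thread), allowing single
# spaces or hyphens between digits, and not part of a longer digit run.
CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){13,18}(?!\d)")

def luhn_ok(digits):
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask(digits):
    """Keep first 6 and last 4 digits so the finding itself is safe to log."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def find_card_like_numbers(html):
    """Return (offset, masked_number) for each Luhn-valid candidate in html.

    Scans the raw markup, so numbers hidden in attributes or comments
    (present in the source but not rendered) are caught too.
    """
    findings = []
    for m in CANDIDATE.finditer(html):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append((m.start(), mask(digits)))
    return findings

# Constructed sample: a bank "description" string echoed into an attribute,
# next to a 16-digit order id that fails Luhn and must not be flagged.
SAMPLE_HTML = (
    '<li class="purchase" title="VISA DEBIT 4111111111111111 COFFEE SHOP">'
    'Spent $4.50 at Coffee Shop</li>\n'
    '<li class="purchase" data-order="1234567890123456">Spent $12.00</li>\n'
)

if __name__ == "__main__":
    for offset, masked in find_card_like_numbers(SAMPLE_HTML):
        print(f"card-like number at offset {offset}: {masked}")
```

Run over rendered responses in a test suite or a staging proxy, a check like this fails the build when a transaction feed carries a card number into the page source.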
"That's why it's okay to hand your credit card over to waiters, store clerks, and hundreds of other people who all have access to your credit card numbers."
I don't like this attitude. Anyway who cares when you have $11.2 million funding