
Google is cunning!

Hello, dear Habr user! An interesting story happened to me, a perfect fit for the "Information Security" blog.

So I decided to read the news that my favourite Google Reader collects. The day turned out to be poor in information and there was little news. When the news from my own subscriptions runs out, I use a section called "Recommended items", where you can find assorted news from feeds you are not subscribed to but which match your interests thematically.

So I'm sitting there, flipping through...

No sign of trouble...


This is probably what your Reader looks like too?

InPic.ru - Useless ability
Privat24 statement: -5.00 UAH
Demotivators: Masha
The Juiciest! Yudash... *TYDYSCH*... and then the brain registers that something has just happened!

- Privat24 statement: -5.00 UAH ???

Something is not right here: I do not have a PrivatBank card and never have had one, and anyway these are not my subscriptions, these are "Recommended items"!

This "news" seemed interesting to me, and I decided to subscribe to the feed.
What can I tell you? Of course, PIN and CVV codes are not exposed there; that would be quite stupid. Many of the "news" items look something like this:

Description:
Available balance: -4587.25 UAH


Even the card number cannot be determined from such a message, and the feed itself is called "Privat24 statements: Visa (**** 0205) balance: 10063.75 UAH". The first message in this feed is dated April 13, 2010 and there are 170 messages in total, so there is something to look at.

Ding-ding-ding !!!


Description: 24: . FAMILIYA A UA GOROD 18, 16( 123456789123 0205 1234567891234567) .
Available balance: -4997.99 UAH


From this message it is not hard to work out the cardholder's card number, 123456789123 0205, and even the last name in Latin script. The Euroset salesperson sold his soul to the devil, and a little bag too.

What next?


Then I keep browsing the "news" and come across this message:

Description: 24. 123432123: . :+380671234567. : 06.01.2011 21:22:23. IDPAY: 1234567( 123456789123 0205 ) .
Available balance: -4329.56 UAH


A little later there is this:
Description: , "" (BLA1). : . I I [DAMDG55566677788899] : ( 123456789123 0205 )
Available balance: -3587.25 UAH


In total:
Payment card number.
Phone number.
Full name.
Photos, interests, friends. Thanks, VK.
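As an added illustration (not part of the original post and not PrivatBank's code): a small Python scanner that runs over statement text of the kind quoted above, masks card numbers and phone numbers before the text reaches any feed or aggregator, and reports which categories of personal data were present. The sample items are constructed from the placeholder values in the post, not real data; the field names and masking rules are my own assumptions about what a bank, or a cautious user auditing a feed, would want. Note that a surname such as the one in the first message is not caught by pattern matching, so masking is a backstop, not a substitute for keeping statements out of a shared aggregator altogether.

```python
import re
from dataclasses import dataclass

# Constructed sample feed items, modelled on the statement lines quoted in the
# post. The digits are the post's own placeholder values, not real card data.
SAMPLE_ITEMS = [
    "Description: 24: . FAMILIYA A UA GOROD 18, 16( 123456789123 0205 1234567891234567) .\n"
    "Available balance: -4997.99 UAH",
    "Description: 24. 123432123: . :+380671234567. : 06.01.2011 21:22:23. "
    "IDPAY: 1234567( 123456789123 0205 ) .\n"
    "Available balance: -4329.56 UAH",
    "Description:\nAvailable balance: -4587.25 UAH",
]

# 16 digits, optionally separated by single spaces or dashes, not glued to
# other digits: a full card number (PAN) as it is printed in the feed.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){15}\d(?!\d)")
# International phone number in the "+<country><subscriber>" form seen above.
PHONE_RE = re.compile(r"\+\d{10,14}(?!\d)")


@dataclass
class Finding:
    kind: str      # "card_number" or "phone"
    masked: str    # the value as it appears after masking


def mask_pan(pan: str) -> str:
    """Keep only the last four digits, as the bank itself does in the feed title."""
    total = sum(c.isdigit() for c in pan)
    seen, out = 0, []
    for c in pan:
        if c.isdigit():
            seen += 1
            out.append(c if seen > total - 4 else "*")
        else:
            out.append(c)  # preserve the original spacing
    return "".join(out)


def mask_phone(phone: str) -> str:
    """Keep the '+' and a three-digit country code, mask the subscriber part."""
    return phone[:4] + "*" * (len(phone) - 4)


def redact_item(text: str) -> tuple[str, list[Finding]]:
    """Return the redacted text plus a list of what was masked, in order."""
    findings: list[Finding] = []

    def pan_sub(m):
        masked = mask_pan(m.group(0))
        findings.append(Finding("card_number", masked))
        return masked

    def phone_sub(m):
        masked = mask_phone(m.group(0))
        findings.append(Finding("phone", masked))
        return masked

    text = PAN_RE.sub(pan_sub, text)
    text = PHONE_RE.sub(phone_sub, text)
    return text, findings


def exposed_data_types(items: list[str]) -> set[str]:
    """Which categories of personal data a whole feed would leak if published unredacted."""
    kinds: set[str] = set()
    for item in items:
        _, findings = redact_item(item)
        kinds.update(f.kind for f in findings)
    return kinds


if __name__ == "__main__":
    for item in SAMPLE_ITEMS:
        redacted, findings = redact_item(item)
        print(redacted)
        for f in findings:
            print(f"  masked {f.kind}: {f.masked}")
    print("feed exposes:", sorted(exposed_data_types(SAMPLE_ITEMS)))
```

Run on the three constructed items, the first yields two masked card numbers (the PAN and the 16-digit number that follows it), the second a masked card number and a masked phone number, and the third nothing; the feed as a whole is reported as exposing both card numbers and phone numbers, which is exactly the first two lines of the tally above.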

That's not all!


I contacted the bank and told them about the situation; it was accepted for consideration. But then it dawned on me!


I went to the feed and clicked "show details":

Feed subscribers: 2

Further googling established that PrivatBank previously had a function for exporting statements to RSS, but with the new Privat24 interface this function is not available yet. Though that is not particularly important.

Apotheosis


The cardholder turned out to be an advanced user and wanted to keep an eye on the state of his account not only through the Privat24 interface but also through an RSS feed, which he collected in Google Reader.
What's wrong with that? It is the modern approach of a modern person; moreover, the feed itself can only be obtained if you know the secret key, and the feed is served over SSL!
Verdict: safe.

But then Google set him up, and maybe not only him...

Everything written below is just my guess.
It seems to me that as soon as you add a feed to Google Reader, the link at which the feed is available becomes, in effect, public: Google can offer this link to an outsider as news, recommended items, and so on.

Which, in general, is sometimes NOT SAFE!

I'm in shock!


After talking with the bank, I decided to call this person and tell him about the situation. To summarize the conversation:

- (Me) Hello, my name is Dmitry! Is this your last name?
- (Him) Yes.
- (Me) Sorry, I don't know how to put this... you use Google Reader.
- (Him) Yes.
- (Me) And it collects an RSS feed with your PrivatBank account statements?
- (Him) Yes.
- (Me) You see, it so happened that I can view all your transactions, and other people possibly can too.
- (Him) So what?
- (Me) Well, what do you mean, "so what"? Your phone number, your card and so on are there.
- (Him) So what?

I see no point in describing the conversation any further.

That's all.

Source: https://habr.com/ru/post/123661/
