A Major Blip in Blippy's Security
23 April 2010
Jacob Jegher
If only it were just a blip. Mashable just reported that a simple Google search reveals Blippy users' credit card numbers. As much as I love the social web, I could never wrap my head around the concept of folks providing their credit card number in order to share info on what they are purchasing. While this may be fun and "cool," it is a great example of what not to do.

This is obviously a major error on Blippy's part, but I also blame users who so easily give up confidential info. If this type of practice continues, card companies are going to stop reimbursing customers. It's one thing if a merchant or a processor is a victim of fraud. It's another issue if a startup does something inexcusable, even if it is unintentional.

Interestingly, just yesterday TechCrunch announced a new round of funding for Blippy, bringing their valuation to a whopping $46.2 million.

Update 2:06pm EDT. Blippy issues a reply. Celent believes that this issue is far more serious than Blippy is making it out to be. Pointing fingers at Google's cache and claiming that consumers are protected is not the right approach. I am sure Blippy will improve their security efforts, but this is nonetheless an incorrect approach to take with the public.

Comments
- Thanks for your comments, Guillaume. Agreed, fault could lie elsewhere. However, the public goes to Blippy.com and that is all they care about.
- [...] off - is it secure to provide my banking credentials to this site? I think the Rudder and Blippy mishaps have taught us enough about this. This startup doesn’t have the bank-level security that [...]
- Jacob, this blip actually begs the question of who is responsible for this non-PCI compliance? The data exposed seems to be the transaction memo. So who is responsible? Blippy or their back end provider (Yodlee) or the bank/bank processor?