Social sharing networks meet the credit card industry – in a new way this time. Although, I’m sure a recent new venture would have preferred a more favorable type of news release.
Blippy, a new social sharing network site which allows users to share their credit card purchases, unintentionally exposed the financial information of some of its members.
How It Works
The site operates like Twitter, where members can follow other members. Members sign up one of their credit cards to the site and any time a purchase is made with that card, the information is streamed, like a tweet or Facebook post, on the member’s page.
A member gives Blippy access to a card account (i.e. provides Blippy with access to the online bank account). Blippy then obtains the transaction data, or raw data, from the card purchase and cleans it up for the web post. For instance, “Starbucks USA 00075424 04/25 CARD # Purchase # Newport Bch, CA”, would be converted to just “Starbucks”.
Members can also add accounts that Blippy has signed on (i.e., iTunes and Zappos), which can also include more details of the card purchase. With some accounts, a member can choose to show full product details:
Michael purchased 1 app from iTunes (and then a graphic of the app, i.e., the iTunes song, is displayed below the stream)
Or just the amount spent:
Michael spent $3.75 at Starbucks
Members are using Blippy to find hot deals, compare costs (i.e. cable, utilities, cell phone), share restaurant experiences or post their own movie reviews. Like Facebook, members and followers can comment on the post or hide posts from certain people. (Maybe you don’t want a friend to know that you spent $80 golfing when you cancelled previously scheduled lunch meeting during the same time.) Some see the revelation of spending habits as a conscience for shoppers. Others see it as sharing too much information. Certain purchases and excessive spending can be potentially damaging to someone’s reputation. For consumers who want to share everything and have nothing to hide, this is perfect for them.
“Users who share information online are becoming slowly aware of the risks of this new technology.”
Like any social networking site, retailers and manufacturers could use the posted information to get feedback on products, shopping experiences and consumer behavior in general. On the flip side, it could create more competition. If full details of a purchase are posted, a competitor could lower prices to steal future business.
Privacy Concern and Security Risks
Information sharing and web collaboration were made possible with Web 2.0 technologies. Users who share information online are becoming slowly aware of the risks of this new technology. Companies who promote the sharing of information online need to ramp up security and take responsibility to help protect their users.
The exposure of members’ credit card data on Blippy was discovered during the site’s beta phase, when some raw data could be viewed on the HTML source page of a Blippy member’s page. Experienced (and certainly determined) web users could see the raw data, which Blippy claims was mainly harmless (i.e. store numbers, etc.). After that issue was discovered, the glitch was fixed quickly.
According to Blippy cofounder Philip Kaplan, there was a “’technical oversight’ in February which resulted in raw transactional data showing up within the HTML code on some Blippy pages for half a day.” Because of the indexing power of Google, the HTML data, which included full card numbers of four Blippy members, turned up in close to 200 search results. Even though Blippy’s site went through several modifications since then, the Google snapshots of these pages were not updated. Blippy worked with Google immediately to remove the indexed pages.
Blippy then discovered another member’s card number in a web search on Saturday, which turned up in 20,000 pages. The company again worked with Google to remove the data. In both cases, Blippy also contacted – and apologized to – the members affected.
Blippy – and its members – were quite lucky. The damage could have been a lot worse had the site been in a more viral stage, ala Facebook or Twitter.
Who is in Control?
Social networking has given people the power to open up that privacy door – all on their own. At the same time, secure data is at risk when financial information is released into the air.
Amazon was leary of Blippy in the beginning, as it blocked buyers from publishing their purchases. Blippy went around the roadblock by requesting members who used Gmail for access to their accounts to obtain the purchase data that Amazon emailed to them. Other retailers have joined Blippy without as much concern, seeing it more like a promotional tool.
Even though a cardholder would not be responsible for fraudulent charges, it doesn’t help our economy if retailers are left holding debt as a result of credit card fraud. As discussed in a previous two-part blog, when data is compromised, fingers are usually pointed to the merchant receiving the card information. However, all parties involved are responsible for ensuring data security. On the top, merchants need to be extra careful about business relationships which may affect the data protection of their customers. Unfortunately – for banks and retailers – if a cardholder volunteers access to his or her account, and card information is jeopardized, the cardholder is still protected.
While Blippy thought they were on top of security on their site, the recent data exposure has changed their course. In their April 26 blog, they outlined a new security plan which includes hiring a chief security officer and conducting regular security audits to protect members.
On the positive side for Blippy – the company has certainly gained more exposure since the data security issue hit the news. Oh, and Blippy will soon have company in this playing field as Swipely is soon to go live.