How I exposed my card details within 30 seconds of ordering it

Christoph Engelhardt
Jul 1, 2019


Today (as in: 15 minutes ago), I did a little oopsie and exposed the card details of my new card on Twitter.

The thing is: I know not to share my card details online. It still happened to me. But I’m getting ahead of myself.

Revolut’s pride rainbow card design

On Friday, June 28th, Revolut announced a new card design (available July 1st) on their Twitter:

Looks great, right?

So I ordered one through the Revolut app on my iPhone. I got one and was really excited about it. So without thinking twice about it, I posted a screenshot of the card on Twitter:

Because, well… it never occurred to me that the data that Revolut shows on the order confirmation page could be real data.

For comparison, here’s what the American Express app looks like:

Completely made up data in the American Express App

That data is not real. It’s definitely not my name and the number fails every single credit card validator that I tested.

Lessons learned

I think there are two major lessons here.

The one lesson for me is: Don’t be oblivious and assume that ̶e̶v̶e̶r̶y̶ ̶g̶u̶n̶ ̶i̶s̶ ̶l̶o̶a̶d̶e̶d̶ every piece of data presented to you is live data.

The other lesson is for Revolut: Your users are idiots. Don’t present sensitive data where it’s not necessary. And better ask them twice before you show it for good measure. Just like Stripe does for the secret API token:

Stripe hides your secret key
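The two points above, that a confirmation screen should show a masked card number by default and only reveal the full number after a separate explicit step, and that a placeholder number should fail a card validator, can be shown in code. The following is an added example and not code from Revolut, Stripe or the original post; the card numbers in it are constructed test values, and the `CardView` class and its method names are an assumed design, not any real app's API.

```python
# Added example (not from the original post): Luhn validation of a card number,
# masking for display, and a two-step reveal so the full PAN never appears by default.
# All card numbers here are constructed test values, not real cards.


def luhn_valid(pan: str) -> bool:
    """Return True if the digits of `pan` pass the Luhn checksum (non-digits ignored)."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 12:  # shorter than any real card number
        return False
    total = 0
    # Walk from the rightmost digit; double every second digit and fold >9 back to one digit.
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def group4(s: str) -> str:
    """Insert a space every four characters, as cards print their number."""
    return " ".join(s[i:i + 4] for i in range(0, len(s), 4))


def mask_pan(pan: str, visible: int = 4) -> str:
    """Replace all but the last `visible` digits with '*' so a screenshot leaks nothing usable."""
    digits = "".join(c for c in pan if c.isdigit())
    masked = "*" * (len(digits) - visible) + digits[-visible:]
    return group4(masked)


class CardView:
    """Assumed order-confirmation view model (hypothetical, not a real app's API).

    render() always returns the masked number. The full number is only returned by
    confirm_reveal(), and only if request_reveal() was called immediately before it,
    which is the "ask twice" behaviour the post recommends.
    """

    def __init__(self, pan: str):
        self._pan = "".join(c for c in pan if c.isdigit())
        self._reveal_armed = False

    def render(self) -> str:
        return mask_pan(self._pan)

    def request_reveal(self) -> str:
        # First tap arms the reveal and returns a prompt; nothing sensitive is shown yet.
        self._reveal_armed = True
        return "Show full card number? Confirm to reveal."

    def cancel_reveal(self) -> None:
        self._reveal_armed = False

    def confirm_reveal(self) -> str:
        # Second, explicit confirmation. Without the first step, stay masked.
        if not self._reveal_armed:
            return self.render()
        self._reveal_armed = False  # one reveal per confirmation
        return group4(self._pan)


if __name__ == "__main__":
    # Constructed test values: a Luhn-valid number and one with a wrong last digit.
    for n in ("4111 1111 1111 1111", "4111 1111 1111 1112"):
        print(n, "valid" if luhn_valid(n) else "invalid")
    view = CardView("4111111111111111")
    print(view.render())            # masked by default
    print(view.confirm_reveal())    # still masked: no request preceded it
    print(view.request_reveal())
    print(view.confirm_reveal())    # full number only after the two-step reveal
```

The placeholder the post describes from the American Express app would fail `luhn_valid`, which is what makes it safe to show; a number that passes is the one that must stay masked until the user explicitly asks twice.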

I don’t want to bash on the Revolut dev team — far from it. It probably never occurred to them that anyone could be so stupid to post the order confirmation screen to social media.

Well, there’s a joke about the eternal race between programmers and the universe: Software engineers are trying to build bigger and better idiot-proof software, while the universe is trying to build bigger and better idiots.
As you can see, the universe is winning.

Conclusion

It looks like nothing bad happened (my friend alerted me within minutes — thanks again, Benedikt!). I immediately set a low limit on the card, then locked it and got support to cancel everything.

Use my experience as a cautionary tale and stay safe out there!


Christoph Engelhardt

Micropreneur; Author of the "SaaS Email Marketing Handbook"; Founder of LinksSpy(sold)