easyJet*, Chiltern Railways and Aer Lingus amongst 16 companies that have exposed credit card data during payments to their mobile websites and apps

Wandera has identified a vulnerability – dubbed CardCrypt – where customers’ personal data is being transmitted unencrypted from mobile devices

LONDON, 9th December 2015: Customers’ credit card information, passport data, purchase data and other Personally Identifiable Information (PII) was being sent unencrypted from smartphones when users purchased items from major brands’ mobile websites and apps. Companies identified include easyJet*, Chiltern Railways, Aer Lingus, AirAsia, Air Canada** and 11 other companies, ranging from taxi firms (KV Cars in the UK and American Taxi in the US) to gift card and event ticket providers (Sistic in Singapore).

Notes to editors – each company has been notified about the vulnerability and a full list is included below the release.

Wandera detected payment information leaking unencrypted from smartphones when users accessed these companies’ mobile websites and apps during the purchase and upgrade processes, for example when booking a ticket or choosing a seat. The data includes complete credit card details, the CVV security code, customer names, full addresses, transaction amounts and contact details. The exact information leaked varies according to the details each company requests for the transaction to take place, but in nearly all cases complete credit card data was detected ‘in the clear’, and in one case detailed passport information was also revealed. The 16 companies identified have a combined 500,000 passengers and customers per day.

Examples:

- Complete credit card data and customer billing addresses were sent unencrypted to the Aer Lingus website during the booking process. Aer Lingus has 10.6 million passengers a year.
- Complete credit card data and passport details – name, date of birth, passport number, expiry date and issuing country code – were unencrypted when sent to Air Canada’s mobile website during the booking process. Air Canada has 38.0 million passengers a year.
- Complete credit card data, customer addresses and transaction details were unencrypted when sent to San Diego Zoo’s mobile website during the main purchase process. San Diego Zoo has 5 million visitors a year.
- Complete credit card data and transaction details were unencrypted when sent to AirAsia’s website during the check-in process. AirAsia has 45.6 million passengers a year.

Dubbed ‘CardCrypt’ by Wandera, the flaw in all of the vulnerable websites and mobile apps is that they did not use a secure protocol (HTTPS) to encrypt the data connection between the browser or app on the user’s smartphone and the company’s website, mobile website or backend web services. The credit card information was instead transmitted ‘in the clear’, i.e. unencrypted over standard HTTP connections. This weakness made the data freely available to be intercepted and used in wide-ranging identity theft and fraud.

It is a fundamental requirement of PCI DSS (Payment Card Industry Data Security Standard) to encrypt transmission of cardholder data across open public networks: “Sensitive information must be encrypted during transmission over public networks, because it is easy and common for a malicious individual to intercept and/or divert data while in transit”.

Notes to editors – Reference Requirement 4, Page 46 of the latest PCI DSS v3.1, most recently updated April 2015.

“We believe there are two likely reasons why HTTPS has not been used everywhere at all times,” comments Eldar Tuvey, CEO of Wandera, the company that discovered the data leaks. “It could be a flaw in the coding, or it could be a case of relying on inadequate third-party services or libraries. Either way, it’s astounding to me that these companies have failed to exercise sufficient care in the collection of their customers’ personal data.”

In one particular instance that Wandera identified, a customer of Sistic, the Singapore-based ticket provider, purchased two tickets for Cirque du Soleil using the mobile app. Because he is an employee of a Wandera enterprise customer, Wandera secures his mobile device to protect against data leaks. In doing so, Wandera detected his entire credit card information, full name, address and transaction details being transmitted from the smartphone ‘in the clear’ and unencrypted. The employee was informed and has now cancelled the relevant credit cards.

Notes to editors – this user is available for comment.

Wandera reported the issue to each company according to its responsible disclosure process prior to issuing this release. The company’s investigations are still ongoing and involve mobile users of other global brands, but it wanted to ensure users were alerted as soon as possible.

“The most alarming thing is that it is very likely that there are plenty of other brands who have made the same mistakes,” concludes Tuvey. “With lots of people booking journeys to go home for the Christmas holidays it is worrying how much sensitive data could be put at risk.”

ENDS

Notes to editors:

The 16 identified brands are:

UK & Europe
  easyJet*                        UK         Air travel
  Aer Lingus                      Ireland    Air travel
  Chiltern Railways               UK         Rail travel
  Dash Card services/parking****  UK         Parking services
  KV Cars                         UK         Taxis
  Perfect Card.ie***              Ireland    Gift card
  1 Robe.fr                       France     Dress retailer
  Oui Car                         France     Taxis

US & Canada
  Air Canada**                    Canada     Air travel
  San Diego Zoo                   US         Tourist destination
  CN Tower                        Canada     Tourist destination
  American Taxi                   US         Taxis
  Get Hotwired                    US         Broadband provider
  Tribeca Med Spa                 US         Health spa

Rest of World
  AirAsia                         Malaysia   Air travel
  Sistic                          Singapore  Event ticket provider

* We are pleased to say that as of 9th December, 14:05, easyJet has confirmed there is no ongoing issue.
** Did not include the CVV code but did include passport details.
*** Only included card number and CVV.
**** Included car registration, email address and mobile phone number.

More information:
CardCrypt Full Report
CardCrypt Threat Advisory
CardCrypt Infographic

About Wandera
Wandera is the leader in mobile data security and management, protecting enterprises with real-time threat prevention, compliance and data cost management. Wandera’s multi-level architecture, which includes a pioneering cloud gateway for mobile, offers unrivalled visibility and control. With the industry’s largest mobile dataset, Wandera analyzes billions of daily inputs across its network in real-time to detect emerging mobile attacks and protect sensitive company data. Founded in 2012, Wandera is headquartered in San Francisco and London. For more information visit the website www.wandera.com

CONTACT DETAILS:
Will Gardiner / Sarah Walker
wandera@ccgrouppr.com
020 3824 9209

Source: RealWire
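The CardCrypt flaw described in the release is a transport problem: cardholder data submitted over plain HTTP instead of HTTPS, which PCI DSS Requirement 4 forbids. As an added illustration (not part of the release and not Wandera's own tooling), the Python script below shows the kind of check a defender can run over outbound request logs from a mobile gateway or proxy: it looks for candidate card numbers (Luhn-valid strings of 13 to 19 digits, with or without space or dash separators) in query strings and form bodies, masks them to the first six and last four digits, and flags any that left the device over a non-HTTPS scheme. The request records, hostnames (all under the reserved .test domain) and card numbers are constructed for the example.

```python
"""Flag card numbers (PANs) that leave a device over cleartext HTTP.

Added example for the CardCrypt write-up, not Wandera's code. The records below
are constructed to resemble a simplified outbound-request log from a mobile
gateway or proxy; every hostname uses the reserved .test domain.
"""
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample requests: method, full URL and (form-encoded) body.
SAMPLE_REQUESTS = [
    # Booking form posted over plain HTTP: full PAN and CVV in the clear.
    {"method": "POST", "url": "http://m.airline.test/booking/pay",
     "body": "name=A+Person&card=4111+1111+1111+1111&cvv=123&amount=129.00"},
    # Same form over HTTPS: the PAN is in transit, but inside TLS.
    {"method": "POST", "url": "https://m.airline.test/booking/pay",
     "body": "name=A+Person&card=4111111111111111&cvv=123&amount=129.00"},
    # Plain HTTP, but the long number is a booking reference that fails Luhn.
    {"method": "POST", "url": "http://m.taxi.test/book",
     "body": "pickup=Station&reference=1234567890123"},
    # PAN leaked in a GET query string over plain HTTP.
    {"method": "GET", "url": "http://m.zoo.test/tickets?card=5555-5555-5555-4444&exp=1219",
     "body": ""},
]

# 13 to 19 digits, optionally separated by single spaces or dashes, and not
# embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return Luhn-valid card numbers found in text, separators removed."""
    found = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits (PCI DSS masking rule), hide the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def audit(requests: list) -> list:
    """One finding per request carrying a PAN; cleartext=True when the scheme is not HTTPS."""
    findings = []
    for req in requests:
        parts = urlsplit(req["url"])
        # Decode form encoding so "4111+1111+..." becomes "4111 1111 ..." before matching.
        payload = unquote_plus(parts.query) + " " + unquote_plus(req.get("body", ""))
        pans = find_pans(payload)
        if not pans:
            continue
        findings.append({
            "method": req["method"],
            "host": parts.hostname,
            "scheme": parts.scheme,
            "cleartext": parts.scheme.lower() != "https",
            "pans": [mask_pan(p) for p in pans],
        })
    return findings


def cleartext_findings(requests: list) -> list:
    """Only the findings that would breach PCI DSS Requirement 4."""
    return [f for f in audit(requests) if f["cleartext"]]


if __name__ == "__main__":
    for f in audit(SAMPLE_REQUESTS):
        verdict = "CLEARTEXT" if f["cleartext"] else "encrypted"
        print(f"{verdict:10} {f['method']:4} {f['scheme']}://{f['host']} -> {', '.join(f['pans'])}")
```

Run against the constructed log this reports three requests carrying a card number, two of them over plain HTTP. The Luhn filter is what keeps booking references and order numbers out of the results; the separator-tolerant pattern matters because payment forms often accept grouped digits. In a real deployment the same logic would sit at the gateway that already terminates the device's traffic, and the masked PAN, not the full number, is what should reach the alert.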