EasyJet and Chiltern Railways have acted quickly to close a security vulnerability found to be affecting 16 companies worldwide, according to security firm Wandera, but EasyJet says it has yet to see proof of the vulnerability on its systems.
The security firm claims that the 16 global companies had failed to effectively encrypt traffic to the payment portion of their websites and apps, potentially exposing payment card details to hackers.
According to Wandera, the affected companies serve a combined total of around 500,000 customers a day, which means hundreds of thousands of payment card details may have been exposed.
Wandera’s threat research team identified the vulnerability when testing scanning and blocking techniques for security threats.
The company said its researchers were surprised by the discovery that payment card data was sent from mobile devices without encryption because the affected companies used encryption elsewhere in their website and apps.
“We were surprised encryption was not used everywhere at all times,” the research team said in a blog post.
The researchers found that unencrypted communication was not always with the full website. “In some cases it is limited to a small number of pages in the site that are unencrypted and have seemingly slipped through the development process, such as the upgrade payment pages,” the research team said.
According to Wandera, the vulnerability demonstrates weaknesses, even inside large companies, in securing the whole end-to-end service. “They need to consider the entire mobile site or app,” the research team said.
In addition to EasyJet and Chiltern Railways, the affected companies include Dash Card Services and KV Cars in the UK; Aer Lingus and PerfectCard in Ireland; 1Robe and Oui Car in France; San Diego Zoo, American Taxi, Hotwire Communications and Tribeca Med Spa in the US; Air Canada and CN Tower in Canada; AirAsia in Malaysia; and Sistic event ticketing in Singapore.
Wandera said that since being alerted to the vulnerability, EasyJet, Chiltern Railways, San Diego Zoo, CN Tower, Aer Lingus and Air Canada have confirmed they have removed the vulnerabilty.
But EasyJet has told Computer Weekly that it has found no evidence that the alleged vulnerability ever existed on its systems.
“All passenger data is transmitted using HTTPS encryption. We have retested all our mobile channels overnight in light of Wandera’s claims and can confirm that this is the case. In addition, no EasyJet customers have reported payment security issues based on their use of the EasyJet app,” the airline said in an emailed statement.
“Our security experts have contacted Wandera and they are yet to provide us with sufficient information to validate their claims,” it added.
Wandera said it would continue to assist all affected companies in trying to resolve the issue swiftly by implementing effective security controls and encryption in their services.
Personal details potentially exposed
It is unknown whether an unauthorised third party has accessed any credit card information, but Wandera said customers of the affected companies should monitor their accounts closely.
In addition to payment card details, Wandera said passport details, vehicle registration information, email addresses, billing address and phone numbers may have been exposed.
The research team said there is no good reason to not encrypt this payment information. “Best practice today is for most companies to encrypt everything,” they said.
The vulnerability, they added, was likely to be unintentional as a result of either poor coding because the affected firms have not considered the whole purchasing process or because affected companies were using a service to fulfil the payment and that service has a vulnerability.
The most recent versions of the Payment Card Industry’s Data Security Standard (PCI DSS) have added requirements around encryption, but some industry pundits say they still do not go far enough.
In the face of increased data breaches in the retail industry, there have been calls for PCI DSS to require encryption to be implemented in accordance with international standards.
In particular, there have been calls for improvements in requirements relating to encryption key management.
In January 2015, the Payment Card Industry Security Standards Council (PCI SSC), which administers PCI DSS, told Computer Weekly the standard covers encryption and key management.
“PCI addresses both key management and encryption, not only in the PCI DSS, but also with standards covering specific areas where key management and encryption controls are specifically used in the transaction process, such as point to point encryption, PIN security requirements, and PCI terminals security standards,” said Jeremy King, European director of the PCI SSC.
“PCI takes security extremely seriously and works with all relevant organisations to ensure we utilise or reference the most up-to-date security requirements for all aspects of protecting cardholder data throughout the transaction lifecycle.
“As part of this, PCI DSS references specific external documentation when it is appropriate. For example, the glossary definition for ‘secure cryptography’ clearly points to the Nist [National Institute of Standards and Technology] standard which defines acceptable levels of cryptography,” he said.
However, critics say PCI DSS compliance does not necessarily mean merchant operations are secure. Critics believe PCI DSS assessments should require proof of thorough and effective encryption, not only by the merchants themselves, but also any suppliers they use to handle payments.