(The article has been updated with the following: “Following a call with EasyJet that was completed at 14:05 on Wednesday, December 9, Wandera is pleased to say that EasyJet has confirmed that this is not an ongoing problem.” - Eldar Tuvey, CEO and co-founder, Wandera)
Another serious security hole has been discovered, and this time it exposes financial information as well as personal data: credit card details can leak when you shop through the mobile websites and apps of certain companies.
Wandera discovered this vulnerability, which it has named CardCrypt, and notes that unencrypted payment information leaks from smartphones when users complete transactions over the mobile web or through apps.
Affected companies include Chiltern Railways and Dash Card Services in the UK and Aer Lingus in Ireland, along with Air Canada, AirAsia and American Taxi, to name a few (16 companies are affected in total).
The leaked data includes complete credit card information (in some cases including the crucial CVV security code printed on the back of the card), as well as customer names and addresses, contact details and transaction details.
Wandera notes that the exact data leaked varies from company to company, depending on what the organisation requires from the customer to process the transaction, but in almost every case the full credit card details were picked up in the clear (and, in one case, apparently passport details as well).
This is a very worrying situation indeed, especially for the customers of these 16 companies, which between them have around half a million customers per day.
If you use one of these companies, you will not be comforted to hear that in Wandera's tests, complete credit card details were leaked in unencrypted form.
Perhaps even more disturbing is the basic nature of this vulnerability: the leak happens because these organisations' websites and apps do not use HTTPS to encrypt the data sent from the phone to the company. Instead, sensitive financial details are simply sent over a standard HTTP connection, leaving them open to interception and subsequent misuse.
Non-HTTPS requests for such transactions? Indeed, the PCI DSS (Payment Card Industry Data Security Standard) requires that sensitive cardholder information be encrypted whenever it is transmitted over public networks, for obvious reasons.
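The check a company (or a mobile-security gateway) would want to run on its own app traffic, as an added example that is not Wandera's code: scan logged requests and flag any that carry card data over plain HTTP rather than HTTPS. The request records, hostnames and the well-known 4111111111111111 test number are constructed for this example; real logs would come from a proxy or the app's own test harness.

```python
import re
from typing import Dict, List

# Constructed sample of requests as a proxy or gateway might log them
# (scheme, host, path, form body). Hosts are placeholders and
# 4111111111111111 is a standard test PAN, not a real card number.
SAMPLE_REQUESTS = [
    {"scheme": "http", "host": "m.example-airline.test", "path": "/pay",
     "body": "name=A+Customer&card=4111111111111111&expiry=12%2F19&cvv=123"},
    {"scheme": "https", "host": "m.example-rail.test", "path": "/checkout",
     "body": "name=A+Customer&card=4111111111111111&cvv=456"},
    {"scheme": "http", "host": "m.example-taxi.test", "path": "/book",
     "body": "pickup=Station&ref=1234567890123456"},  # 16 digits, fails Luhn
]

PAN_RE = re.compile(r"(?<!\d)(\d[ -]?){12,18}\d(?!\d)")
CVV_RE = re.compile(r"(?:cvv|cvc|cvv2|securitycode)=(\d{3,4})", re.I)


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: True for a syntactically valid card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return Luhn-valid card numbers found in a request body."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def find_cleartext_card_data(requests: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Flag requests that send card data over plain HTTP (the CardCrypt pattern).
    Only a masked PAN is kept in the finding so the report itself does not leak."""
    findings = []
    for r in requests:
        if r["scheme"].lower() != "http":
            continue            # HTTPS: transport is encrypted, nothing to flag
        pans, cvvs = find_pans(r["body"]), CVV_RE.findall(r["body"])
        if pans or cvvs:
            findings.append({"host": r["host"], "path": r["path"],
                             "pan": "*" * 12 + pans[0][-4:] if pans else "",
                             "cvv_present": bool(cvvs)})
    return findings
```

Running `find_cleartext_card_data(SAMPLE_REQUESTS)` flags only the first request: the second uses HTTPS and the third carries a 16-digit reference that is not a card number.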
Eldar Tuvey, CEO of Wandera, commented: “We believe that there are two possible reasons why HTTPS has not been used. It may be a lack of coding, or it may be a case of relying on inadequate outsourcing or libraries. In any case, it’s amazing to me that these companies did not show sufficient care in the collection of their customers’ personal data.”
There may be other companies suffering from the same flaw, too. Meanwhile, the above-mentioned firms have been informed about this issue, and we hope they take action (or have already done so).