As part of the blog it has called out 16 companies which it claims have failed, or are still failing, to encrypt traffic between mobile devices and the companies' websites. This traffic contains customers' credit card data and personal information that can be easily intercepted and used by hackers.
Who is Wandera accusing of leaking data?
The full list of companies contains some large names which highlights a complete failure in the testing of their mobile applications:
- Aer Lingus
- Air Canada
- American Taxi
- Chiltern Railways
- CN Tower
- Dash Card Services/Parking
- Get Hotwired
- KV Cars
- Oui Car
- San Diego Zoo
- Tribeca Med Spa
Since the release of the blog less than 24 hours ago a number of the companies listed have contacted Wandera and reported that the problem has been resolved. Those companies are easyJet, Chiltern Railways, San Diego Zoo, CN Tower and Aer Lingus.
What data has been/is still being leaked?
The amount of data being leaked varies by company. In all cases the credit card data is sent unencrypted. Some companies send even more, exposing information such as passport details, vehicle registration numbers, email addresses and mobile phone numbers.
The data is a treasure trove for hackers, and with passport numbers included it means that hackers could sell the data on to anyone creating forged documents. Many border agencies check the credit card number and passport information as part of their risk assessment for passengers. Having both would make the holder of forged documents a little less likely to be pulled for secondary screening.
What is CardCrypt?
In a 5 minute video (hosted by Vimeo) Wandera give a behind the scenes look at what CardCrypt is and how the leak happens. Where all these companies have failed is in the basic configuration of their websites. Instead of requiring traffic to be encrypted they are sending it in the clear. Requiring encryption is one of the basic configuration settings that any company should be using, and it is a shocking failure by all those listed above.
Web pages whose address starts with HTTP do not encrypt any data passing from the end client to the remote site. The solution is to use HTTPS, which is what all banking websites, the vast majority of shopping sites and even corporate websites use. It is also what produces the padlock that you will see when browsing a secure website. The caveat is that HTTPS has to be enforced on every page and on every form submission, not just on the login page: a padlock on the page you are looking at says nothing about whether the form on it posts to an HTTP address, and a plain-HTTP request that is answered rather than redirected to HTTPS still exposes everything the browser sends.
What this means is that the companies affected were allowing customer transaction data to be captured. As highlighted above this includes the credit card data, PII, usernames and passwords. Ironically, not all of the pages were unencrypted, which suggests the companies knew how to use HTTPS but did not apply it consistently.
The big issue here, as pointed out by Wandera, is that developers can end up making changes to pages but forget to check the security settings when the pages go live. As a result the problem at these 16 companies can be seen as a failure of the deployment process rather than a deliberate security decision, although the effect on customers is the same.
To avoid the kind of exposure CardCrypt describes, companies need to review their deployment procedures and implement testing and sign-off processes that confirm encryption is enforced on every page before it goes live.
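A pre-release check of the kind the previous paragraph calls for, written as an added example for this article (it is not Wandera's tooling or code from any of the companies named). Given a page's URL, its HTML and the response headers it was served with, it flags the ways described above in which transaction data can travel in the clear: a page served over http:// and not redirected, a form whose action resolves to http://, an https:// page without HSTS, and http:// scripts or frames on an https:// page. The URLs, HTML and headers in the block are constructed for the illustration.

```python
"""Pre-release check for card data leaving a site unencrypted.

Added example, not Wandera's tooling or code from any company named in the
report. All URLs, HTML and headers below are constructed for the example.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Field-name fragments that mark a form as carrying payment or identity data.
SENSITIVE_HINTS = ("card", "cvv", "cvc", "ccnum", "expiry", "passport", "password")


class _FormCollector(HTMLParser):
    """Collect each form's action and field names, plus http:// active content."""

    def __init__(self):
        super().__init__()
        self.forms = []             # [{"action": str, "fields": [str, ...]}, ...]
        self.insecure_sources = []  # http:// script/iframe sources
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            if attrs.get("name"):
                self._current["fields"].append(attrs["name"])
        elif tag in ("script", "iframe") and (attrs.get("src") or "").startswith("http://"):
            self.insecure_sources.append(attrs["src"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def sensitive_fields(names):
    """Return the field names that look like card, passport or credential data."""
    return [n for n in names if any(h in n.lower() for h in SENSITIVE_HINTS)]


def audit_page(page_url, html, headers, status=200):
    """Return a list of findings for one fetched page; an empty list means it passed."""
    findings = []
    hdrs = {k.lower(): v for k, v in headers.items()}
    scheme = urlsplit(page_url).scheme

    if scheme == "http":
        # Plain HTTP is acceptable only as a redirect to the HTTPS version.
        redirected = (300 <= status < 400
                      and urlsplit(hdrs.get("location", "")).scheme == "https")
        if not redirected:
            findings.append(f"{page_url}: served over HTTP and not redirected to HTTPS")
    elif "strict-transport-security" not in hdrs:
        # Without HSTS a returning visitor who types the bare hostname starts over HTTP.
        findings.append(f"{page_url}: HTTPS response lacks Strict-Transport-Security")

    collector = _FormCollector()
    collector.feed(html)
    for form in collector.forms:
        # An empty or relative action inherits the page's own scheme and host.
        action = urljoin(page_url, form["action"])
        if urlsplit(action).scheme != "https":
            fields = sensitive_fields(form["fields"]) or form["fields"]
            findings.append(f"{page_url}: form posts {', '.join(fields)} to {action} unencrypted")
    if scheme == "https" and collector.insecure_sources:
        # An http:// script on an https:// page can be swapped in transit to read the form.
        findings.append(f"{page_url}: active mixed content from {', '.join(collector.insecure_sources)}")
    return findings


# Constructed sample: a checkout page as described in the report, served over plain
# HTTP with the card form posting (relative action) back over plain HTTP.
LEAKY_URL = "http://shop.example/checkout"
LEAKY_HTML = """<html><body>
<form action="/pay" method="post">
  <input name="cardNumber"> <input name="expiryDate"> <input name="cvv">
  <input name="passportNumber"> <input name="company">
</form></body></html>"""
LEAKY_HEADERS = {"Content-Type": "text/html"}

# Constructed sample: the "forgot to check when it went live" case. The page itself is
# HTTPS with HSTS, but the form action and an analytics script still point at http://.
MIXED_URL = "https://shop.example/checkout"
MIXED_HTML = (LEAKY_HTML.replace('action="/pay"', 'action="http://shop.example/pay"')
              + '<script src="http://cdn.example/analytics.js"></script>')
FIXED_HEADERS = {"Content-Type": "text/html",
                 "Strict-Transport-Security": "max-age=31536000; includeSubDomains"}

# Constructed sample: the corrected deployment, where everything resolves to HTTPS.
FIXED_URL = "https://shop.example/checkout"
FIXED_HTML = LEAKY_HTML.replace('action="/pay"', 'action="https://shop.example/pay"')

if __name__ == "__main__":
    for url, html, hdrs in ((LEAKY_URL, LEAKY_HTML, LEAKY_HEADERS),
                            (MIXED_URL, MIXED_HTML, FIXED_HEADERS),
                            (FIXED_URL, FIXED_HTML, FIXED_HEADERS)):
        print(url, audit_page(url, html, hdrs) or ["OK"])
```

Running the block prints two findings for the constructed leaky page (served in the clear, and the card form posting in the clear), two for the mixed page (the HTTP form action and the HTTP script) and nothing for the corrected one. In a real sign-off pipeline the three inputs would come from fetching each page of the staging site, and a non-empty result would block the release.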
How many customers are affected?
Wandera says that, as they only detect the problem when their own customers' employees connect to these sites, they are unable to say how many people are affected. So far none of the companies affected has given any indication of how long the problem had been ongoing and therefore how many customers have been exposed.
While a handful of the companies have responded quickly to the announcement and have moved to fix the problem, the remainder have not. Many people are looking for holiday bargains over the festive season and it is likely that the problem will have affected thousands of individuals.
What is also not yet known is how these companies intend to respond to affected customers. It is becoming common practice to pay for fraud monitoring services for customers whose data has been leaked in this way, but that does not guarantee that they will not be subjected to fraud or that their credit rating will not be impacted.
How can you protect yourself?
In the blog, Wandera has provided a five point checklist for customers so that they can protect themselves from this type of threat. While the last one is partly a sales pitch we have left it in because it makes a serious point.
The five points are:
- Check the URL is secure – look for ‘https’ in the URL, the ‘s’ stands for secure
- Avoid public Wi-Fi – if the network is open and not password protected, hackers can easily intercept your transactions
- Strengthen your passwords – use complex passwords including symbols and numbers and change them regularly
- Beware of scams and unfamiliar websites – don’t purchase anything from a suspicious or unfamiliar site no matter how tempting the deal
- Use a good security solution – protect your personal and corporate data with real-time threat prevention like Wandera.
2015 has been a significant high point for hackers. More data breaches have occurred than ever before. The Dark Web is now awash with so much stolen personal and financial data that its value is dropping rapidly. To counter this, criminals are putting together more comprehensive records on individuals and often hold more data than people realise is possible.
It is time that retailers and customers both accepted their responsibility for data security. While the major fault is with those gathering and holding sensitive data, users also need to carry out basic checks before using online sites or responding to emails.
Will the situation get better in 2016? Unlikely. The European Commission has just required mandatory data breach notification for companies. Over the next few years we are likely to see a continual increase in data breach reports as companies become more compliant. This means that it is important that people do their own checking before using a site.