Half a million users' credit card data left wide open

Customers’ credit card information, passport data, purchase data and other personally identifiable information (PII) is being sent unencrypted from smartphones when users are purchasing items from major brands’ mobile websites and apps, according to a new report by mobile data security and management firm Wandera.

Companies identified include Chiltern Railways, Aer Lingus, AirAsia, Air Canada and 11 other companies, ranging from taxi firms (KV Cars in the UK and American Taxi in the US) to gift card and event ticket providers (Sistic in Singapore). Wandera says each company has been notified about the vulnerability.

(The article has been amended to carry the statement below: “As of a call with easyJet that concluded at 14.05 on Wednesday 9th December, Wandera is pleased to say that easyJet has confirmed that this is no longer an ongoing issue.” – Eldar Tuvey, CEO and co-founder, Wandera.)

The security firm has detected payment information leaking unencrypted from smartphones when users were accessing these companies’ mobile websites and apps during the purchase and upgrade processes, for example when booking a ticket or choosing a seat. The data includes complete credit card details, CVV security code, customer names, full addresses, transaction amounts and contact details.

The exact information being leaked varies according to what details the individual company requests in order for the transaction to take place, but in nearly all cases, complete credit card data was detected ‘in the clear’ and in one case even detailed passport information was also revealed.

The 16 companies that have been identified have a combined 500,000 passengers and customers per day.

Dubbed ‘CardCrypt’ by Wandera, the flaw in all of the vulnerable websites and mobile apps is the same: they do not use HTTPS (HTTP over TLS) to encrypt the connection between the browser or app on the user’s smartphone and the company’s website, mobile website or backend web services. The credit card information is instead transmitted ‘in the clear’, unencrypted, over a plain HTTP connection. Anyone positioned on the network path, such as another user on the same public Wi-Fi, the operator of a hotspot or proxy, or the mobile carrier, can read the card details simply by passively capturing the traffic; no active man-in-the-middle attack is needed. The captured data can then be used in wide-ranging identity theft and fraud. Note that it is not enough for the booking page itself to load over HTTPS: the API calls an app makes to its backend during checkout must also use TLS.
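The following Python snippet is an added example, not code from the article or from Wandera, showing how a passive observer of mobile traffic (or a security team auditing its own app) can detect cleartext cardholder data of the kind described above. It parses a captured HTTP/1.1 request, looks for form fields whose value is a Luhn-valid primary account number (PAN) or a CVV, and contrasts that with the same purchase sent over HTTPS, where the observer sees only an opaque TLS record. The host, path, field names, card number and TLS bytes are all constructed for the example; the card number is a well-known test number that passes the Luhn check but is not issued to anyone.

```python
import re
from dataclasses import dataclass
from urllib.parse import parse_qs

# Constructed sample of what a passive observer (hotspot operator, carrier,
# proxy, another user on the same Wi-Fi) sees on the wire when a mobile app
# posts a seat-upgrade purchase over plain HTTP. Hypothetical host, path and
# fields; 4111 1111 1111 1111 is an unissued test PAN that passes Luhn.
PLAIN_HTTP_CAPTURE = (
    b"POST /mobile/seat-upgrade HTTP/1.1\r\n"
    b"Host: booking.example.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"\r\n"
    b"name=Jane+Doe&card=4111111111111111&expiry=12%2F20&cvv=123"
    b"&amount=35.00&address=1+High+St"
)

# The same purchase over HTTPS: the observer only sees a TLS application-data
# record (type 0x17, version 0x0303, length, ciphertext). The ciphertext here
# is constructed opaque bytes standing in for real, random-looking output.
TLS_CAPTURE = b"\x17\x03\x03\x00\x10" + bytes.fromhex("8af103c47be2d90f5c61a4e7b38d2f90")


@dataclass
class Finding:
    field: str   # form field name carrying the sensitive value
    kind: str    # "pan" or "cvv"
    masked: str  # value masked to what PCI DSS permits to be displayed


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (request line, headers, body).

    Returns None when the bytes do not look like cleartext HTTP, which is
    exactly what happens for a TLS record."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    head, sep, body = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    if not sep or len(lines[0].split(" ")) != 3 or not lines[0].endswith("HTTP/1.1"):
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


CVV_FIELDS = {"cvv", "cvc", "cvv2", "securitycode", "security_code"}


def find_cardholder_data(raw: bytes) -> list[Finding]:
    """Flag form fields that carry a Luhn-valid PAN or a CVV in a captured request."""
    parsed = parse_http_request(raw)
    if parsed is None:
        return []  # opaque bytes (TLS ciphertext): nothing for the observer to read
    _, headers, body = parsed
    if "application/x-www-form-urlencoded" not in headers.get("content-type", ""):
        return []
    findings: list[Finding] = []
    for field, values in parse_qs(body).items():
        for value in values:
            digits = re.sub(r"[ -]", "", value)  # cards are often typed with spaces/dashes
            if 13 <= len(digits) <= 19 and digits.isdigit() and luhn_valid(digits):
                # PCI DSS allows at most the first six and last four digits to be shown
                masked = digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
                findings.append(Finding(field, "pan", masked))
            elif field.lower() in CVV_FIELDS and re.fullmatch(r"\d{3,4}", value):
                findings.append(Finding(field, "cvv", "*" * len(value)))
    return findings


if __name__ == "__main__":
    for label, capture in (("http", PLAIN_HTTP_CAPTURE), ("https", TLS_CAPTURE)):
        hits = find_cardholder_data(capture)
        print(f"{label}: {[(f.field, f.kind, f.masked) for f in hits] or 'nothing readable'}")
```

Run against the plain-HTTP capture the scanner returns the card field (masked to 411111******1111) and the CVV; against the TLS capture it returns nothing, because the observer never gets a parseable request. The remediation is the mirror image of this check: serve every checkout endpoint and backend API over HTTPS only, redirect and ideally reject plain HTTP, and have the apps refuse cleartext connections outright (iOS App Transport Security and Android's `usesCleartextTraffic="false"` manifest attribute both enforce this at the platform level).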

It is a fundamental requirement of PCI DSS (the Payment Card Industry Data Security Standard; Requirement 4) to encrypt the transmission of cardholder data across open, public networks, Wandera reminds.

The 15 identified brands are (company, country, sector):

UK & Europe

UK Air travel
Aer Lingus Ireland Air travel
Chiltern Railways UK Rail travel
Dash Card services/parking*** UK Parking services
KV Cars UK Taxis
Perfect Card.ie** Ireland Gift card
1 Robe.fr France Dress retailer
Oui Car France Taxis

US & Canada

San Diego Zoo US Tourist destination
Air Canada* Canada Air travel
CN Tower Canada Tourist destination
American Taxi US Taxis
Get Hotwired US Broadband provider
Tribeca Med Spa US Health spa

Rest of World

AirAsia Malaysia Air travel
Sistic Singapore Event ticket provider