Customers’ credit card information, passport data, purchase data and other personally identifiable information (PII) is being sent unencrypted from smartphones when users are purchasing items from major brands’ mobile websites and apps, according to a new report by mobile data security and management firm Wandera.
Companies identified include Chiltern Railways, Aer Lingus, AirAsia, Air Canada and 11 other companies, ranging from taxi firms (KV Cars in the UK and American Taxi in the US) to giftcard and event ticket providers (Sistic in Singapore). Wandera says each company has been notified about the vulnerability.
(The article has been amended to carry the statement below: “As of a call with easyJet that concluded at 14.05 on Wednesday 9th December, Wandera is pleased to say that it easyJet has confirmed that this is no longer an ongoing issue.” – Eldar Tuvey, CEO and co-founder Wandera.)
The security firm has detected payment information leaking unencrypted from smartphones when users were accessing these companies’ mobile websites and apps during the purchase and upgrade processes, for example when booking a ticket or choosing a seat. The data includes complete credit card details, CVV security code, customer names, full addresses, transaction amounts and contact details.
The exact information being leaked varies according to what details the individual company requests in order for the transaction to take place, but in nearly all cases, complete credit card data was detected ‘in the clear’ and in one case even detailed passport information was also revealed.
The 16 companies that have been identified have a combined 500,000 passengers and customers per day.
Dubbed ‘CardCrypt’ by Wandera, the flaw in all of the vulnerable websites and mobile apps is that they have not used a secure protocol (HTTPS) to secure and encrypt data connections between the browser or app on the user’s smartphone, and the company’s website, mobile website or backend web services. This means that the credit card information is instead transmitted ‘in the clear’, or unencrypted, over standard web connections i.e. HTTP. This weakness makes the data freely available to be easily intercepted and used in wide-ranging identity theft and fraud.
It is a fundamental requirement of PCI DSS (Payment Card Industry Data Security Standards) to encrypt transmission of cardholder data across open public networks, Wandera reminds.
The 15 identified brands are:
UK & Europe
|Aer Lingus||Ireland||Air travel|
|Chiltern Railways||UK||Rail travel|
|Dash Card services/parking***||UK||Parking services|
|Perfect Card.ie**||Ireland||Gift card|
|1 Robe.fr||France||Dress retailer|
US & Canada
|San Diego Zoo||US||Tourist destination|
|Air Canada*||Canada||Air travel|
|CN Tower||Canada||Tourist destination|
|Get Hotwired||US||Broadband provider|
|Tribeca Med Spa||US||Health spa|
Rest of World
|Sistic||Singapore||Event ticket provider|