Customers’ credit card information, passport data, purchase data and other Personally Identifiable Information (PII) were being sent unencrypted from smartphones while users were purchasing items from major brands’ mobile websites and apps.
Companies identified include easyJet*, Air Canada**, San Diego Zoo, AirAsia, Aer Lingus and 11 other companies, ranging from taxi firms (KV Cars in the UK and American Taxi in the US) to giftcard and event ticket providers (Sistic in Singapore).
Wandera has detected payment information leaking unencrypted from smartphones when users were accessing these companies’ mobile websites and apps during the purchase and upgrade processes, for example when booking a ticket or choosing a seat. The data includes complete credit card details, CVV security code, customer names, full addresses, transaction amounts and contact details. The exact information that was being leaked varies according to what details the individual company requests in order for the transaction to take place, but in nearly all cases, complete credit card data was detected ‘in the clear’ and in one case even detailed passport information was also revealed.
The 16 companies that have been identified have a combined 500,000 passengers and customers per day.
Examples:
- Complete credit card data and passport details such as name, date of birth, passport number, expiry date and issuing country code were unencrypted when sent to Air Canada’s mobile website during the booking process. Air Canada has 38.0 million passengers a year.
- Complete credit card data, customer addresses and transaction details were unencrypted when sent to San Diego Zoo’s mobile website during the main purchase process. San Diego Zoo has 5 million visitors a year.
- Complete credit card data and transaction details were unencrypted when sent to AirAsia’s website during the check-in process. AirAsia has 45.6 million passengers a year.
Dubbed ‘CardCrypt’ by Wandera, the flaw in all of the vulnerable websites and mobile apps is that they have not used a secure protocol (HTTPS) to encrypt the data connection between the browser or app on the user’s smartphone and the company’s website, mobile website or backend web services. This means that the credit card information was instead transmitted ‘in the clear’, or unencrypted, over standard web connections, i.e. HTTP. This weakness left the data freely available to be intercepted and used in wide-ranging identity theft and fraud.
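As an added example, not part of Wandera’s release or tooling, the following shows the kind of check a network monitoring layer could run on a device’s outbound requests to flag the failure mode described above: a card-number-shaped form value, validated with the Luhn checksum, leaving the device over plain HTTP rather than HTTPS. The hosts, paths and form fields are constructed, and the card number is a standard test PAN rather than a real card.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample of what a monitoring proxy would observe for each request:
# (scheme, host, path, form body). Hosts are fictional; 4111... is a test PAN.
SAMPLE_REQUESTS = [
    ("http", "m.example-airline.test", "/book/pay",
     "name=Jane+Doe&card=4111111111111111&cvv=123&amount=249.00"),
    ("https", "secure.example-airline.test", "/book/pay",
     "name=Jane+Doe&card=4111111111111111&cvv=123&amount=249.00"),
    ("http", "m.example-zoo.test", "/tickets",
     "qty=2&ref=1234567890123456"),  # 16 digits, but fails Luhn: a reference, not a PAN
]

# Card numbers (PANs) are 13 to 19 digits long.
PAN_RE = re.compile(r"\d{13,19}")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by card networks; filters out arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits so the finding itself is not sensitive."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_cleartext_pans(requests):
    """Return one finding per Luhn-valid PAN sent in a form body over plain HTTP."""
    findings = []
    for scheme, host, path, body in requests:
        if scheme == "https":
            continue  # encrypted in transit; not the failure mode being detected
        for field, value in parse_qsl(body):
            candidate = re.sub(r"[ -]", "", value)  # tolerate "4111 1111 ..." formatting
            if PAN_RE.fullmatch(candidate) and luhn_ok(candidate):
                findings.append({"host": host, "path": path,
                                 "field": field, "pan": mask_pan(candidate)})
    return findings


if __name__ == "__main__":
    for finding in find_cleartext_pans(SAMPLE_REQUESTS):
        print(f"cleartext PAN to {finding['host']}{finding['path']} "
              f"in field '{finding['field']}': {finding['pan']}")
```

Only the first request is reported: the second carries the same data over HTTPS and the third contains a digit run that fails the Luhn check.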
It is a fundamental requirement of PCI DSS (Payment Card Industry Data Security Standards) to encrypt transmission of cardholder data across open public networks: “Sensitive information must be encrypted during transmission over public networks, because it is easy and common for a malicious individual to intercept and/or divert data while in transit”.
“We believe there are two likely reasons why HTTPS has not been used everywhere at all times,” comments Eldar Tuvey, CEO of Wandera, the company that discovered the data leaks. “It could be a flaw in the coding, or it could be a case of relying on inadequate third party services or libraries. Either way, it’s astounding to me that these companies have failed to exercise sufficient care in the collection of their customers’ personal data.”
In one particular instance that Wandera has identified, a customer of Sistic, the Singapore-based ticket provider, purchased two tickets for Cirque du Soleil using the mobile app. Because he is an employee of a Wandera enterprise customer, Wandera secures his mobile device to protect against data leaks. In doing so, Wandera detected his entire credit card information, full name, address and transaction details being transmitted from the smartphone ‘in the clear’ and unencrypted. The employee was informed and has now cancelled his relevant credit cards.
Wandera has reported the issue to each company according to its responsible disclosure process prior to issuing this release. The company’s investigations are still ongoing and involve mobile users of other global brands, but it wanted to ensure users were alerted as soon as possible.
“The most alarming thing is that it is very likely that there are plenty of other brands who have made the same mistakes,” concludes Tuvey. “With lots of people booking journeys to go home for the Christmas holidays, it is worrying how much sensitive data could be put at risk.”