Customers’ credit card information, passport data, purchase data and other Personally Identifiable Information (PII) was being sent unencrypted from smartphones when users are purchasing items from major brands’ mobile websites and apps.
Companies identified include easyJet*, Chiltern Railways, Aer Lingus, AirAsia, Air Canada** and 11 other companies, ranging from taxi firms (KV Cars in the UK and American Taxi in the US) to giftcard and event ticket providers (Sistic in Singapore). Security experts from Wandera, Tripwire and Lieberman Software have the following comments on this bif flaw.
[su_note note_color=”#ffffcc” text_color=”#00000″]Eldar Tuvey, CEO at Wandera :
“We believe there are two likely reasons why HTTPS has not been used, everywhere at all times.” “It could be a flaw in the coding, or it could be a case of relying on inadequate third party services or libraries. Either way, it’s astounding to me that these companies have failed to exercise sufficient care in the collection of their customers’ personal data.”
In one particular instance that Wandera has identified, a customer of Sistic, the Singapore-based ticket provider, purchased two tickets for Cirque du Soleil using the mobile app. Because he is an employee of a Wandera enterprise customer, Wandera secures his mobile device to protect against data leaks. In doing so, Wandera detected his entire credit card information, full name, address and transaction details being transmitted from the smartphone ‘in the clear’ and unencrypted. The employee was informed and has now cancelled his relevant credit cards.
Wandera has reported the issue to each company according to its responsible disclosure process prior to issuing this release. The company’s investigations are still ongoing and involve mobile users of other global brands, but it wanted to ensure users were alerted as soon as possible.
“The most alarming thing is that it is very likely that there are plenty of other brands who have made the same mistakes,” concludes Tuvey. “With lots of people booking journeys to go home for the Christmas holidays it is worrying how much sensitive data could be put at risk.”[/su_note]
[su_note note_color=”#ffffcc” text_color=”#00000″]Tim Erlin, Director of IT Security and Risk Strategy at Tripwire :
“Malware has moved from coming through an open door to being built into the foundation. It’s harder to detect, and harder to remove.
We should expect malware to evolve to defeat security controls. The industry is, and should be, working to develop new ways to detect and defeat evolving malware.
While it’s important to work on tools to detect specific malware, implementing tools to identify suspicious changes in the environment provides a solid defense in depth strategy. Even the most stealthy malware has an objective, most often making changes in the environment or moving data across the network to accomplish it. Security teams should be working to identify these behaviors, in addition to installing more basic detective tools.”[/su_note]
[su_note note_color=”#ffffcc” text_color=”#00000″]Jonathan Sander, VP of Product Strategy at Lieberman Software :
“When a developer is writing any application, even a mobile app, they have a lot of things to juggle. Anything they can do to make their lives easier is attractive. Skipping security has been one of the most popular ways for developers to try and make their lives easier for a very long time. So this news isn’t too surprising. What will change this over time is consumers demanding security be part of everything. Once it’s about competition and revenue, building proper security into applications will happen for sure.”[/su_note]
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.