It has been reported that 16 companies from around the globe have exposed credit card data during payments to their mobile websites and apps, including Aer Lingus, Chiltern Railways, EasyJet, San Diego Zoo, Air Canada, Sistic and AirAsia.
Reports suggest the leakages seem to be being caused by not using HTTPS secure protocol to secure and encrypt data connections between the mobile device and the company’s website, mobile website or backend web services. Instead, the data is being transmitted unencrypted or ‘in the clear’ and available for anyone to intercept.
IT Security experts from Imperva and ESET explain what happened and what the companies and users can do now:
Itsik Mantin, Director of Security Research at Imperva:
- What happened?
“Most of today’s mobile applications are connected to web servers, where sensitive data such as the user’s personal or financial information is stored, and made accessible. According to the researchers, the communication between the mobile client and these web servers was not protected, allowing attackers access to this data. With the application providers refuting the claims, it is hard to tell what sensitive data was actually at risk.”
- Being nearly in 2016, surely all major retailers should be using HTTPS, what could be the reasons for not using it?
“This incident is another example to the saddening fact that web interfaces that serve mobile applications in many cases fail to provide the most basic protection measures. I think the main reason for that is the exaggerated focus of mobile security community from the client side, despite the fact that the data of all users resides in the server. This leads to consistent overlooking of the security of these servers and the risk of user data being leaked.”
- What should customers do to ensure their mobile transactions are safe?
“Unfortunately there is not much a user can do to protect personal and financial information accessible through his mobile application, except for counting on the provider to take adequate measures to protect the servers.”
Mark James, Security Specialist at IT Security Firm ESET:
- What happened?
“A massive amount of useable and identifiable data has potentially been compromised from companies using mobile apps to make transactions for the end users. Whenever financial data is being transmitted back to servers it is imperative these days that it’s sent over a secure method to stop people listening in and capturing that data.
If it’s not sent in a secure method, the data in theory would be as easy to read as plain text on a document. We often hear about data breaches where snippets of information are breached like the last 4 digits of your credit card or some of your personal information. However, in a lot of these cases full information is leaked that could easily be used to make purchases like CVV and full credit card numbers along with in some cases complete passport information.”
- Being nearly in 2016, surely all major retailers should be using HTTPS, what could be the reasons for not using it?
“Absolutely in this age of digital technology any financial data should be sent over a secure connection, there is no excuse these days. The possible reasons why it would not happen are; replacing existing infrastructure to accommodate the newer technologies at huge costs, subbing out the communication systems and trusting someone else with security or possible vulnerabilities in the software being used.”
- Can you see any trends/similarities in the affected companies?
“The end user wants everything delivered to their mobile devices, data on the move is massive and quite often these days you have to keep up or get left behind. Getting mobile apps out to the public as quickly as possible might appear to give you the edge in a competitive market but you have to invest heavily in security and protecting the end user against compromising that data.”
- What should customers do to ensure their mobile transactions are safe?
“The biggest problem is you have no control over how others protect your data, if you want the ease and availability of doing things on the go then you have to trust the companies you’re using to keep it safe.
To protect yourself you could allocate credit cards for online use only, segregate your payment systems so if something goes wrong you can limit the damage caused to your whole finances. Also, keep a close eye on your financial statements so you have the best possible chances to find and stop any transactions before they get out of hand.”
- What lessons can other retailers learn from this?
“You absolutely have to send financial and critical private information over secure channels, you cannot afford to wait and chance it not happening to you. Sooner or later your business will be the victim of cybercrime, making sure it’s not successful should be your highest priority.”
[su_box title=”About Imperva®” style=”noise” box_color=”#336588″]
Imperva® (NYSE:IMPV), is a leading provider of cyber security solutions that protect business-critical data and applications. The company’s SecureSphere, Incapsula and Skyfence product lines enable organizations to discover assets and risks, protect information wherever it lives – in the cloud and on-premises – and comply with regulations. The Imperva Application Defense Center, a research team comprised of some of the world’s leading experts in data and application security, continually enhances Imperva products with up-to-the-minute threat intelligence, and publishes reports that provide insight and guidance on the latest threats and how to mitigate them. Imperva is headquartered in Redwood Shores, California.[/su_box]
[su_box title=”About ESET” style=”noise” box_color=”#336588″]
Since 1987, ESET® has been developing award-winning
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.