Today, Wandera announced the discovery of the CardCrypt security flaw affecting sixteen companies, including four major airlines – Air Canada*, easyJet*, AirAsia and Aer Lingus*. Each of the companies has been failing one of the most basic security requirements by not fully encrypting the traffic to the payment portion of its mobile website or app. This means that customers who used these services may unknowingly have had their credit card information sent ‘in the clear’, and have been at risk of having that information stolen.
* UPDATE: We are pleased to say we have learned that easyJet, Chiltern Railways, San Diego Zoo, CN Tower, Aer Lingus, Air Canada and SISTIC have now confirmed there is no ongoing issue. We will continue to assist others in trying to swiftly resolve this issue.
CardCrypt: A Global Problem
Which companies were leaking credit card information?
The sixteen companies span seven countries and the travel and leisure industries, and all perform e-commerce through an app or mobile website. Between them, the sixteen identified companies serve a combined 500,000 passengers and customers per day.
The 16 identified brands are:

UK & Europe

| Company | Country | Sector |
|---|---|---|
| Aer Lingus | Ireland | Air Travel |
| Chiltern Railways | UK | Rail Travel |
| Dash Card Services/Parking*** | UK | Parking Services |
| KV Cars | UK | Taxi Services |
| 1Robe.fr | France | Wedding Dress Retailer |
| Oui Car | France | Taxi Services |

US & Canada

| Company | Country | Sector |
|---|---|---|
| San Diego Zoo | US | Tourist Destination |
| Air Canada* | Canada | Air Travel |
| CN Tower | Canada | Tourist Destination |
| American Taxi | US | Taxi Services |
| Get Hotwired | US | Broadband Provider |
| Tribeca Med Spa | US | Health Spa |

Rest of World

| Company | Country | Sector |
|---|---|---|
| SISTIC | Singapore | Event Ticket Provider |
* Did not include the CVV code but did include Passport details
** Only included card number and CVV
*** Included car registration, email address, mobile phone number
What information was exposed?
Every one of the companies has exposed the full credit card number unencrypted. All of the companies, except for Air Canada, also exposed the CVV number. But the CardCrypt flaw is not limited to just this information. Alarmingly, the amount of additional information that was exposed by some of the companies has been significant and included card expiration date, full name, billing address, email addresses and even passport information.
How did Wandera detect CardCrypt?
Because Wandera sits in the path of mobile data, it is uniquely positioned to detect and block security threats such as these in real time.
Because of its multi-level architecture, Wandera’s technology detects security threats that might otherwise go unnoticed. The Wandera App sits on mobile devices and provides device-level security, while Wandera’s Cloud Gateway is a proxy that scans its customers’ mobile data traffic for security threats as it travels from the device to the website or app service.
Wandera’s Threat Research Team identified the CardCrypt flaw while testing new scanning and blocking techniques for security threats. Our researchers were skeptical at first because these companies use encryption elsewhere in their websites and apps, so we were surprised that encryption was not used everywhere at all times. After further investigation, we understood that this flaw placed the general public’s PII (personally identifiable information) at risk.
Is this worse than the NFL App leak Wandera disclosed last year?
Yes, this is far worse. First, the information is far more dangerous because credit card information was sent from the mobile device unencrypted. Second, the NFL App leak was limited to one app while CardCrypt is global in nature.
Read more about NFL App Threat advisory
What are the commonalities amongst the affected companies?
First, the flaw is associated with sites that are accessed mostly via mobile. We see it because the Wandera platform is ‘mobile first’. There are probably many more sites out there that we haven’t seen yet on our platform that are just as bad, if not worse.
The second theme is that most of the companies are in transportation (including planes, trains and automobiles) or ticket services for tourist attractions, which you are more likely to access using your mobile device, and not from your office desk.
The third theme is that the unencrypted communication is not always with the full website; in some cases it is limited to a small number of pages within the site, such as the upgrade payment pages, which are unencrypted and have seemingly slipped through the development process. CardCrypt demonstrates weaknesses, even within large companies, in securing the whole end-to-end service rather than just the front door or the main site where users buy tickets. They need to consider the entire mobile site or app.
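The gateway-side detection described above, and the per-page nature of the flaw, can be illustrated with a small scanner. This is an added example, not Wandera’s code: it runs over constructed proxy log records (scheme, host, path, request body), ignores TLS-protected requests whose bodies a proxy cannot read, and flags cleartext requests that carry a Luhn-valid card number, reporting the host and path so that a single unencrypted payment page on an otherwise encrypted site stands out. Host names, paths and card values are invented test data.

```python
import re

# Constructed proxy log records (not real Wandera data): scheme, host, path, body.
# A gateway proxy only sees the request body when the request is not TLS-protected,
# which is exactly the condition CardCrypt describes.
SAMPLE_REQUESTS = [
    ("https", "www.example-airline.example", "/book", "flight=LHR-DUB&pax=1"),
    ("http", "m.example-airline.example", "/upgrade/payment",
     "name=A+Traveller&card=4111111111111111&cvv=123&exp=12%2F27"),
    ("http", "m.example-airline.example", "/static/logo.png", ""),
    ("http", "www.example-taxi.example", "/pay", "order=42&card=4111111111111112"),
]

# 13 to 19 digits, optionally separated by spaces or hyphens, not adjacent to other digits.
DIGIT_RUN = re.compile(r"(?<!\d)(\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check, so plain digit runs (order ids, phone numbers) are not flagged as cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return the Luhn-valid card numbers (digits only) found in a request body."""
    pans = []
    for m in DIGIT_RUN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            pans.append(digits)
    return pans


def mask(pan: str) -> str:
    """Keep only BIN and last four so the finding itself does not leak the card."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_cleartext_payments(requests) -> list[dict]:
    """Flag cleartext (non-TLS) requests that carry a card number, by host and path."""
    findings = []
    for scheme, host, path, body in requests:
        if scheme != "http":
            continue            # TLS-protected bodies are opaque to the proxy
        for pan in find_pans(body):
            findings.append({"host": host, "path": path, "pan": mask(pan)})
    return findings
```

On the sample data only the `/upgrade/payment` page is reported, even though the same airline serves its booking page over HTTPS and the taxi site's digit run fails the Luhn check.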
How many people are affected?
Wandera detected this unencrypted data being sent by phones used by employees of Wandera’s customers. The reality is that only the 16 companies that run these apps and mobile web properties can disclose how many customer records were exposed unencrypted. In addition, only they know how long the vulnerable code has been deployed and used. To illustrate the scale of the potential exposure, the combined companies service 500,000 customers or passengers each day.
What were people using on their phone to access the sites?
The majority of incidents detected occurred in the browser; however, we did see some through apps.
For the apps that were affected, are they available in app stores?
Yes, some of them are. Security is not the overriding consideration for successful submission to the major App Stores. App Stores are also concerned with user experience and design rather than just the security of the data that passes through the app.
Why would a company not encrypt credit card information?
There is no good reason not to encrypt this payment information. It is bad practice. Indeed, best practice today is for most companies to encrypt everything. This is most likely an unintentional error. We can only hypothesize on what happened:
What should these companies do?
The fix is simple and inexpensive. They need to encrypt all their payment traffic.