BreachExchange mailing list archives

These Are The Mobile Sites Leaking Credit Card Data For Up To 500,000 People A Day


From: Inga Goddijn <inga () riskbasedsecurity com>
Date: Wed, 9 Dec 2015 19:07:05 -0600

http://www.fastcompany.com/3054411/these-are-the-faulty-apps-leaking-credit-card-data-for-up-to-500000-people-a-day

It's e-commerce 101: A company has to encrypt your credit card data when
you buy something online. Yet security company Wandera just found at least
16 companies, with a combined 500,000 daily users, who are not always
encrypting data—specifically not on their mobile websites and, in some
cases, their apps. Offenders range from giants like airlines EasyJet and
Aer Lingus to the San Diego Zoo and the TriBeCa Med Spa in Manhattan. Data
sent "in the clear" include credit card numbers, birth dates, and passport
numbers. The kicker: Wandera <https://www.wandera.com/> has had a difficult
time getting in touch with several of these companies to warn them ahead of
announcing the vulnerabilities today. (Wandera confirms that easyJet has
since fixed the vulnerability.)

"We were very surprised when we found [the vulnerability] in the first
place," says Wandera CEO and cofounder Eldar Tuvey. His two-and-a-half-year-old
company provides mobile security services for very large clients
including Bloomberg, Office Depot, and NATO by channeling all Internet data
through Wandera's servers. Artificial intelligence algorithms analyze the
data for patterns that indicate a cyber attack or employees going to NSFW
destinations, like porn or gambling sites. Faulty website encryption wasn't
even on the company's radar, he says, but it showed up in their analysis.
"We had been looking for man-in-the-middle attacks or jailbroken
phones…password leaks or username leaks," says Tuvey. "We didn't think we
would find any credit card data."

Tuvey suspects that the problem may go well beyond the 16 companies they
have found so far (listed at the end of this article). With a few hundred
clients, he estimates that Wandera sees only about 2% of the world's mobile
traffic. "If in our data that we do see we found this much, I'm assuming
that in all the other data that we don't see there's just as many if not
more," says Tuvey.

The rookie mistake is that these companies are using the regular http
protocol for web traffic instead of the encrypted https version that's
standard fare in the world of e-commerce. (It's required by the PCI
Security Standards Council
<https://www.pcisecuritystandards.org/organization_info/index.php>, a body
made up of the major credit card companies.) Many people have probably
heard the admonition to look for "https" at the beginning of a URL, and a
padlock icon signifying encryption near the address bar, before entering
credit card info into a web form.

"I think just because of the screen sizes it's a difficult thing," says
Tuvey. Mobile versions of browsers like Chrome and Safari do show the
padlock icon, but it's only a few pixels across; and both mobile and
desktop browsers sometimes hide the gobbledygook of web addresses, like
"http://" and even the "www" parts. And mobile apps don't have a standard
way to show if they are using an encrypted connection.

How Dangerous Is Mobile, Really?

So this sounds bad, but how dangerous is it, really, to send sensitive data
unencrypted over the Internet? The biggest hazard is often in the immediate
physical proximity, through what's called a man-in-the-middle attack.
Someone gets between a computer or cellphone user and their Internet
connection, allowing them to comb through all the data that passes to and
from the person's device. This can happen with public Wi-Fi, in which the
attacker is logged on to the same network that everyone else is. Or a
hacker can create their own network with a mobile hotspot that fits into a
backpack. "You can set one up in a coffee shop," says Tuvey, "call it Free
Coffee Wi-Fi, and you'd be amazed how many people just go onto it."
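As an added illustration of what an observer on that "Free Coffee Wi-Fi" (or a forwarding proxy like the one described above) can read, the following Python is not part of the FastCompany article and is not Wandera's tooling. It parses cleartext HTTP requests, finds card numbers in form fields and query strings, uses the Luhn checksum to separate real card numbers from order numbers and other long digit runs, and masks what it logs. The host, field names, card number and requests are constructed for the example.

```python
import re
from urllib.parse import parse_qs

# Candidate card number: 13 to 19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn mod-10 checksum; every issued card number satisfies it, so it
    separates real PANs from order numbers, phone numbers and timestamps."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits):
    """Keep the first six and last four digits, the masking PCI DSS allows
    for display, so findings can be logged without storing full PANs."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text):
    """Return masked, Luhn-valid card numbers found in a string."""
    found = []
    for match in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_ok(digits):
            found.append(mask_pan(digits))
    return found


def parse_http_request(raw):
    """Split a raw HTTP/1.1 request into (method, target, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def scan_cleartext_request(raw):
    """Report which fields of one http:// request carried card numbers.
    Everything here is readable by anyone on the network path; over https
    the same observer would see only the TLS handshake and ciphertext."""
    method, target, headers, body = parse_http_request(raw)
    sources = {"query": target.partition("?")[2]}   # GET parameters leak too
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        sources["body"] = body
    exposed = {}
    for qs in sources.values():
        for field, values in parse_qs(qs).items():
            pans = [pan for value in values for pan in find_pans(value)]
            if pans:
                exposed[field] = pans
    return {
        "method": method,
        "url": "http://" + headers.get("host", "?") + target,
        "exposed": exposed,
    }


# Constructed sample traffic (not real captures): a mobile ticket checkout
# POST and an order lookup GET, both sent over plain HTTP. The host name and
# the Visa test number 4111 1111 1111 1111 are placeholders.
REQ_CHECKOUT = (
    "POST /Mobile/checkout HTTP/1.1\r\n"
    "Host: tickets.example.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "name=Jane+Doe&cardNumber=4111+1111+1111+1111&exp=12%2F17&cvv=123&dob=1980-05-01"
)
REQ_LOOKUP = (
    "GET /Mobile/order?order=1234567812345678&email=jane%40example.com HTTP/1.1\r\n"
    "Host: tickets.example.com\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for raw in (REQ_CHECKOUT, REQ_LOOKUP):
        print(scan_cleartext_request(raw))
```

The checkout request is flagged on its cardNumber field; the lookup request is not, because its 16-digit order number fails the Luhn check. The same scanner run over a real capture (tcpdump on a hotspot, or the request log of a proxy that sees the traffic) shows exactly which mobile checkout pages post card data without TLS.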

Companies like Wandera protect users from this danger by encrypting every
bit of data that goes between their device and the Internet, regardless of
whether it's Social Security numbers or pictures of cats. If you don’t work
for NATO or Bloomberg or some other giant entity that subscribes to such a
service, you can do it yourself with encryption services and apps such as
Cloak <https://www.getcloak.com/> or TunnelBear
<https://www.tunnelbear.com/> that range from free for a certain amount of
data to about $10 per month.

Why Don't Companies Respond To Security Risks?

Everyone makes mistakes, but if you were an IT officer alerted to a major
security breach, why wouldn't you respond? Tuvey says that Wandera started
notifying the 16 companies on Sunday, once he felt confident that he
understood the vulnerability enough to alert them. That gave them just two
workdays before Wandera put out its press release on Wednesday, but this
seems like the kind of thing that would move to the top of someone's to-do
list.

The answer could be that the right people at some of these companies still
don't even know. "We've done our best to call them," says Tuvey. "But
mostly it's through email and online forms, because that's all that's
provided." This isn't the first time I've heard a security company say that
it had a hard time getting through to a company with a vulnerability, so I
decided to try for myself on Tuesday with a half-dozen companies on
Wandera's list—four in the U.S. and two in Europe. One company's phone
system dropped my calls, and I left messages with three others.

The San Diego Zoo called me back, and the press officer told me that its
mobile website doesn’t take ticket orders. When I tried it, however, it
featured a "Tickets" icon right on the home page. Clicking through took me
from "http://zoo.sandiegozoo.org/tickets" to
"http://tickets.sandiegozoo.org/Mobile/"—which had the exact same design and
took down all of my order information, including my credit card specifics.

Tuvey says he sees mixed results with contacting companies about
vulnerabilities. Some tech firms such as Apple (which he has contacted in
the past) are very responsive, he says, often with at least a dedicated
email address for reporting vulnerabilities. But he says that general
retailers, such as e-commerce and ticketing sites, are usually not so easy
to reach. "I think some of these companies are—how do you put it—careful
not to overly publicize their phone numbers," says Tuvey.

The affected companies, so far, are:

Aer Lingus
Air Canada
AirAsia
American Taxi
Chiltern Railways
CN Tower
Dash Card services/parking
easyJet (recently fixed)
Get Hotwired
KV Cars
Oui Car
Perfect Card.ie
Robe.fr
San Diego Zoo
Sistic
Tribeca Med Spa
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus 
on the right security.  If you need security help or want to provide real risk reduction for your clients contact us!