CardCrypt vulnerability: Aer Lingus and others hit by serious credit card leakage

Security isn't 'plane sailing' by all accounts

Data leak

(The article has been amended to carry the statement below: "As of a call with easyJet that concluded at 14.05 on Wednesday 9th December, Wandera is pleased to say that easyJet has confirmed that this is no longer an ongoing issue." – Eldar Tuvey, CEO and co-founder, Wandera.)

Another major security hole has been discovered, and this time it involves financial information as well as personal data: credit card details are leaking during purchases made through certain firms' mobile websites and apps.

Wandera discovered this vulnerability, which it has named CardCrypt, and observed that unencrypted payment information is being leaked from smartphones when users are completing transactions via the mobile web or when using apps.

The companies affected include Chiltern Railways and Dash Card services in the UK, and Aer Lingus in Ireland, along with Air Canada, AirAsia and American Taxi to name a few (16 companies are affected in total).

The data spilled includes complete credit card details (including the crucial CVV security number on the back in some cases), as well as customer names and addresses, along with contact details and of course details of the transactions.

Wandera notes that the exact data being leaked varies from company to company, depending on what the organisation requires from the customer to process the transaction, but in almost every case complete credit card data was picked up unencrypted (and apparently detailed passport information in one case).

Yes, that's a highly worrying situation indeed, particularly for the customers of these 16 companies which number around half a million per day.

If you use one of the companies, then you probably won't be comforted to hear that in Wandera's tests, complete credit card data was leaked unencrypted.

HTTPS failure

Perhaps even more worrying is the basic nature of this vulnerability, as the leak is occurring because these organisations' sites and apps are not using HTTPS to encrypt the data being sent from the phone to the company. Instead, the sensitive financial details are simply being transmitted over a standard HTTP connection, leaving them open to interception and subsequent misuse.

Isn't HTTPS a requirement in such transactions? Indeed it is: PCI DSS (the Payment Card Industry Data Security Standard) stipulates that sensitive cardholder information must be encrypted when it is transmitted over public networks, for obvious reasons.
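The failure described above (card data sent over plain HTTP) is something a company can check for in its own app's traffic before a third party does. The script below is an added example, not Wandera's tooling or code from any of the companies named: it takes a list of captured requests in a simplified HAR-like shape (the sample capture, hostnames and card numbers are all constructed; the card numbers are standard test numbers), ignores anything sent over https://, and flags plaintext requests whose body carries a Luhn-valid card number or a field named like a card security code. The set of CVV field names is an assumption. Findings are masked to the last four digits so the audit log does not itself become a leak.

```python
"""Detect payment-card data leaving a device over plaintext HTTP.

Added example, not Wandera's tooling. It scans a list of captured HTTP
requests (constructed below in a simplified HAR-like shape) and flags any
request sent over http:// whose body carries what looks like a primary
account number (PAN) or a card security code field.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlparse

# Candidate PAN: 13-19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Field names that commonly carry the card security code (assumption: a
# typical set; real apps may use other names).
CVV_FIELDS = {"cvv", "cvc", "cvv2", "securitycode", "security_code"}


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return Luhn-valid card numbers found in text (digits only)."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask(pan: str) -> str:
    """Keep only the last four digits so findings can be logged safely."""
    return "*" * (len(pan) - 4) + pan[-4:]


def audit_request(req: Dict) -> Optional[Dict]:
    """Return a finding if the request sends card data without TLS, else None."""
    url = urlparse(req["url"])
    if url.scheme == "https":
        return None  # encrypted in transit; out of scope for this check
    body = req.get("body", "")
    pans = find_pans(body)
    fields = {k.lower() for k in parse_qs(body).keys()}
    cvv_present = bool(fields & CVV_FIELDS)
    if not pans and not cvv_present:
        return None
    return {
        "url": req["url"],
        "pans": [mask(p) for p in pans],
        "cvv_field_present": cvv_present,
    }


def audit(requests: List[Dict]) -> List[Dict]:
    """Run audit_request over a capture and keep only the findings."""
    return [f for f in map(audit_request, requests) if f]


# Constructed sample capture: the hosts are made up and the card numbers
# are well-known test numbers, not real cards.
SAMPLE_CAPTURE = [
    {"method": "POST", "url": "http://m.example-airline.test/pay",
     "body": "name=A+Customer&card=4111111111111111&expiry=1217&cvv=123"},
    {"method": "POST", "url": "https://m.example-rail.test/pay",
     "body": "name=B+Customer&card=5500000000000004&cvv=456"},
    {"method": "GET", "url": "http://m.example-taxi.test/schedule?ref=12345678901234"},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_CAPTURE):
        print(finding)
```

Run against a real capture (for example one exported from a proxy placed between a test device and the internet), the only acceptable result is an empty list; any finding means the app or one of the third-party libraries it bundles is posting card data without TLS, which is exactly the condition PCI DSS forbids. The second sample request is deliberately skipped because it uses https://, and the third carries no card data, so only the first is reported.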

Eldar Tuvey, CEO of Wandera, commented: "We believe there are two likely reasons why HTTPS has not been used. It could be a flaw in the coding, or it could be a case of relying on inadequate third-party services or libraries. Either way, it's astounding to me that these companies have failed to exercise sufficient care in the collection of their customers' personal data."

There could well be other companies afflicted by the same flaw, too. Meanwhile, the above firms have already been notified of this problem, and are hopefully taking action (or have already taken it).
