Ctrip to pay information leaked experts advise users to immediately stop the card

Today the cloud platform continuously discloses two Ctrip security vulnerabilities, the vulnerability found that because Ctrip opened the user payment service excuses debugging function, leading to Ctrip security payment log can be arbitrary also readable, the log can disclose including cardholder name, identity card, bank card category, bank card number, CVV code and other information. Now Ctrip has confirmed the vulnerability, experts advise users immediately to the corresponding bank application for a stop card. The vulnerability submitter said that Ctrip turned on the debugging function of the service interface for processing user payments, so that all packets to the bank verifying the card owner interface were stored directly on the local server. At the same time because the server that holds the payment log does not have a strict baseline security configuration, there is a directory traversal vulnerability, which results in all the debugging information in the payment process can be read by any hacker. The information contained in the security log includes: cardholder name, cardholder ID card, type of bank card (e.g. merchant bank credit card, Bank of China Credit card), bank card number, bank card CVV code and 6-bit bin of bank card (6 digits for payment). In this case, Ctrip official in the Cloud Vulnerability platform confirmed the vulnerability information, said that the problem has been fixed within two hours of the release of the vulnerability, may be affected by the March 21 and March 22 part of the trading customers, there has not been found due to related problems caused by customer information leakage and loss of the situation occurred. And said that if a user because the loophole caused property damage, Ctrip will compensate for losses. However, a senior network security personnel said, has not caused the loss of property does not mean that the user's account and bank card information security, it is recommended that users call the corresponding Bank of the customer service call to apply for a stop card, or directly for reporting losses. At present, there are users on micro-blog said that the relevant credit card for the loss of processing. According to the China UnionPay Risk Management committee issued in 2008, "UnionPay Card billing institution account information Security management standards", each receiving system can only store the most basic account information necessary for transaction clearing and error processing, and shall not store bank card track information, card verification code, personal Identification Code (PIN). And the validity of the card. The information stored in the Journal of Ctrip has exceeded the allowable range of the standard.