Ctrip told reporters that, on discovering the problem, the company immediately launched a technical investigation and fixed the vulnerability within two hours. Between the night of March 22 and March 23, Ctrip notified the 93 users judged to be at potential risk to replace their credit cards. According to feedback from the banks, no Ctrip user's credit card has been stolen so far.
Even so, many Ctrip users remain worried and calls for card replacement are widespread. Users interviewed said the banks have been understanding of the situation and are actively helping customers change their cards.
Nanfang Daily reporter Zhong
Key information such as the card CVV code may have been leaked
Ctrip vulnerability leaves users worried
Ctrip had left the debugging function enabled on the service interface that handles user payments, so that every packet exchanged with the banks' cardholder-verification interfaces was written directly to the local server. At the same time, because the server holding the payment logs had no strict baseline security configuration, it contained a directory traversal vulnerability, which meant all the debugging information from the payment process could be read by any attacker.
On the night of March 22, a "bug hunter" on the vulnerability disclosure platform WooYun, identified only as the vulnerability's author, published the finding about Ctrip. Behind the rather obscure technical language, the author stated the consequence of the vulnerability directly: customers who made payments on Ctrip may have had a whole series of core information disclosed, including "cardholder name, cardholder ID card number, bank card type (such as China Merchants Bank credit card or Bank of China credit card), bank card number, bank card CVV code, and the 6-digit card BIN (the six digits used to verify payment information)". With electronic payment now so common, this is without doubt the core information of a card user.
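As an added illustration (not Ctrip's code, which the article does not show), the two weaknesses described above are reconstructed in Python: a debug logger that serialises the bank verification packet verbatim, beside one that drops the CVV and ID number and masks the card number to BIN plus last four digits before anything is written; and a log-download function with the directory traversal flaw, beside a hardened version that confines every read to the log directory. The sample packet, field names, file paths and the "secret.cfg" file (standing in for the database configuration mentioned later in the article) are all constructed for the example.

```python
"""Reconstruction of the two root causes behind the Ctrip payment-log
exposure (illustrative code, not Ctrip's): a debug logger that writes the
raw cardholder-verification packet, and a log reader open to directory
traversal. Each is shown beside a hardened form. Every name, path and
value here is constructed for the example."""
import os
import re
import tempfile

# Constructed sample of the kind of packet the article says was logged.
SAMPLE_PACKET = {
    "cardholder_name": "ZHANG SAN",
    "id_number": "110101199001011234",   # constructed, not a real ID number
    "card_type": "CMB credit card",
    "card_number": "6225880123456789",   # constructed test PAN
    "cvv": "123",
    "bin": "622588",
    "amount": "1280.00",
}

# Fields that must never reach a log file: the CVV may not be stored at all
# (PCI DSS requirement 3.2), and the ID number has no debugging value.
NEVER_LOG = {"cvv", "id_number"}


def log_packet_verbatim(packet):
    """The weak setting: debug mode serialises the whole packet as-is."""
    return " ".join(f"{k}={v}" for k, v in packet.items())


def redact_packet(packet):
    """Copy safe for a debug log: secrets dropped, PAN masked to BIN + last 4."""
    out = {}
    for key, value in packet.items():
        if key in NEVER_LOG:
            continue
        if key == "card_number":
            digits = re.sub(r"\D", "", value)
            value = digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
        out[key] = value
    return out


def log_packet_redacted(packet):
    """The corrected setting: redact first, then serialise."""
    return " ".join(f"{k}={v}" for k, v in redact_packet(packet).items())


def read_log_vulnerable(log_dir, requested_name):
    """Joins an attacker-controlled name onto the log directory.
    os.path.join does not confine the result, so '../secret.cfg' escapes."""
    with open(os.path.join(log_dir, requested_name), "rb") as fh:
        return fh.read()


def read_log_safe(log_dir, requested_name):
    """Resolve the final path and refuse anything outside the log directory."""
    base = os.path.realpath(log_dir)
    target = os.path.realpath(os.path.join(base, requested_name))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError(f"path escapes log directory: {requested_name!r}")
    with open(target, "rb") as fh:
        return fh.read()


def demo():
    """Build a throwaway log directory plus a file outside it, then exercise
    both loggers and both readers. Returns the observations as a dict."""
    root = tempfile.mkdtemp()
    log_dir = os.path.join(root, "logs")
    os.mkdir(log_dir)
    with open(os.path.join(log_dir, "pay.log"), "w") as fh:
        fh.write(log_packet_redacted(SAMPLE_PACKET) + "\n")
    with open(os.path.join(root, "secret.cfg"), "w") as fh:
        fh.write("db_password=hunter2\n")   # stands in for exposed DB config
    traversal = os.path.join("..", "secret.cfg")
    leaked = read_log_vulnerable(log_dir, traversal)
    try:
        read_log_safe(log_dir, traversal)
        blocked = False
    except PermissionError:
        blocked = True
    return {
        "verbatim_has_cvv": "cvv=123" in log_packet_verbatim(SAMPLE_PACKET),
        "redacted_has_cvv": "cvv=" in log_packet_redacted(SAMPLE_PACKET),
        "vulnerable_leaked": b"hunter2" in leaked,
        "safe_blocked": blocked,
        "normal_read_ok": read_log_safe(log_dir, "pay.log").startswith(b"cardholder_name="),
    }


if __name__ == "__main__":
    print(log_packet_verbatim(SAMPLE_PACKET))
    print(log_packet_redacted(SAMPLE_PACKET))
    print(demo())
```

The containment check uses `os.path.realpath` on both sides so that symlinks and `..` segments are resolved before comparison; a plain string-prefix check on the unresolved path would still let `logs/../secret.cfg` through. Redaction happens before serialisation, so even a debug flag left on in production cannot write a CVV to disk.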
However, the reporter also learned yesterday that because of factors such as payment limits, it is still not easy for whoever stole the information to profit from it. "Many banks set an online payment limit on their credit cards, and payments over a certain amount trigger a dynamic verification code sent to the customer's phone, so even if someone has stolen the information it is difficult to overdraw a customer's account on a large scale," a banking industry source said. "But the leak of the credit card CVV code, the three-digit authentication code on the card, is troublesome: on some third-party payment platforms, verifying the CVV code alone may be enough to make a purchase, and that can cause losses to the cardholder."
For now, though, those who stole the information can at most carry out small-scale purchases such as mobile phone top-ups, and payments that are too frequent will be picked up by the banks' monitoring.
93 users at potential risk have been notified to change their cards
Ctrip undertakes to bear all losses
The incident still gave many people a fright. In response, Ctrip told reporters that the vulnerability was fixed within two hours of the problem being discovered.
According to its investigation, a Ctrip developer had earlier left a temporary log while troubleshooting a suspected problem in the system and, through negligence, failed to delete it in time; that information has now been deleted. According to Ctrip, only the person who discovered the vulnerability performed a test download, and the content contained a very small amount of encrypted card information, involving a total of 93 Ctrip users at potential risk.
Ctrip said that its customer service notified the affected users yesterday to replace their credit cards, and that the banks will help users complete the card replacement procedures as soon as possible. As of 22:00 on March 23, any user who has not received a card-replacement notification from Ctrip customer service has safe personal information and need not worry. Ctrip has notified the 93 users at potential risk to change their credit cards, and according to bank feedback no Ctrip user's credit card has been stolen so far.
Ctrip also committed that if any customer suffers losses in future because of the security vulnerability, Ctrip will assume full responsibility and pay compensation. To better protect users and the security of the website, Ctrip will bring in information security specialists to jointly strengthen the system's information security.
Many users online call for card replacement
Experts advise keeping an eye on bills
Even so, many users were not reassured by Ctrip's response, and for a time calls for card replacement filled the internet. One interviewee who had successfully changed card also said the bank was very cooperative.
"How frightening; who can say for sure about this kind of thing? I'd rather change the card first." A friend of the reporter, a self-described Ctrip "heavy user", said he still felt somewhat worried and simply changed cards, and that many people around him had the same idea.
"The Ctrip leak incident blew up overnight, and the details were all there. I had just paid on Ctrip for the first time last week, and I couldn't help feeling uneasy. Better to believe it." Another friend of the reporter said that yesterday he had tried to contact the China Merchants Bank credit card centre: "I wanted to ask about it, and as soon as they heard the story they replied that they could cancel the old card immediately and issue a replacement within two days." How fast that reaction was! It shows that the banks have also been very cooperative on this.
Network security experts suggest that customers who remain uneasy can keep a close eye on their credit card statements and transaction SMS notifications; if anything abnormal is found, they should contact the bank and Ctrip promptly to reduce losses. Once a cardholder has confirmed abnormal transactions on a credit card and suspects that the card information has been leaked, they should contact the bank promptly to replace the card.
Expert: beware of scams exploiting the Ctrip incident
Related reports
Recently, the vulnerability reporting platform WooYun published a network security vulnerability notice stating that Ctrip's secure payment logs could be downloaded, leading to the leakage of a large number of users' bank card information (including cardholder name, ID card number, bank card number, card CVV code and 6-digit card BIN), and that the details had been sent to the vendor and were awaiting processing. In addition, a Ctrip source code package that could be downloaded directly (involving database configuration and payment interface information) was also exposed. Regarding this sudden disclosure, Zhu Yipeng, a security expert at 360 Mobile Security, reminded users to pay closer attention to credit card information security and to be highly vigilant against fraudulent phone calls and SMS messages sent in the name of Ctrip or a bank credit card centre: if you receive such a call or message, do not be credulous.
According to Ctrip's response, the customers who may be affected by the vulnerability are some of those who made transactions on March 21 and March 22, and Ctrip said it will compensate any user who suffers property loss because of the vulnerability. Because the incident directly concerns people's money, it caused widespread public panic, and some fraudsters are exploiting that panic to carry out telecom fraud, forging SMS messages or customer service calls along the lines of: "Ctrip has suffered a security vulnerability that may lead to the leakage of your bank card information. Please log in to the following URL: http://xxx to change your bank card password and ensure the safety of your funds. Contact: 400*****"
According to 360's mobile security experts, the link in such a message can be forged into a phishing website that tricks users into entering their credit card number, password and other private information, leaking the key details of the bank card and leading to the funds on the card being stolen.
Experts remind users that, because the Ctrip vulnerability directly concerns the security of users' bank accounts, public attention is high. If you receive an SMS or phone call asking you to change your bank card password, do not believe it and do not casually visit the website in the message. Before calling back a number given in an SMS, check it against the customer service number printed on the credit card itself to make sure it is genuine. You can also use 360 Mobile Guard to intercept such scam messages, and if a message is confirmed as fraud, report it promptly.