Security issues will become a big problem in the internet age, and Ctrip's "card gate" once again alerts the world.
At the weekend, China Merchants Bank's service line was flooded with calls: many users were asking whether credit cards they had used in Ctrip transactions needed to be frozen. Many chose to change the card first, then freeze the old credit card for safety. Other users posted in their social circles that they would "never go to Ctrip again."
On the night of March 22, the vulnerability-reporting platform Cloud Network (WooYun) disclosed a Ctrip security vulnerability. The discoverer, "pig", said that because Ctrip had left the debugging function of the user payment service interface enabled, debugging information from the payment process could be read by any attacker. Because Ctrip's secure payment logs could be downloaded, a large amount of users' bank card information was leaked, including cardholder name, ID card number, bank card number, card CVV code, 6-digit card BIN and so on.
Why did this happen? A Ctrip representative interviewed by a 21st Century Economic Report reporter said: after investigation, Ctrip's developers had left a temporary log in order to troubleshoot the system, and through negligence it was not deleted in time; at present this information has been deleted.
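The leak described above came from a troubleshooting log that stored full card data. As an added example (not Ctrip's code; the record field names are assumed), a small Python redactor that drops the CVV outright and keeps only the last four digits of card and ID numbers, applying a Luhn check before masking digit runs found in free-text messages so that order ids are left alone:

```python
import re

# Field names assumed for a hypothetical payment service, not Ctrip's real schema.
SENSITIVE_DROP = {"cvv", "cvc", "cvv2", "pin"}          # never written to any log
SENSITIVE_MASK = {"card_number", "pan", "id_number"}    # keep only a 4-char suffix

# Runs of 13 to 19 digits, optionally space- or dash-separated, inside free text.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so timestamps and order ids are not masked by mistake."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask_pan(text: str) -> str:
    """Replace every Luhn-valid card number in free text with ****<last4>."""
    def sub(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)
        return "*" * (len(digits) - 4) + digits[-4:]
    return PAN_RE.sub(sub, text)

def redact_payment_record(record: dict) -> dict:
    """Return a copy of a structured log record that is safe to persist."""
    out = {}
    for key, value in record.items():
        k = key.lower()
        if k in SENSITIVE_DROP:
            continue                      # CVV must not be retained at all
        if k in SENSITIVE_MASK and isinstance(value, str):
            out[key] = "*" * max(len(value) - 4, 0) + value[-4:]
        elif isinstance(value, str):
            out[key] = mask_pan(value)    # catches PANs pasted into message text
        else:
            out[key] = value
    return out

# Constructed sample record; the card number is the standard Visa test PAN.
SAMPLE_RECORD = {
    "name": "constructed user", "card_number": "4111111111111111", "cvv": "123",
    "id_number": "110101199001011234",
    "msg": "retry pay with 4111 1111 1111 1111 order 20140322123457",
}

if __name__ == "__main__":
    print(redact_payment_record(SAMPLE_RECORD))
```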
An enterprise IT security manager told the 21st Century Economic Report that exploiting a directory traversal flaw could allow an attacker to go beyond the server's web root to access other parts of the file system, reach restricted files or resources, or take more dangerous actions.
In addition, Ctrip may have violated the existing ban on recording the CVC code and may face heavy penalties.
Not an international standard
Anyone who has paid by credit card on Ctrip knows that on first use they must provide a complete set of information such as credit card type, card number, expiry date and CVV code (the credit card verification code) before submitting the payment. But the second time the same credit card is used on Ctrip, the user only has to provide the last four digits of the card number and Ctrip completes the payment.
And the CVV is almost the core piece of information: if a card number, name and expiry date are quoted, how does the merchant confirm that the card is actually in the user's hands? The criterion is whether the CVV number can be quoted. If someone intercepts the user's name, ID card number, bank card number, CVV code and other information, the most serious consequence is that this full card data can be used to clone the credit card and spend at online or physical merchants.
In fact, standards on retaining the CVV code differ between markets. In the United States, for example, Target, Amazon and other retailers also require the CVV code to be retained when paying by credit card, but in China UnionPay requires that the CVV code must not be retained for credit card payments.
Security has always been a big problem in the internet age. In 2006, in response to payment security, the world's five largest international card organizations, Visa, MasterCard, American Express, Discover Financial Services and JCB, launched the PCI Security Standards Council and established a set of basic technical and operational security requirements for protecting cardholder data, namely the PCI DSS standard.
Beijing Aerospace Billion Exhibition Technology Co., Ltd. is a PCI DSS partner in China; in 2007 the company, together with Visa and China Construction Bank, introduced the standard into the country.
The company's staff told reporters that PCI DSS sets standard requirements for the security of payment gateways, covering security management, policies, processes, network system structure and so on. By their account, merchants abroad are currently divided into four levels by annual transaction volume. Level one, merchants with annual volume above 6 million, must adopt the system; level two is annual volume of 1 million to 6 million; level three is annual volume of 1 million to 2 million; level two and three merchants can ask the relevant personnel at the company to carry out business compliance, and compliant merchants receive the corresponding reports. Level four, annual volume of 20,000, is not mandatory.
At present, China Southern Airlines, Net Silver Online, Alipay, Fast Money, UnionPay and other companies and third-party payment providers have obtained the certification. The company's staff told reporters that once Alipay introduced the system, it required its large merchants to obtain PCI DSS certification. "Our specifications are updated every so often."
Among online travel sites, only Qunar ("Where to Go") has introduced the certification standard. The above staff told reporters that Ctrip had previously intended to adopt the system, but after the company's staff investigated, they found that rectifying Ctrip's systems would be too difficult: it has many types of business with a lot of overlap, and adopting the system and rectifying would change the structure.
"It is not that Ctrip does not want to do it, but its own technical conditions; PCI also has provisions for this, and you can apply for approval." As for whether Ctrip has carried out business compliance, the above staff said it was not clear.
Ctrip responded to reporters that the system is not mandatory. In Ctrip's view, the system has no relevance to whether online payment is safe; it is a commercial certification qualification, not an industry access standard, and cannot represent any problem. "It's like if I'm a food company and don't have ISO9000 certification, can you say I'm not safe?"