"Ctrip in hand, go whenever you say." Behind that carefree advertising slogan, he said, lurks the risk of credit card leaks.
On the evening of March 22, Ctrip, the well-known Nasdaq-listed travel booking company, ran into a "dark cloud." According to the domestic vulnerability reporting platform Dark Cloud (WooYun), a flaw in Ctrip's payment logging allowed users' bank card information to be read by anyone. For a time, the public's sensitive nerves about privacy were provoked once again, and the information security problems of Internet big data applications were pushed into the spotlight.
A security expert explained that, with a user's mobile phone number, bank card number, and credit card verification code, an attacker can register a third-party payment account, bypassing the phone number the user has bound with the bank and making fraudulent charges. "This data can be used to open or link accounts at domestic third-party payment companies, of which there are up to hundreds, so there are many points available. Victims are exposed to the theft of funds."
It is reported that Ctrip has now established a security emergency response center and set up an information security incentive fund to reward those who find security vulnerabilities in Ctrip's systems.
High-risk Ctrip vulnerability may have disclosed consumer information
On the night of the 22nd, many users found messages on Weibo and in their WeChat Moments such as "Don't keep a credit card on Ctrip," "Quickly cancel every credit card you have used on Ctrip," and "ICBC has opened a green channel for cancelling credit cards linked to Ctrip." A technical description posted on the Dark Cloud platform is believed to be the main cause of the storm.
Dark Cloud's disclosure states that "the secure payment server interface Ctrip uses to process user payments has a debugging function enabled, and user payment records are saved as plain text." At the same time, because the server holding the payment logs lacked a strict baseline security configuration, it had a directory traversal vulnerability, so all of the payment-process debugging information could be read by any attacker. The issue was reportedly classified as "sensitive information disclosure" at the high severity level and is alleged to have leaked a large number of Ctrip users' cardholder names, ID card numbers, bank card numbers, card CVV codes, 6-digit card BINs, and other information.
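The disclosure blames two things: debug output written in plain text, and a log server whose file-serving code let a requested name walk out of the log directory. The following is an added example, not Ctrip's code or anything from the Dark Cloud report, showing the check a defender puts in front of any "give me this log file" endpoint. The directory, file names and log content are constructed for the demo; the weak pattern is shown only to make the contrast with the confined version visible.

```python
import os
import tempfile
from pathlib import Path
from typing import Optional

# Constructed sandbox directory standing in for the payment-log server's document root
# (hypothetical; a real server would use its own fixed log directory).
LOG_ROOT = Path(tempfile.mkdtemp(prefix="payment_logs_")).resolve()


def naive_log_path(requested: str, root: Path = LOG_ROOT) -> str:
    """The weak pattern: glue the client-supplied name onto the root directory.
    '..' segments and absolute names walk straight out of the directory."""
    return os.path.normpath(os.path.join(str(root), requested))


def resolve_log_path(requested: str, root: Path = LOG_ROOT) -> Optional[Path]:
    """The confined pattern: canonicalise the joined path (collapsing '..' and
    following symlinks) and accept it only if it is still inside root."""
    candidate = (root / requested).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        return None  # escaped the log directory
    return candidate


def read_log(requested: str, root: Path = LOG_ROOT) -> str:
    """Serve a log file by name, refusing anything that is not confined to root."""
    path = resolve_log_path(requested, root)
    if path is None or not path.is_file():
        raise PermissionError(f"refused: {requested!r}")
    return path.read_text(encoding="utf-8")


def escapes_root(path_str: str, root: Path = LOG_ROOT) -> bool:
    """True when a normalised path string lies outside root (shows the naive flaw)."""
    try:
        Path(path_str).relative_to(root)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    # Constructed sample log file; the content is fake.
    (LOG_ROOT / "2014-03-22").mkdir()
    (LOG_ROOT / "2014-03-22" / "pay_debug.log").write_text("order=1001 status=ok\n", encoding="utf-8")
    print(read_log("2014-03-22/pay_debug.log"))
    for name in ("../../etc/passwd", "/etc/passwd"):
        print(name, "naive ->", naive_log_path(name), "| escapes root:", escapes_root(naive_log_path(name)))
        print(name, "confined ->", resolve_log_path(name))
```

The point of `resolve()` followed by `relative_to()` is that the decision is made on the canonical path, after `..` and symlinks have been applied, rather than on the string the client sent. A debug log that should never have been web-reachable is still a problem; the check only stops it from being readable by anyone who guesses a name.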
Although Ctrip announced that only some customers who transacted on March 21 and March 22 might be affected, some consumers who had booked tickets and hotels through Ctrip chose, as a precaution, to immediately report their bank cards lost or change their passwords.
Many Ctrip members worry that binding a credit card or paying with one puts the card's information at risk of being compromised, and that once user information has leaked, no compensation Ctrip could offer would be meaningful to the user.
Suspected violation of information security management standards
"The first time you pay with a credit card, you have to provide a full set of information such as the card type, card number, and CVV2 code (the credit card verification code) before submitting the payment. The second time you use the same card on Ctrip, however, you only provide the last four digits of the card number and the CVV2 code, and Ctrip completes the payment. This means that Ctrip stores the user's credit card information," said Ms. Zou, a Ctrip member. "If it leaked out, it would be terrible!"
In the "UnionPay Card Acquiring Institution Account Information Security Management Standard," issued in 2008 by the China UnionPay Risk Management Committee, the reporter found the following wording: the system may store only the most basic account information necessary for the clearing and error handling of acquired transactions, and must not store bank card track data, card verification codes, personal identification numbers (PINs), or card expiry dates. Clearly, Ctrip's approach violated these standards.
A security professional who asked not to be named told the Daily Economic News reporter that platforms such as Taobao and JD.com (Jingdong Mall) do not record CVV information; the user submits the bank card data directly to the bank. "Ctrip's approach is clearly illegal and a potential risk, whether or not there is a leak," he said. "In particular, for the 93 users Ctrip disclosed as likely to be affected, the bank card information is sufficient for credit card replication and cloning."
He suggested that users who used Ctrip in the past week, especially on the 21st and 22nd, could choose to replace their cards and wait for Ctrip to release further information. "For users from a year to a week ago, I personally think the risk is not very small if the card is not frozen; they can then choose to turn on consumer SMS alerts and other measures to help strengthen security management."
93 users have been notified and asked to replace their cards
On the evening of the 22nd, Dark Cloud posted that Ctrip's technicians had confirmed the vulnerability and fixed it within two hours. Ctrip said that the users affected by the vulnerability were some of its recent transaction customers, that no user had been found to have suffered property losses as a result of the vulnerability, and that users' transactions on Ctrip remained safe. Ctrip added that if any user suffered property losses because of this vulnerability, Ctrip would provide compensation.
Yesterday afternoon, Ctrip further stated that a total of 93 users' payment information was potentially at risk and that these users had been notified to replace their credit cards. It explained that the flaw arose because the company's technical developers failed to remove a temporary log in time while troubleshooting the system; all of this information has now been deleted. Ctrip said its customer service staff notified the affected users yesterday to replace their credit cards, and that banks would also assist users with the card replacement procedures. Users who had not received a card replacement notice from Ctrip customer service by 22:00 on the 23rd can consider their personal information safe.
Junin, CTO (chief technology officer) of Mediav and a former Google technical director, offered the analysis that Ctrip may not have stored CVV information intentionally. However, "the disclosure of user credit card information is not as simple as a low-level technical mistake. Encrypting sensitive information at rest, being cautious with online debugging functions, cleaning up system logs in time, and keeping server security up to standard are common sense," Junin said.
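Two passages above describe what a payment system may keep: the UnionPay acquiring standard (only the minimum account data needed for clearing and error handling; never track data, CVV, PIN or expiry) and Junin's point that debug logging has to be handled with care. The following is an added example, not Ctrip's code, that shows both sides of that in working Python: a sanitiser that strips the forbidden fields and masks the card number before a payment record reaches any log, and a scanner a defender can run over an existing log (such as a forgotten debug log) to flag unmasked card numbers. The field names, the record and the log lines are constructed; the card numbers are the standard Luhn-valid test numbers, not real accounts.

```python
import re
from typing import Dict, List, Tuple

# Fields the acquirer standard quoted in the article says must never be stored (assumed names).
FORBIDDEN_FIELDS = {"cvv", "cvv2", "cvc", "track1", "track2", "pin", "expiry", "exp"}
# Fields holding a primary account number (PAN); kept only in masked form (assumed names).
PAN_FIELDS = {"pan", "card_number", "cardno"}

# 13 to 19 digits, optionally separated by single spaces or hyphens, not glued to other digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out most non-card digit runs such as timestamps and order ids."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the 6-digit BIN and the last 4 digits, mask everything in between."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13:
        return "*" * len(digits)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def sanitize_record(record: Dict[str, str]) -> Dict[str, str]:
    """Drop forbidden fields and mask the PAN before a payment record is logged anywhere."""
    clean: Dict[str, str] = {}
    for key, value in record.items():
        k = key.lower()
        if k in FORBIDDEN_FIELDS:
            continue
        clean[key] = mask_pan(value) if k in PAN_FIELDS else value
    return clean


def find_leaked_pans(text: str) -> List[str]:
    """Return Luhn-valid, card-number-looking digit runs found in free text."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def scan_log(lines: List[str]) -> List[Tuple[int, str]]:
    """Audit existing log lines for unmasked card numbers; returns (line number, PAN)."""
    findings = []
    for no, line in enumerate(lines, start=1):
        for pan in find_leaked_pans(line):
            findings.append((no, pan))
    return findings


# Constructed sample payment record, as a debug handler might see it before sanitising.
SAMPLE_RECORD = {
    "order": "1001",
    "name": "ZHANG SAN",
    "pan": "4111111111111111",
    "cvv2": "123",
    "expiry": "0916",
    "track2": "4111111111111111=09161010000000000000",
    "amount": "1280.00",
}

# Constructed debug log lines of the kind the disclosure describes (plain-text payment records).
SAMPLE_DEBUG_LOG = [
    "2014-03-22 22:01:05 DEBUG pay_req order=1001 name=ZHANG SAN pan=4111111111111111 cvv2=123 exp=0916 amount=1280.00",
    "2014-03-22 22:01:06 DEBUG pay_req order=1002 name=LI SI pan=5500 0000 0000 0004 cvv2=456 exp=1117 amount=340.50",
    "2014-03-22 22:01:07 INFO  pay_ok order=1001 pan=411111******1111 amount=1280.00",
]

if __name__ == "__main__":
    print("sanitised record:", sanitize_record(SAMPLE_RECORD))
    for line_no, pan in scan_log(SAMPLE_DEBUG_LOG):
        print(f"line {line_no}: unmasked card number {mask_pan(pan)} (full PAN withheld)")
```

Sanitising at the point where the record is built is what keeps a forgotten debug log harmless; the scanner is the after-the-fact check. Because Luhn accepts about one random digit run in ten, the scanner is a triage tool that needs a human look at each hit, which is why it reports the masked form rather than echoing the number into yet another log.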
Although other sites have not been hit by the same crisis as Ctrip, the surge of online payments has called the security of Internet information in the big data era sharply into question and cast a shadow over it.
Online travel industry is shaken
Ctrip's "security gate" incident has triggered public discussion and dealt a heavy blow to the fast-growing online travel agency (OTA) industry.
"The online travel industry was the first to achieve credit card authorization payments, in the air ticket and hotel sectors. Before Alipay and WeChat Pay became popular, the online travel industry, represented by Ctrip and eLong, had already popularized online payment by credit card, and many high-end business travelers use their services because of the convenient credit card payment functions at Ctrip and eLong. This incident will undoubtedly have a greater impact on the business traveler group," Zheng, a senior analyst in the tourism industry, told reporters.
"Ctrip's exposure is also a warning to other electronic platforms, especially OTAs, which should quickly examine themselves to prevent similar incidents from happening again and affecting consumer rights," said Wei Changren, the chief executive.