Reason for the Ctrip leak incident: only six or seven core IT staff

Ctrip leak incident (TechWeb image)

Yeyaming never expected that the technology upgrade he was driving at Ctrip would put so much pressure on its OpenStack team. Since taking office, Ctrip's new technical vice president has made sweeping changes to the entire technical framework. As the saying goes, what made him may also undo him. A credit card payment vulnerability disclosed on the Cloud vulnerability platform has tripped up the ambitious Yeyaming. This vulnerability hash is: bf9165488f5e2ea3ca02ec6b310446b0.

In the past, the Cloud network has continuously disclosed high-risk vulnerabilities in how Jingdong Mall, Alipay, NetEase and other well-known domestic Internet companies protect user information. However, the detailed description of the Ctrip vulnerability, under which the names, ID numbers, bank card types, bank card numbers, CVV codes and other information of Ctrip users who paid by credit card may have been read by hackers, touched a public nerve. This blockbuster credit card flaw has been exposed by the media before, and payment without the card and without a password is a common problem across online OTA websites, yet it is Ctrip that has taken the hit.

Ctrip's technology R&D department and information security department are well regarded in the industry. Ctrip's IT systems are entirely self-built and include the website system, the online trading system, the procurement system and other subsystems; in complexity, only Taobao is comparable. The key point, however, is that there is a subtle tug-of-war between the technology development department and the information security department. Ctrip's vulnerability originated in an accidental mistake by department employees, and it is also the inevitable result of vicious competition among OTA (online travel agent) companies.

The online travel market can be read in many ways. Ctrip, the pioneer with the largest market share, once led the field and dominated it alone.
However, with the rise of competitors such as Art Dragon and Where to Go, its leading position is already in jeopardy. In its business model, Ctrip still relies on the volume brought in by the call center it set up more than 10 years ago, while its old rival Art Dragon long ago reinvented itself, cutting off its offline card-issuing channels to concentrate fully on online sales. Ctrip stood still until Yeyaming appeared.

As the leader of the OTA industry, Ctrip has, over more than 10 years of development, gradually built its own moat: a powerful IT system. This core department has always been quite mysterious, and the insiders approached by the Financial Weekly reporter declined to be interviewed. The Financial Weekly reporter made inquiries through many channels, trying to uncover this little-known corner.

Ctrip's IT system is complex and huge, and it was built entirely in-house, step by step. After his arrival, Yeyaming completed several important technical improvements at Ctrip. According to public information from CSDN, the China Software Development Alliance, Ctrip's technical upgrade covers both the front end and the back end. On the front end, the website's pages were redesigned; on the back end, an Open API (open application programming interface) opened up platform resources, and a data center was set up for large-scale data processing.

Cloud technology is only a small trial for Yeyaming. His greater ambition lies in renewing the company's technical framework, and Ctrip has now adopted the OpenStack cloud computing platform to build it. He is playing a long game. In Yeyaming's eyes, future business growth on the wireless side will far exceed that of the call center. Under the new architecture, physical machines can be fully virtualized. For example, when 300 people are added, 300 virtual machines are generated for them; the headcount increases, but the number of machines to manage does not change, which improves efficiency.
One can imagine that, had all this gone off without a hitch, it would have been called Yeyaming's great campaign at Ctrip. However, the Financial Weekly reporter found from public information on CSDN, the China Software Development Alliance, that Ctrip's OpenStack team totals fewer than 20 people, of whom only six or seven are core technical staff, a drop in the bucket compared with the huge call center and wireless business staff.

Sink, ruined in the nest.

This is the department that builds such a large system, yet not long ago, because its technical staff were not careful, hackers were handed an opening. On the afternoon of March 22, the Cloud platform published a notice that Ctrip's system had a technical vulnerability that could leak users' personal information, bank card information and other data. At 11 o'clock that night, Ctrip technicians confirmed the vulnerability. At 7 on the morning of the 23rd, Ctrip officially said the vulnerability had been fixed.

According to the Cloud network, Ctrip had turned on the debugging function of the service interface used to process user payments, so that some of the packets sent to the banks' cardholder verification interface were saved directly on the local server. Asked by the Financial Weekly reporter about the cause of the incident, Ctrip public relations said: "The vulnerability arose because Ctrip technicians, while troubleshooting a system problem on a server, left a temporary log that was not deleted in time."

As for how such problems are investigated, technical staff at a related website described the process in detail to the Financial Weekly reporter. All websites are similar in this respect: their technicians periodically scan every server, mainly to discover latent vulnerabilities and patch them. Some of these scans are done in-house and some by third-party agencies, which issue lists of vulnerabilities and remediation advice.
The department that does this scanning is known as the information security department or the risk control department. Ctrip has an independent information security department specifically responsible for vulnerability scanning and troubleshooting, yet this vulnerability was published by the third-party platform Cloud Network.

Ctrip public relations told the reporter that this information is also kept in an encrypted state, so even someone who obtained it would have to crack it before it could be read. That is not a difficult task for hackers.

The Financial Weekly reporter also called another OTA company, on whose website payment succeeds, just as at Ctrip, without the card and without a password. Its CEO said: "We do not store in clear text; we store it encrypted. We have also looked at the Ctrip case, but the specifics are not very clear to us." For customer information where payment was not made at the time, there is no rule about keeping sensitive customer information for 7 days; the specifics are handled by the R&D, audit, legal and risk control departments.

Thumb + cement

The Ctrip incident is just the tip of the iceberg. Credit card payment without the card and without a password is common. Whether on Ctrip or on OTA websites such as Same Process Network, Art Dragon Net and Mango Net, paying by credit card needs only the card number, validity period and CVV code; neither the password nor the card is required.

"This payment method, without the card and without a password, is reasonable and is the industry rule. It is commonly used for hotel bookings and by Ctrip and similar business travel websites. In principle, a travel website should not keep information such as the CVV, which is illegal, but the bank does not know whether the site is doing so," Shaorijuan, a staff member in the office of CCB's Credit Card Department, told the Financial Weekly reporter.
The bank's credit card commissioner also confirmed this, saying that there are many channels for this kind of payment and that a complete list is not available at this time. On most foreign transaction sites, too, payment can be completed with the card number, the validity date on the card face and the last three digits on the back. Some websites, however, require the MasterCard or Visa authentication service and ask for a query password to be entered for verification.

Ctrip's mistake was to keep sensitive information such as the CVV code, which violates central bank regulations. Article 28 of the central bank's "Bank Card Receipts Business Management Measures" stipulates that the receiving institution shall not in any way store bank card track information or chip information, the card verification code, the card validity period, the personal identification code or other sensitive information, and that it shall take effective measures to prevent special merchants and outsourced service organizations from storing sensitive bank card information.

On this point, Ctrip told the Financial Weekly reporter: "We will delete the customer's CVV information once the transaction is completed and will no longer save it." The previously saved CVV information is being deleted. The credit card information that was retained was always encrypted in transmission and in storage, and no unauthorized person can access it.

But why did Ctrip illegally keep sensitive information about customers' credit cards? "There are several considerations behind recording the information. User convenience is one of them, and making it easier for themselves to do debugging and the like is another, but it is hard for us to know what other specific purposes there are. You can be sure that Ctrip will not steal from users' cards. Generally speaking, these well-known sites that handle payments are credible and do not act to harm users, but they do not implement some regulations well, and that is a mistake in their work."
So Cosine, director of the research department at Beijing Know Chong Yu, the company that was first in China to propose cloud monitoring and cloud defense for website security, told the Financial Weekly reporter.

The Ctrip flaw arose because developers turned on debugging and left a temporary log, which created the possibility of an information leak. What does it mean for developers to turn on debugging? "In program development, turning on the debugging function helps programmers pinpoint problems across the whole payment flow, which may help them improve their business. This applies not only to developing new products; existing payment flows may also contain logic flaws such as bugs. Debugging helps programmers or developers further improve their work," Cosine explained.

This touches on a common tension between R&D and the security department: in meeting business needs, development may be negligent. The security department may require developers to follow certain security standards, but implementing those standards may also slow development. "They are two complementary departments. If they cooperate well, incidents like Ctrip's will not happen," Cosine told the Financial Weekly reporter.

Some industry analysts therefore believe that Ctrip's user information leak may be an indirect result of pushing wireless R&D too fast. The head of Public Comment Network's technology department, who once visited Ctrip, also expressed admiration for the speed of Ctrip's product development and updates. After returning last year, Ctrip CEO Liang Jianzhang's first priority was to introduce the "thumb + cement" strategy, shifting more resources to the mobile Internet, with all the latest and richest travel products launched first on mobile. Liang Jianzhang said that the mobile Internet, represented by the wireless client, will be a key breakthrough point for Ctrip.
Within Ctrip, the wireless business is called "two times". But Cosine believes the incident has little to do with market competition and is instead related to developers' security awareness.

Ball-edge gene

Since payment without the card and without a password is the industry norm, and such credit card payment flaws have already been exposed in the media, why has the Ctrip vulnerability attracted so much attention and discussion?

"First, it concerns citizens' property, which users care about a great deal. Second, quick payment by credit card is very convenient; unlike a bank card, a credit card does not even need a password. Third, there is a lot of black PR hype in this affair, wantonly exaggerating it and irresponsibly blowing it up. Have you heard of anyone whose card has been fraudulently charged these past few days?" Cosine asked the reporter in return. As a member of the security community, he said bluntly that hackers will not steal and charge cards over a hyped matter.

As the leader of the online travel market, Ctrip has a broad user base. Ctrip is reported to issue about 800,000 or more tickets a day. Since 2012, when Yi long provoked Ctrip and set off a price war among domestic OTAs, Ctrip has found itself passively encircled by smaller OTA companies acting together; those that have joined this war include Art Dragon, Same Journey, Where and Mango.

After more than a year, the OTA landscape has not changed. Despite the assault, Ctrip remains the leader, and its 2013 results were quite bright. According to its earnings report, Ctrip's 2013 net operating income was 5.4 billion yuan (about 890 million U.S. dollars), up 30% on 2012, while Art Dragon's 2013 net loss of 168 million yuan hit a record high. Beyond the price war fought with real money, the war of words has hardly stopped. Such a low-level error by Ctrip is also a rare opportunity for a counterattack.
Setting aside the competitive environment in the industry, the rule-breaking gene that Ctrip itself carries may have long since laid the groundwork for this incident; a seemingly accidental event also reveals something inevitable.

"Ctrip was born from breaking the rules. Ten years ago, from the industry's point of view, buying tickets across regions was against the rules, but Ctrip dared to launch a nationwide online booking platform. That violation was a sign of the immaturity of the business rules. Why reform? It is to get rid of things that are unreasonable and look legitimate but are in fact violations. So Ctrip made that breakthrough ten years ago," CEO Fan said publicly the day before Ctrip's credit card payment vulnerability came to light.

It was this taste of success that made Fan bolder. According to people familiar with the matter, before 2009 Ctrip's servers did not retain users' CVV codes, and users had to enter the CVV code every time they bought a ticket or booked a hotel. In 2009, however, in order to simplify the process and improve the customer experience, Fan decided that Ctrip would retain CVV codes on its servers. It now appears that Fan's decision planted the hidden danger behind today's vulnerability.

Ctrip's latest decision on handling the incident is: "We will, in accordance with the requirements of the regulatory authorities, finish optimizing the user payment process as soon as possible. We will strengthen internal checks for all possible vulnerabilities and have invited well-known domestic network security experts to review Ctrip's systems. At the same time, we have initiated CFCA and PCI certification procedures to better meet regulatory requirements."
The problem is that Ctrip had intended to enter these certification procedures before, but after investigating, company staff found that rectifying Ctrip's own systems would be too difficult: its many lines of business overlap, and adopting the certifications and carrying out the rectification would change the structure of the system. As a result, the CFCA and PCI certification standards were never introduced.

"But PCI is not a legal provision; it is a specification set by the major payment card companies themselves. Passing PCI does not mean a company may store users' sensitive information; it must still comply with domestic regulations," DSS, a Chinese partner at Beijing Aerospace billion, told the Financial Weekly reporter.

Going forward, Ctrip faces not only the technical test of introducing the DSS standard, but also the problem of how to restore trust in the security of its payments and regain consumer confidence.
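
The failure described in this article, a payment interface left in debug mode whose temporary log kept cardholder verification packets on the server, is the kind of residue a periodic server scan can look for. The following Python is an added example, not Ctrip's code or anything from the article; the log format, the field names (`card_no`, `cvv`, `exp`) and the sample lines are constructed assumptions. It flags log lines that hold Luhn-valid card numbers, verification codes or validity periods, and masks them.

```python
import re

# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Fields that must not be stored: verification code and validity period.
FIELD_RE = re.compile(r'(?i)\b(cvv2?|cvc2?|exp(?:iry|_date)?)\b\s*[=:]\s*"?(\d[\d/]{2,6})')


def luhn_ok(digits):
    """Luhn checksum, used to discard order ids and other long numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_line(line):
    """Return the kinds of card data found in one log line, never the values."""
    kinds = ["PAN" for m in PAN_RE.finditer(line) if luhn_ok(re.sub(r"\D", "", m.group()))]
    return kinds + [m.group(1).upper() for m in FIELD_RE.finditer(line)]


def redact(line):
    """Mask card data so a debug line can be written without storing it."""
    def mask_pan(m):
        digits = re.sub(r"\D", "", m.group())
        # Keep the first 6 and last 4 digits only; leave non-card numbers alone.
        return digits[:6] + "*" * (len(digits) - 10) + digits[-4:] if luhn_ok(digits) else m.group()
    line = PAN_RE.sub(mask_pan, line)
    return FIELD_RE.sub(lambda m: m.group(0)[: m.start(2) - m.start(0)] + "***", line)


def scan(lines):
    """Map 1-based line number to the kinds of card data present on that line."""
    found = {}
    for n, line in enumerate(lines, 1):
        kinds = scan_line(line)
        if kinds:
            found[n] = kinds
    return found


# Constructed sample lines (public test card number, hypothetical field names).
SAMPLE_LOG = [
    "2014-03-21 10:02:11 DEBUG verify_card request card_no=4111111111111111 cvv=123 exp=0316",
    "2014-03-21 10:02:12 DEBUG verify_card response code=00 order=2014032100001234",
    "2014-03-21 10:02:15 INFO  payment accepted order=2014032100001234",
]
```

Running `scan` over leftover log files finds what a debug session wrote, while applying `redact` in the logging path keeps the data from reaching disk in the first place.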