The internet has brought people into the age of big data, and big data is being called the "gold mine" of the information future. The value of this data is increasingly recognised, and countless pairs of eyes are fixed on this intangible asset.
"With Ctrip in hand, you can leave whenever you like." Behind this relaxed-sounding slogan lies the risk of credit card data leakage. On the evening of March 22 the well-known ticketing service Ctrip, listed on Nasdaq in the United States, ran into "dark clouds": according to the domestic vulnerability reporting platform WooYun (whose name means "dark cloud"), a vulnerability in Ctrip's payment logs allowed users' bank card information to be read at will by hackers.
A survey report by the China Internet Network Information Center shows that China's online shopping users reached 302 million in 2013, and the number of people shopping online is still growing explosively. Every day we deal with all sorts of websites, and the Ctrip incident has once again touched a sensitive public nerve:
How much information have you left on how many websites? Will these sites abuse or inadvertently disclose it? This time Ctrip may merely have opened a "Pandora's box" of possible leaks by accident, but if some sites deliberately leak or even steal this information, would that not be easy? And once the information has leaked, what losses will it bring us? A series of questions await answers.
On the 22nd, the WooYun vulnerability platform published a report that a vulnerability in Ctrip's payment logs could lead to the leakage of large numbers of users' bank card details. Ctrip later confirmed the vulnerability, stating at the same time that 93 users were at risk. Although Ctrip says the bug has been fixed, the incident has prompted much questioning, and some experts said that Ctrip's practice of saving customers' bank card information violates UnionPay rules.
Ctrip's storage of users' bank card information allegedly violates UnionPay regulations
It is understood that the Ctrip vulnerability could leak the cardholder's name, ID card number, bank card number, CVV code and six-digit card BIN. The CVV (Card Verification Value) is a three- or four-digit code generated from the card number, expiry date and service code. The CVV1 is encoded in the issuer discretionary data of track 2 of the magnetic stripe, while the CVV2 used for online payment is printed on the card itself. So-called "password-free" payment, also known as a card-not-present or "offline" transaction, can be completed with nothing more than the card number, expiry date, CVV code and similar details. Experts warn that the CVV security code is effectively the credit card's "second password" and must be kept safe.
Regarding the Ctrip vulnerability, Junin, whose Sina Weibo verification reads "MediaV CTO, former Google technical director", said that the leak of users' credit card information cannot be explained away as a simple low-level technical error: "Sensitive information should be stored encrypted, online debugging functions need to be used with caution, system logs should be cleaned up in time, and server security should meet the standards. This is all common sense."
Tiejun, a security expert at Kingsoft Antivirus, told Beijing IT Channel in an interview that, from the information Ctrip and WooYun have published so far, the process by which Ctrip users' privacy was disclosed is not entirely certain, but the resulting security risk to users is very large. "In addition to the possibility of fraudulent charges, someone who knows the user's information can also open a third-party payment account and bind the credit card to it to shop overseas." "It is understood that credit cards have an offline payment function; this payment method needs only the user's basic information and the CVV code to complete a payment."
According to several media reports, the flaw is that Ctrip recorded users' CVV codes. Lawyer Sun Jianzhong of a Shanghai law firm said that Ctrip's practice of retaining customer information violates UnionPay rules and that, under the Consumer Rights and Interests Protection Law, its technical measures failed to fulfil its obligation to protect consumers. Hu Shuli, editor-in-chief of Caixin Media, also pointed out that Ctrip is not a third-party payment institution and has no right to retain bank card information.
Moreover, the PCI DSS (Payment Card Industry Data Security Standard) prohibits storing the CVV after a transaction has been authorized, yet Ctrip's payment page is said to have passed PCI certification, which is equally puzzling.
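The practice the experts above describe, masking the card number and never writing the CVV to a log, together with a scan for log lines that already contain them, as an added Python example (not Ctrip's code; the field names, the sample request, the log line and the use of the Visa test number 4111111111111111 are all constructed for this example):

```python
# Added example, not Ctrip's code: what a payment log line should and should
# not contain. Field names, the sample request and the log line below are
# constructed for this example.
import json
import re

# PCI DSS "sensitive authentication data": must never be stored after
# authorization, so these fields are dropped from the log record entirely.
SENSITIVE_AUTH_DATA = {"cvv", "cvv2", "cvc", "cvc2", "track2", "pin"}
# Cardholder data that may be logged only in masked form.
PAN_FIELDS = {"card_number", "pan"}
PII_FIELDS = {"cardholder_name", "id_number"}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by card numbers; filters out timestamps and other long numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first six digits (the BIN) and the last four, as PCI DSS permits."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13:
        return "*" * len(digits)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_for_log(request: dict) -> dict:
    """Turn a raw payment request into a record that is safe to write to a log."""
    safe = {}
    for key, value in request.items():
        k = key.lower()
        if k in SENSITIVE_AUTH_DATA:
            continue                      # never logged, not even masked
        if k in PAN_FIELDS:
            safe[key] = mask_pan(str(value))
        elif k in PII_FIELDS:
            safe[key] = "<redacted>"
        else:
            safe[key] = value             # amount, order id, expiry date, etc.
    return safe


def log_line(request: dict) -> str:
    """The line a payment handler would write; only the redacted record goes in."""
    return "INFO pay-request " + json.dumps(redact_for_log(request), ensure_ascii=False)


# Detection side: scan existing log lines for full card numbers (with or
# without space/dash separators) and CVV values, the two items whose presence
# in payment logs caused the incident described above.
PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
CVV_RE = re.compile(r'"?\b(cvv2?|cvc2?)\b"?\s*[:=]\s*"?(\d{3,4})(?!\d)', re.I)


def find_leaks(line: str) -> list:
    """Return (kind, value) pairs for card data that should not be in a log line."""
    hits = []
    for m in PAN_RE.finditer(line):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):               # Luhn filter keeps false positives down
            hits.append(("PAN", digits))
    hits += [("CVV", m.group(2)) for m in CVV_RE.finditer(line)]
    return hits


# Constructed sample: a debug line of the kind a payment handler must never write.
# 4111111111111111 is a widely used Visa test number, not a real account.
RAW_REQUEST = {
    "order_id": "C20140322-0001",
    "cardholder_name": "Zhang San",
    "id_number": "110101199001011234",
    "card_number": "4111 1111 1111 1111",
    "expiry": "12/16",
    "cvv": "123",
    "amount": 560.00,
}
LEAKY_LINE = "DEBUG pay-request " + json.dumps(RAW_REQUEST, ensure_ascii=False)

if __name__ == "__main__":
    print(find_leaks(LEAKY_LINE))             # full PAN and CVV found
    print(log_line(RAW_REQUEST))              # BIN + last four only, no CVV
    print(find_leaks(log_line(RAW_REQUEST)))  # nothing left to find
```

Running `find_leaks` over an existing log directory is the quick check for whether a payment system has the same problem; the expiry date and order id are left in the redacted line because PCI DSS treats them as ordinary cardholder data, whereas the CVV is dropped rather than masked because it may not be retained in any form.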
Security expert: users whose CVV codes were logged must replace their cards
Ctrip said in its statement: "As of 22:00 on the 23rd, customers who have not received a card notification from Ctrip have safe personal information and need not worry." Ctrip said that 93 accounts currently face security risks, and promised that if users suffer losses in future because of the security vulnerability, Ctrip will assume full responsibility and compensate them.
But the statement did little to reassure users; many Ctrip users said on Weibo that they "must change the card". As the domestic online travel provider with the largest market share, Ctrip handles on the order of 100,000 hotel and ticket bookings a day. Many netizens asked how, at an enterprise of that scale, only 93 customers could be at risk, even if, as Ctrip says, only some of the transactions on the 21st and 22nd were affected.
How to attribute a fraudulent credit card charge to the Ctrip vulnerability is another problem. Netizen @Ballet 3D said that Ctrip's so-called compensation promise is not credible, because a user cannot prove that the leak came from Ctrip. Other netizens pointed out that even if a card has not yet been charged fraudulently, hackers may sit on the leaked information for some time before using it, and the cause of a later fraudulent charge is hard to establish. "If a credit card is charged fraudulently this way, it is also hard to defend one's rights, because the bank will assume that I, the cardholder, carried out these transactions," Tiejun said.
Some industry insiders pointed out that, for now, the safest course is to replace the card. But which users need to? "From the information Ctrip and WooYun have disclosed so far it is not certain whether all Ctrip users' information has been leaked, but any user whose CVV was logged must replace the credit card," Tiejun said.
Ctrip's security hazard may not be fully resolved
According to feedback from the banks, no Ctrip user has suffered fraudulent card charges. But things do not appear to be so simple.
According to several media reports, when users previously raised questions about payment security, Ctrip replied that its credit card payment method is in line with international practice and that the company has sufficient risk-control capacity. Maojing, whose Weibo real-name verification lists him as CEO of Guangxi Yi-Search Technology Co., Ltd., wrote on Weibo: "As early as February 25 I called Ctrip about more than ten fraudulent charges in foreign currency on several credit cards bound to my Ctrip account; at the time they replied that the system was safe and normal."
"But judging from the current situation, Ctrip's payment system does have a great deal of uncertainty and a high degree of risk," the Yangcheng Evening News quoted a security source as saying. "Apart from hackers stealing information, the company's internal management of user information is also worrying."
Many Ctrip users who saw the news applied to their banks to cancel their credit cards overnight. But in the view of Qihoo 360 privacy officer Tan Xiaosheng, the known information is still not enough to determine accurately whether a large-scale leak has occurred; only the parties themselves know the real situation.