Ctrip security vulnerability: card replacement arranged for 93 users; a shadow over big-data security

Source: Internet
Author: User
Keywords: credit card, Ctrip, information leakage

Ctrip security flaw: users worry that credit card verification codes have leaked; the company says 93 users at potential risk have been notified to replace their cards, and the card security of the remaining users is not affected

On March 22 at 18:18, the vulnerability-reporting platform Wooyun disclosed a security vulnerability in Ctrip's payment logs. Coming in the middle of the fierce contest between traditional finance and internet finance, the incident also put the security of online payment to the test.

Ctrip issued an apology for the distress the issue caused users. In a reply to the Daily Economic News, Ctrip said: "The problem was fixed within two hours of the report's release on the night of March 22. The 93 users at potential risk have been notified to replace their cards; the card security of the remaining Ctrip users is not affected. After the incident, Ctrip contacted the major banks and verified that no user's credit card has been fraudulently charged. Ctrip solemnly promises that if a security loophole causes user losses in the future, Ctrip will compensate them in full."

However, the impact of the incident did not subside. A bank customer-service representative indicated that Ctrip's reassuring announcement may have had little effect: an ICBC customer-service staff member told reporters yesterday (March 23) that many people were calling to replace their cards, "I alone have taken around 10."


Violation of the "do not record CVV" rule?

According to the Wooyun report, the leaked information included the cardholder's name, ID number, bank card type, bank card number, the card's CVV code (the 3- or 4-digit value derived from the card number, expiry date and service code) and the card's 6-digit BIN (the first six digits of the card number, which identify the issuer). In other words, a hacker holding this set of information could make fraudulent charges against the user's card. On the night of the incident, Ctrip confirmed the existence of this "security loophole".

In response to the Wooyun disclosure, the question turned to whether "Ctrip violated the existing ban on recording CVV". As the reporter understands it, the CVV is the three-digit verification code on the back of a credit card; in card-not-present payments, providing the card number and this three-digit code is enough to complete a payment.

"Ctrip bears responsibility in this incident: credit card CVV codes should not be saved on the local platform. During payment, Ctrip needs to record user information and forward it to the bank's interface, but writing it to a log breaches payment security," Zheng, a veteran of the tourism industry, told reporters. He believes the incident has damaged Ctrip's brand and reputation, especially among the business customers who have long relied on its services.

As a breach of sensitive personal data, the incident was widely forwarded and discussed on social platforms such as Weibo and WeChat. In particular, with recent rumours that the state will restrict the development of internet finance, the incident is not good news for Alipay either.

Powerhouse Consulting CEO Wei Changren also analysed that "this incident will certainly affect consumers' confidence in Ctrip, because now basically all air tickets, some hotels, travel resorts and other kinds of products have to be paid for online. This event will certainly push Ctrip to pay more attention to user information security."

OTA payment security called into question

"The online travel industry was the earliest to achieve credit card authorisation in the air-ticket and hotel areas. Before Alipay and WeChat payment became popular, the online travel industry represented by Ctrip and eLong was already handling online payment very well through credit cards. Many high-end business travellers use their services precisely because of the convenient credit card payment on Ctrip and eLong. The incident will have a greater impact on this part of the business-traveller community," Zheng points out.

"In fact, information security is very important to OTAs. From what I have observed, whether it is Ctrip, Qunar or eLong, they are all doing very well in data confidentiality," said a senior partner in the online travel industry.

"Ctrip's exposure of a user privacy leak also serves as a warning to other e-commerce platforms. OTAs should quickly examine themselves to prevent similar incidents from happening again and affecting consumer rights," Wei Changren said.

Reporters learned that in recent years, with the growth of mobile networks, internet wealth-management products, tablets, smartphones and other handheld devices, the newly popular mobile payment has become a target coveted by phishing software, hackers and others. The latest CNNIC data show that in 2013 internet users who encountered security problems online accounted for 4% of all users, 20.106 million people; among them, 42.9% had personal information leaked and 23.8% had account passwords stolen.

New tricks are endless and Trojans come in every guise; everyone is questioning the security of online payment. "Innovation always comes with risk. The relevant institutions should improve their own security technology and, at the same time, do more to publicise and popularise user security awareness. I hope that more internationally known information-security certification bodies will work together to protect users' personal information, in a process like the supervision and inspection of food safety," said Chang, chief knowledge-management expert at Ramada Hotel Consultancy Ltd.


Card replacement arranged for 93 users

On March 23, regarding the leak of users' credit card information caused by the platform vulnerability, Ctrip issued an announcement saying that the vulnerability had been repaired, that only 93 Ctrip users were at risk, and that card replacement had been arranged for them.

But according to bank customer-service staff, Ctrip's announcement may have had little effect. An ICBC customer-service staff member told the Daily Economic News reporter that many people called yesterday to replace their cards, "I have taken about 10." As for cost, the staff member said card replacement carries a 20 yuan fee and can be handled immediately.

China Merchants Bank customer-service staff told reporters, "There is no need to replace the card," and repeatedly stressed that the bank had already checked the risk: "If you do replace it, it costs 60 yuan."

Cui, a manager in one bank's credit card department, told reporters that it is in fact difficult for banks to completely eliminate the disclosure of credit card information: "We have a department dedicated to monitoring, but there is no way to eliminate it completely, because the banks themselves need this information to complete online transactions, and the possibility of hackers intercepting it cannot be ruled out."

"From what has been disclosed so far, there may be some flaws at Ctrip," said Wang, a senior risk expert at UnionPay. "We have been actively pushing the relevant institutions to strictly implement the relevant requirements: merchants and acquirers may not retain cardholders' sensitive information, and they must take a variety of measures to strengthen information-security management in the transaction chain."


A shadow over big-data security

Although other sites have not yet exposed the same risk as Ctrip, the security of information on the internet in the big-data era has been put to the test.

Previously, a number of sites including Dangdang, Amazon, Jingdong Mall and 7 Days Inn had also been reported to have leaked users' personal information, but because it involves credit card information as well as personal information, Ctrip's flaw is clearly more serious.

Security experts have pointed out that a hacker can use the user's mobile number, bank card number and CVV to register a third-party payment account, bypassing the phone the user bound with the bank, and make fraudulent charges: "This data may be used to create or link third-party payment accounts. There are hundreds of domestic third-party payment companies, so there are many places it could be used. Victims could be robbed at any time."

In this regard, Ctrip staff explained that this was a short-lived loophole that arose while Ctrip's travel site was debugging its systems: "Apart from a small number of test downloads discovered when the vulnerability was found, which have been deleted, the data was not maliciously downloaded. Users' transactions on Ctrip remain safe and user information is not affected."

MediaV CTO Junin, a former Google technical director, analysed that Ctrip probably did not intentionally store CVV information, but its data was transmitted in plain text, a debugging function had been left enabled in production for a long time, so the system logs were in plain text too, the logs were not cleaned up in time, and the server storing them also had a security vulnerability. One wrong step led to the next. "The leak of users' credit card information cannot be dismissed as a simple low-level technical error. Encrypting sensitive data at rest, being cautious with debugging functions in production, cleaning up system logs in time and keeping servers up to security standards: these are common sense," Junin said.
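The failure chain described above (a debug dump of the request forwarded to the bank landing in a plain-text log) is shown below as an added example in Python. It is not Ctrip's code; the field names, payload shape and log lines are constructed for illustration, and the card numbers are the standard test PANs. The block puts the raw debug dump beside a redacting logger that drops the CVV entirely and masks the card number to BIN plus last four, the most a merchant may keep in clear text, and adds a scanner that finds Luhn-valid card numbers and CVV-labelled values in logs that have already been written, which is the check a team would run before "cleaning up" logs rather than assuming nothing sensitive is in them.

```python
# Added example (not Ctrip's code): keeping card data out of debug logs and
# finding card data that has already reached them. Field names, payload shape
# and log lines are assumptions constructed for this example.
import json
import re

# Sensitive authentication data a merchant may never store after authorisation
# (CVV/CVC/PIN/track data). These are dropped entirely, never masked.
NEVER_LOG = {"cvv", "cvv2", "cvc", "cvc2", "pin", "track2"}
# Fields that may appear in a log only in masked form.
MASK_FIELDS = {"card_number", "pan", "id_number"}

# A run of 13 to 19 digits not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")
# A CVV-style label followed by 3 or 4 digits, e.g. cvv=123 or "cvv": "123".
CVV_RE = re.compile(r"\b(cvv2?|cvc2?)\b\W{0,4}(\d{3,4})\b", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn check; separates card numbers from order ids and IDs of similar length."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the 6-digit BIN and the last 4 digits, mask everything in between."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def mask_tail(value: str, keep: int = 4) -> str:
    """Keep only the last `keep` characters of an identifier such as an ID number."""
    return "*" * max(len(value) - keep, 0) + value[-keep:]


def debug_log_unsafe(payload: dict) -> str:
    """The failure mode: the raw forwarding payload, CVV included, serialised for a debug log."""
    return json.dumps(payload, sort_keys=True)


def redact_payment(payload: dict) -> dict:
    """Return a copy of the payload safe to write to any log."""
    out = {}
    for key, value in payload.items():
        k = key.lower()
        if k in NEVER_LOG:
            out[key] = "<removed>"
        elif k in MASK_FIELDS and isinstance(value, str):
            out[key] = mask_tail(value) if k == "id_number" else mask_pan(value)
        else:
            out[key] = value
    return out


def debug_log_safe(payload: dict) -> str:
    """Same debug line, but redacted before serialisation so the CVV never exists in a log."""
    return json.dumps(redact_payment(payload), sort_keys=True)


def scan_log(lines):
    """Return (line_no, finding) for each Luhn-valid PAN or CVV-labelled value in existing log lines."""
    findings = []
    for n, line in enumerate(lines, 1):
        for m in PAN_RE.finditer(line):
            if luhn_ok(m.group(1)):
                findings.append((n, "pan:" + mask_pan(m.group(1))))
        if CVV_RE.search(line):
            findings.append((n, "cvv"))
    return findings


# Constructed sample: a forwarding request as it might reach a debug logger (test PAN, fake data).
SAMPLE_PAYLOAD = {
    "holder_name": "ZHANG SAN",
    "id_number": "110101199001011234",
    "card_number": "4111111111111111",
    "expiry": "1216",
    "cvv": "123",
    "amount": "1280.00",
    "order_id": "1234567890123456",
}

# Constructed sample log: a raw dump (the leak), an order id that looks like a PAN
# but fails Luhn (no false positive), and a redacted line (nothing to find).
SAMPLE_LOG = [
    "DEBUG forward_to_bank payload=" + debug_log_unsafe(SAMPLE_PAYLOAD),
    "INFO order 1234567890123456 confirmed",
    "DEBUG forward_to_bank payload=" + debug_log_safe(SAMPLE_PAYLOAD),
]

if __name__ == "__main__":
    print(debug_log_safe(SAMPLE_PAYLOAD))
    for line_no, finding in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {finding}")
```

The redaction runs before serialisation rather than as a post-filter on the log line, because a regex over the finished line cannot reliably tell a CVV from any other three digits; the scanner is only a way to find what has already leaked. Running the block reports a PAN and a CVV on the first line only.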

It is reported that Ctrip has set up a security emergency response centre and an information-security incentive fund to reward those who find information-security vulnerabilities for Ctrip. Even so, the incident casts a shadow over the currently red-hot fields of internet payment and big-data security.
