Tencent Technology, report by Fan Xiaodong, March 24
Ctrip's credit-card information leak over the weekend should be a wake-up call for every company rushing into the mobile market.
On March 22, the vulnerability-reporting platform Cloud Network disclosed two Ctrip security vulnerabilities in succession. The finding was that Ctrip had left a debugging function enabled on its user payment service interface, so that Ctrip's secure-payment log could be read by anyone; the log could leak the cardholder's name, ID card number, bank card type, bank card number, CVV code and other information.
Ctrip's earlier official explanation was that the breach arose because a developer had left a temporary log in place to troubleshoot the system and, through negligence, had not deleted it in time.
According to people familiar with the matter, Ctrip's vulnerability may not have been a flaw in a web page at all: while debugging the mobile-phone app, the wireless department saved the log and opened its directory in web.config. Once directory traversal is possible, an attacker can reach beyond the server's web root into other parts of the file system, read restricted files or resources, or take more dangerous actions.
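The failure described above, a debugging function left on so that payment requests were written to a log that could then be read, is the kind a log-sanitising layer closes off regardless of where the log file ends up. The following is an added example, not Ctrip's code and not taken from the report: a Python logging filter that masks Luhn-valid card numbers down to first six/last four digits and strips CVV/CVC values before any record reaches a handler, plus a scanner that flags lines in an existing log that still carry card data. The sample log lines and test card numbers are constructed, and the field names pan, cvv and cvc are assumptions about how such a log might be formatted.

```python
import logging
import re

# Candidate PANs: 13-19 digits, optionally separated by spaces or dashes,
# not embedded in a longer digit run. The Luhn check below weeds out most
# timestamps, order ids and other long numbers that are not card numbers.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Security-code fields as they might appear in key=value or JSON logs
# (the field names are assumptions, not taken from any real system).
CVV_RE = re.compile(r'(?i)\b(cvv2?|cvc2?)\b(\s*[=:]\s*"?)\d{3,4}')
CVV_KEYS = {"cvv", "cvv2", "cvc", "cvc2"}


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits, the most PCI DSS permits to display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_text(text: str) -> str:
    """Mask Luhn-valid card numbers and blank out security-code values in free text."""
    def _mask(m):
        digits = re.sub(r"\D", "", m.group(0))
        return mask_pan(digits) if luhn_ok(digits) else m.group(0)
    text = CVV_RE.sub(r"\1\2[removed]", text)
    return PAN_RE.sub(_mask, text)


def redact_record(record: dict) -> dict:
    """Drop security-code fields outright and redact everything else, recursively."""
    clean = {}
    for key, value in record.items():
        if key.lower() in CVV_KEYS:
            continue  # never retained after authorisation, so never logged at all
        if isinstance(value, dict):
            clean[key] = redact_record(value)
        elif isinstance(value, str):
            clean[key] = redact_text(value)
        else:
            clean[key] = value
    return clean


class CardDataFilter(logging.Filter):
    """Attach to a logger so card data never reaches a handler, DEBUG level included."""
    def filter(self, record):
        record.msg = redact_text(record.getMessage())
        record.args = None  # message is already formatted; stop later re-formatting
        return True


def filtered_message(fmt: str, *args) -> str:
    """Run one log call through CardDataFilter and return what a handler would see."""
    rec = logging.LogRecord("pay", logging.DEBUG, "", 0, fmt, args, None)
    CardDataFilter().filter(rec)
    return rec.getMessage()


def scan_log_lines(lines):
    """Return (line_number, kind) for every line holding a Luhn-valid PAN or a CVV."""
    findings = []
    for n, line in enumerate(lines, start=1):
        for m in PAN_RE.finditer(line):
            if luhn_ok(re.sub(r"\D", "", m.group(0))):
                findings.append((n, "pan"))
                break
        if CVV_RE.search(line):
            findings.append((n, "cvv"))
    return findings


# Constructed sample log lines; the card numbers are test numbers, not real accounts.
SAMPLE_LOG = [
    "2014-03-22 10:01:02 DEBUG pay request name=ZHANG SAN pan=4111 1111 1111 1111 exp=12/16 cvv=123",
    "2014-03-22 10:01:03 DEBUG pay response status=OK order=1395475263",
    "2014-03-22 10:01:05 DEBUG pay request name=LI SI pan=4111111111111112 cvv=999",
]

if __name__ == "__main__":
    for n, kind in scan_log_lines(SAMPLE_LOG):
        print(f"line {n}: unredacted {kind}")
    logging.basicConfig(level=logging.DEBUG)
    log = logging.getLogger("pay")
    log.addFilter(CardDataFilter())
    log.debug("pay request pan=%s cvv=%s", "4111111111111111", "123")
```

The scanner is the check to run over logs already written: line 3 of the constructed sample carries a number that fails the Luhn check, so only its CVV is reported, while line 1 is reported for both. The filter is the mitigation for new logs; because it is attached to the logger rather than to one handler, turning on DEBUG output for troubleshooting no longer changes what can leak.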
Tencent Technology sought comment from Ctrip yesterday but had received no reply at press time. Cloud Network co-founder Siegmund told Tencent Technology that although Ctrip has officially replied that the flaw is fixed, its details remain under the platform's confidentiality period (45 days); the specific situation at the time will not be visible until the details are disclosed.
Industry analysts believe Ctrip's user-information leak may be a disguised consequence of pushing wireless R&D too fast. After taking over last year, Ctrip CEO Liang Jianzhang's first priority was a "thumb + cement" strategy that shifts more resources to the mobile Internet, with all of the latest tourism products going to the mobile side first. Liang Jianzhang has said the wireless client, representing the mobile Internet, will be a key breakthrough point for Ctrip; inside Ctrip the wireless business is called the "second startup".
In the mobile Internet era, enterprises pursue speed and efficiency more than they did in the PC era, and security issues that do not bear directly on business interests are overlooked. Siegmund also told Tencent Technology that, judging by cases previously reported on Cloud Network, emerging mobile product development does need to pay special attention to privacy and security.
CVV code dispute pending: does Ctrip comply with international security standards?
The focus of the Ctrip loophole is whether Ctrip kept users' credit-card CVV/CVC codes. The CVV security code is the last three digits of the 7-digit italic number printed after the signature strip on the back of a credit card; it is the security feature for online and telephone transactions and is highly confidential user information.
Auto founder Li said: "A trading site holding the CVV is like an hourly domestic worker secretly keeping your house key while also knowing everything about your family. Storing the user's credit-card CVV, and then leaking it: the former is a basic ethical issue for the company, the latter a security issue."
In the offline transaction mode, a transaction can be completed with just the card number, the expiry date and the 3-digit CVV security code on the back of the card; the entire process requires no password authentication.
An anonymous security expert told Tencent Technology that, according to the information Cloud Network provided, Ctrip violated the existing prohibition on recording the CVC, and the incident's risk has not been fundamentally resolved. For now, users can only check their credit-card statements to see whether their cards have been used fraudulently.
PCI SSC, which administers the highest-level international security standard for the payment-card industry, also explicitly prohibits members from storing the CVV code, on pain of heavy penalties.
On this CVV leak, Ctrip's official explanation still leaves two doubtful points.
First, why does Ctrip retain users' CVV information, and is that a violation? Ctrip says that with the user's authorisation it saves the CVV, and that CVV information for payments not yet successfully charged is held for at most 7 days, to reduce user fees and make payment more convenient; this, it says, conforms to the DSS rules, and Ctrip keeps credit-card information encrypted in accordance with international credit-card payment security standards.
Notably, though, Ctrip is still in the application process and has not passed PCI certification, so there is no third-party channel through which to confirm how strictly Ctrip implements the PCI rules internally. On the 7-day term, one payment-industry source said that PCI does not allow CVV retention under any circumstances; this is an iron rule, and any violation found is punished.
Mediav CTO Junin believes Ctrip may not have stored CVV information deliberately, but it transmitted the data in cleartext and left the debugging function on for a long time after going live, so the system log was also in cleartext and was not cleaned up in time; the server holding it also had security vulnerabilities, so one mistake compounded another.
Second, how many users does this vulnerability affect?
Ctrip says the main impact falls on customers with major transactions on March 21 and March 22; 93 potentially affected users have been notified to replace their cards, and the card security of the remaining Ctrip users is unaffected.
Cloud Network co-founder Siegmund told Tencent Technology that Cloud Network does not know how long the flaw existed, or whether it was attacked during that period and caused losses to users.
Nonetheless, worried about the potential risk, many users on social platforms such as microblogs and WeChat Moments have said they are applying to their banks to replace their credit cards.
Easy Search Technology Co., Ltd. CEO Maojing disclosed on Weibo that as early as February 25 several credit cards he had bound to Ctrip had been fraudulently charged more than 10 in foreign currency, and he suspected the Ctrip loophole was the cause.
Maojing told Tencent Technology that last month two dual-currency credit cards bound to Ctrip were used fraudulently (about 10,000 yuan in total), but Ctrip officially says only last weekend's incident produced victims; he still believes he was a victim of the loophole but has no way to prove it.
"Card fraud has always existed, and there are many leaks, so even future cases of Ctrip users' credit cards being used fraudulently will be hard to attribute to this vulnerability," Siegmund said.
Tencent Technology called the credit-card centres of the major banks; none had received official notice of the specifics or of response measures. Staff at the credit-card centres of China Merchants Bank and Minsheng Bank told Tencent Technology that they do not yet know the specifics of the Ctrip credit-card information incident, but if a customer's private information is leaked they will freeze the old card and issue a new one.
Some in the industry also noted that, to make its service convenient enough to "go whenever you say", Ctrip lets users give key information, the credit card's expiry date and CVV2 code, to customer service over the phone, which also carries a small risk. This is of course not limited to Ctrip; many convenient payment methods carry similar risks.
A UnionPay technology director told Tencent Technology that there are two main types of payment, ordering business and ordinary Internet personal business, and the ordering type carries the higher risk.
In Internet consumption, different businesses place different restrictions on consumer behaviour. Ordinary Internet payment requires various forms of user authentication: for example, an authentication code is sent by SMS and the user must type it into the page to complete the payment, or the payment is completed with a dynamic password generated for the web.
The requirements for order-type businesses such as Ctrip are looser because the eventual beneficiary can be traced. For example, when a user buys a plane ticket or train ticket or books a hotel, an identity card is still required as auxiliary verification at the time of use, so the payment step needs only information such as the credit card's CVC code to complete the transaction.
Security problems remain a common danger across the industry
In recent years, user-information leaks of every kind have kept surfacing.
The 2012 CSDN leak prompted wide reflection, namely that websites should not store user passwords in cleartext; the Beijing authorities even issued specific rectification requirements to CSDN's operating company and imposed an administrative warning penalty.
Last October, Cloud Network reported that the customer records of many hotel chains, such as Home Inns and Hanting, had been leaked through third-party storage and system vulnerabilities. In the report, Cloud Network showed the process of downloading hotel customer information online; the successfully downloaded records fully recorded guests' ID-card numbers, check-in times, room numbers and other private information.
With the rise of the mobile Internet, users' identity, bank-account and other data are bound ever more tightly to Internet applications, and the risks and threats of leakage grow. To improve convenience of operation and consumption, or to speed up product development, enterprises often neglect security.
A person in charge at an Internet company told Tencent Technology that whether it is an app, WAP or the web, these are only front-end product forms; there must be only one data source behind them. The normal path for putting a new product online is "development machine, intranet test machine, release by the release manager to the extranet", with QA testing at each link. But where control is lax or speed is the priority, programmers will go directly to the extranet to modify the product. This is very dangerous: it skips the control process and skips the release manager (who is not the same group of people as product development), losing the control points and security checks of every link.
"At present the risk of mobile payment lies mainly in phone viruses listening to input data or in mobile signals being hijacked, and that risk is relatively easy to control. The biggest and hardest-to-control risk is on the enterprise side: whether Internet-level data security can keep up with financial-level data security," an enterprise technology executive believes.