Millions Of Travellers Put At Risk By Mobile Ticket Sites

Some of Britain’s biggest travel and leisure firms have been putting their customers’ details at risk due to insecure mobile websites and apps, it has been claimed.

Brands including Aer Lingus and Chiltern Railways are sending unencrypted data when customers access their sites from their smartphones, according to security firm Wandera.

Information such as credit card information, names and addresses, passport details, purchase data and other contact information has all been put at risk by sixteen leading companies, which also range from taxi firms to giftcard and event ticket providers.

Wandera has notified all the companies, which deal with a combined 500,000 customers per day, about the vulnerability, and has already removed easyJet from the affected list after the airline that the issue had been solved.

Affected

The flaw, which Wandera is calling ‘CardCrypt’ affected websites and mobile apps which did not use a secure protocol (HTTPS) to secure and encrypt data connections between the browser or app on the user’s smartphone, and the company’s website, mobile website or backend web services.

This means that the credit card information is instead transmitted ‘in the clear’, or unencrypted, over standard web connections i.e. HTTP. This weakness makes the data freely available to be easily intercepted and used in wide-ranging identity theft and fraud.

The unencrypted data was leaked when customers when users accessed a mobile website and app during the purchase and upgrade processes, for example when booking a ticket or choosing a seat.

For example, complete credit card data and customer billing addresses were sent unencrypted to the Aer Lingus website during the booking process.

“We believe there are two likely reasons why HTTPS has not been used,” comments Eldar Tuvey, CEO Wandera.

“It could be a flaw in the coding, or it could be a case of relying on inadequate third party services or libraries. Either way, it’s astounding to me that these companies have failed to exercise sufficient care in the collection of their customers’ personal data.”

Are you a security pro? Try our quiz!

Mike Moore

Michael Moore joined TechWeek Europe in January 2014 as a trainee before graduating to Reporter later that year. He covers a wide range of topics, including but not limited to mobile devices, wearable tech, the Internet of Things, and financial technology.

Recent Posts

Is the Digital Transformation of Businesses Complete?

Digital transformation is an ongoing journey, requiring continuous adaptation, strong leadership, and skilled talent to…

7 hours ago

Craig Wright Faces Contempt Claim Over Bitcoin Lawsuit

Australian computer scientist faces contempt-of-court claim after suing Jack Dorsey's Block and Bitcoin Core developers…

8 hours ago

OpenAI Adds ChatGPT Search Features

OpenAI's ChatGPT gets search features, putting it in direct competition with Microsoft and Google, amidst…

8 hours ago

Google Maps Steers Into Local Information With AI Chat

New Google Maps allows users to ask for detailed information on local spots, adds AI-summarised…

9 hours ago

Huawei Sees Sales Surge, But Profits Fall

US-sanctioned Huawei sees sales surge in first three quarters of 2024 on domestic smartphone popularity,…

9 hours ago

Apple Posts China Sales Decline, Ramping Pressure On AI Strategy

Apple posts slight decline in China sales for fourth quarter, as Tim Cook negotiates to…

10 hours ago