Millions Of Travellers Put At Risk By Mobile Ticket Sites

Some of Britain’s biggest travel and leisure firms have been putting their customers’ details at risk due to insecure mobile websites and apps, it has been claimed.

Brands including Aer Lingus and Chiltern Railways are sending unencrypted data when customers access their sites from their smartphones, according to security firm Wandera.

Information such as credit card information, names and addresses, passport details, purchase data and other contact information has all been put at risk by sixteen leading companies, which also range from taxi firms to giftcard and event ticket providers.

Wandera has notified all the companies, which deal with a combined 500,000 customers per day, about the vulnerability, and has already removed easyJet from the affected list after the airline that the issue had been solved.

Affected

The flaw, which Wandera is calling ‘CardCrypt’ affected websites and mobile apps which did not use a secure protocol (HTTPS) to secure and encrypt data connections between the browser or app on the user’s smartphone, and the company’s website, mobile website or backend web services.

This means that the credit card information is instead transmitted ‘in the clear’, or unencrypted, over standard web connections i.e. HTTP. This weakness makes the data freely available to be easily intercepted and used in wide-ranging identity theft and fraud.

The unencrypted data was leaked when customers when users accessed a mobile website and app during the purchase and upgrade processes, for example when booking a ticket or choosing a seat.

For example, complete credit card data and customer billing addresses were sent unencrypted to the Aer Lingus website during the booking process.

“We believe there are two likely reasons why HTTPS has not been used,” comments Eldar Tuvey, CEO Wandera.

“It could be a flaw in the coding, or it could be a case of relying on inadequate third party services or libraries. Either way, it’s astounding to me that these companies have failed to exercise sufficient care in the collection of their customers’ personal data.”

Are you a security pro? Try our quiz!

Mike Moore

Michael Moore joined TechWeek Europe in January 2014 as a trainee before graduating to Reporter later that year. He covers a wide range of topics, including but not limited to mobile devices, wearable tech, the Internet of Things, and financial technology.

Recent Posts

UK’s CMA Readies Cloud Sector “Behavioural” Remedies – Report

Targetting AWS, Microsoft? British competition regulator soon to announce “behavioural” remedies for cloud sector

7 hours ago

Former Policy Boss At X Nick Pickles, Joins Sam Altman Venture

Move to Elon Musk rival. Former senior executive at X joins Sam Altman's venture formerly…

10 hours ago

Bitcoin Rises Above $96,000 Amid Trump Optimism

Bitcoin price rises towards $100,000, amid investor optimism of friendlier US regulatory landscape under Donald…

11 hours ago

FTX Co-Founder Gary Wang Spared Prison

Judge Kaplan praises former FTX CTO Gary Wang for his co-operation against Sam Bankman-Fried during…

12 hours ago