Flaws in the mobile websites of major firms operating in the UK including easyJet, Aer Lingus and Chiltern Railways have resulted in sensitive user data being transmitted without encryption, according to mobile security firm Wandera.
It said an investigation, which started roughly two weeks ago, identified 16 companies that have put customer information at risk by exposing credit card details, names, addresses and transaction information.
The flaw, dubbed ‘CardCrypt’, affects mobile websites that serve or submit payment pages over plain HTTP rather than HTTPS, so card data travels in cleartext between the handset and the server. According to Wandera, this leaves data at risk of man-in-the-middle attacks, since anyone on the network path (a shared Wi-Fi hotspot, for example) can read or alter it, and of identity fraud.
“We started investigating our data because we wanted to see if there was any sign of any credit card information,” Eldar Tuvey, chief executive and co-founder at Wandera, told V3.
“We actually found lots of unencrypted credit card information that has been going through our service, which means that a variety of these sites we believe have not coded their mobile websites correctly.
“What we are talking about here is complete credit card information with the three-digit code, and expiry date, and in some cases passport information, car registrations, addresses, phone numbers. But the common factor is complete credit card information.
“It’s an HTTPS problem so the traffic from particular parts of their mobile websites is being unencrypted. Whether it’s bad coding, certificate misconfiguration or lack of testing, I can only hypothesise but we believe it’s probably an oversight on their part due to complexity.”
He added: “It’s mostly mobile sites but it’s some apps too.”
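Wandera's approach, as Tuvey describes it, amounts to watching traffic for complete card data sent without TLS. The Python script below is an added example written for this page, not Wandera's tooling or any of the named companies' code. It flags Luhn-valid card numbers submitted over plain HTTP, and separately checks a checkout page for forms whose action would post to an http:// target, which is one way "particular parts" of an otherwise HTTPS site end up unencrypted. All hostnames (.test domains), the requests and the HTML page are constructed samples; the card numbers are standard test PANs, not real cards.

```python
import re
from dataclasses import dataclass
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample requests (method, url, body) as a proxy or packet capture
# might present them. Hostnames are fictitious .test domains; PANs are test numbers.
SAMPLE_REQUESTS = [
    ("POST", "https://m.shop-a.test/pay",
     "cardNumber=4111111111111111&cvv=123&expiry=12%2F26"),   # encrypted: fine
    ("POST", "http://m.shop-b.test/booking/pay",
     "pan=5555555555554444&cvc=321&name=A+Person"),           # cleartext card: leak
    ("POST", "http://m.shop-c.test/book",
     "phone=07700900123&pickup=Station"),                     # no card data
    ("GET", "http://m.shop-d.test/tickets?card=4111111111111112", ""),  # fails Luhn
]

# Constructed checkout page: one form posts to an http:// legacy host.
SAMPLE_PAGE_URL = "https://m.shop-a.test/checkout"
SAMPLE_PAGE_HTML = """
<form method="post" action="https://m.shop-a.test/pay"><input name="cardNumber"></form>
<form method="post" action="http://legacy.shop-a.test/pay"><input name="cardNumber"></form>
<form method="post" action="/confirm"><input name="ok"></form>
"""


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check, used to separate real-looking PANs from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return Luhn-valid 13-19 digit runs (spaces/dashes allowed) found in text."""
    pans = []
    for m in re.finditer(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)", text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            pans.append(digits)
    return pans


def mask(pan: str) -> str:
    """Keep BIN and last four only, so findings can be logged without storing PANs."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class Finding:
    url: str
    masked_pan: str
    cleartext: bool   # True when the request was not sent over https


def inspect_requests(requests) -> list[Finding]:
    """Scan URL and body of each request for card numbers; note whether TLS was used."""
    findings = []
    for _method, url, body in requests:
        cleartext = urlsplit(url).scheme.lower() != "https"
        for pan in find_pans(url + "\n" + body):
            findings.append(Finding(url=url, masked_pan=mask(pan), cleartext=cleartext))
    return findings


def cleartext_card_leaks(requests) -> list[str]:
    """URLs that received a Luhn-valid card number over plain HTTP."""
    return [f.url for f in inspect_requests(requests) if f.cleartext]


class _FormActionCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            self.actions.append(dict(attrs).get("action") or "")


def insecure_form_actions(page_url: str, html: str) -> list[str]:
    """Absolute form targets on the page that would submit over something other than https."""
    parser = _FormActionCollector()
    parser.feed(html)
    bad = []
    for action in parser.actions:
        target = urljoin(page_url, action)          # empty action posts back to the page
        if urlsplit(target).scheme.lower() != "https":
            bad.append(target)
    return bad


if __name__ == "__main__":
    for f in inspect_requests(SAMPLE_REQUESTS):
        print(("LEAK " if f.cleartext else "ok   ") + f.url + " " + f.masked_pan)
    for target in insecure_form_actions(SAMPLE_PAGE_URL, SAMPLE_PAGE_HTML):
        print("insecure form action: " + target)
```

In practice the same two checks would be pointed at proxy or packet-capture output and at the HTML of each checkout step; anything found should be logged masked, as `mask()` does, since a scanner that writes full PANs to disk creates a second copy of the problem it is looking for.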
EasyJet has denied that its customer data is at risk. A spokesperson told V3: “All passenger data is encrypted using HTTPS and we have retested all our systems overnight which verified that they are fully secure.
“EasyJet takes the security of its passengers’ data extremely seriously using the latest technology alongside regular audits to test our systems to ensure our customers’ data remains protected.
“In addition, no easyJet customers have reported payment security issues based on their use of the easyJet app. Our security experts have contacted Wandera and they are yet to provide further information.
“Additionally, our app supplier MTT has undergone rigorous PCI compliance audits and is fully PCI Certified.”
V3 also contacted Aer Lingus and Chiltern Railways for comment but had received no response at the time of publication.
It appears the problem is not confined to the UK: Wandera also claims to have found suspected flaws in the mobile websites of Air Canada, American Taxi and San Diego Zoo.