Millions Of Travellers Put At Risk By Mobile Ticket Sites

Aer Lingus and Chiltern Railways among firms that put customer details due to unsecure mobile platforms, Wandera study reveals

Some of Britain’s biggest travel and leisure firms have been putting their customers’ details at risk due to insecure mobile websites and apps, it has been claimed.

Brands including Aer Lingus and Chiltern Railways are sending unencrypted data when customers access their sites from their smartphones, according to security firm Wandera.

Information such as credit card information, names and addresses, passport details, purchase data and other contact information has all been put at risk by sixteen leading companies, which also range from taxi firms to giftcard and event ticket providers.

Wandera has notified all the companies, which deal with a combined 500,000 customers per day, about the vulnerability, and has already removed easyJet from the affected list after the airline that the issue had been solved.


Mobile securityThe flaw, which Wandera is calling ‘CardCrypt’ affected websites and mobile apps which did not use a secure protocol (HTTPS) to secure and encrypt data connections between the browser or app on the user’s smartphone, and the company’s website, mobile website or backend web services.

This means that the credit card information is instead transmitted ‘in the clear’, or unencrypted, over standard web connections i.e. HTTP. This weakness makes the data freely available to be easily intercepted and used in wide-ranging identity theft and fraud.

The unencrypted data was leaked when customers when users accessed a mobile website and app during the purchase and upgrade processes, for example when booking a ticket or choosing a seat.

For example, complete credit card data and customer billing addresses were sent unencrypted to the Aer Lingus website during the booking process.

“We believe there are two likely reasons why HTTPS has not been used,” comments Eldar Tuvey, CEO Wandera.

“It could be a flaw in the coding, or it could be a case of relying on inadequate third party services or libraries. Either way, it’s astounding to me that these companies have failed to exercise sufficient care in the collection of their customers’ personal data.”

Are you a security pro? Try our quiz!