16 companies in total disclose credit card information

Dec 9, 2015 16:31 GMT  ·  By
4 major airlines disclose client information via their mobile apps and websites

A study of the state of mobile apps and mobile websites found that 16 major companies around the world, including four major airlines, exposed customer data while clients were completing commercial transactions.

At the core of the issue is the absence of HTTPS encryption on the mobile version of a company's website and in its mobile applications: payment details were sent over plain HTTP, where anyone on the network path (an open Wi-Fi hotspot, for instance) can read them. HTTPS is routinely applied to e-commerce on regular websites but is often neglected for mobile apps and mobile sites, where the user sees no browser padlock and has no way to tell that an app's traffic is unencrypted.

Wandera, the company behind the report (titled CardCrypt), says that during its tests it had no difficulty obtaining personally identifiable information (PII), and even full credit card numbers, from commercial transactions initiated via both the mobile websites and the mobile apps.
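The kind of passive check Wandera describes can be reproduced against a traffic capture. The following is an added example, not code from the report or from Wandera: it scans captured requests, skips anything that went over HTTPS, and flags cleartext requests whose query string or body carries a Luhn-valid card number. The requests, hostnames and card numbers below are constructed (the PANs are public test numbers), and the finding format is my own.

```python
"""Flag payment card numbers travelling over cleartext HTTP.

Added example of a passive check over captured mobile-app / mobile-web
traffic. The requests below are constructed: hosts are made up and the card
numbers are public test PANs, not data from the CardCrypt report.
"""
import re
from urllib.parse import unquote_plus, urlsplit

# 13-19 digits, optionally separated by single spaces or dashes, and not
# glued to other digits on either side.
_CANDIDATE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")

# Constructed sample of what a tester sees while a customer pays in an app.
SAMPLE_REQUESTS = [
    {"scheme": "http", "host": "m.airline.example", "path": "/book/pay",
     "body": "name=J+Doe&card=4111111111111111&exp=12%2F17&cvv=123"},
    {"scheme": "https", "host": "secure.airline.example", "path": "/book/pay",
     "body": "name=J+Doe&card=5555555555554444&exp=12%2F17&cvv=123"},
    {"scheme": "http", "host": "m.taxi.example",
     "path": "/quote?ref=1234567890123456", "body": ""},       # 16 digits, not a PAN
    {"scheme": "http", "host": "m.parking.example",
     "path": "/pay?card=6011111111111117&plate=AB12CDE", "body": ""},
    {"scheme": "http", "host": "m.zoo.example", "path": "/tickets",
     "body": "qty=2&card=3782+822463+10005&email=jdoe%40example.test"},
]


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check that every major card brand's numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return Luhn-valid card numbers found in text, separators stripped."""
    pans = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            pans.append(digits)
    return pans


def mask(pan: str) -> str:
    """Keep only the first six and last four digits in the finding."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def audit(requests: list) -> list:
    """One finding per request that carries a card number without TLS."""
    findings = []
    for req in requests:
        if req["scheme"].lower() == "https":
            continue                        # encrypted in transit; not the issue here
        query = urlsplit(req["path"]).query
        # Decode percent-encoding and '+' so spaced card numbers are recognised;
        # the '&' keeps query digits and body digits from being joined.
        decoded = unquote_plus(query) + "&" + unquote_plus(req.get("body", ""))
        for pan in find_pans(decoded):
            findings.append({"host": req["host"], "path": req["path"], "pan": mask(pan)})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_REQUESTS):
        print(f"cleartext PAN  {f['host']}{f['path']}  {f['pan']}")
```

The HTTPS request carrying the same kind of form is deliberately ignored: the finding is about transport, not about the form itself. The taxi request shows why the Luhn check matters; a 16-digit booking reference would otherwise produce a false positive.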

Millions of customers exposed to financial information theft

This data, if in the wrong hands, would be more than sufficient to initiate fraudulent transactions.

The companies that leaked information are:
▹ 1 Robe.fr (France, retail)
▹ Aer Lingus (Ireland, airline)
▹ Air Canada (Canada, airline)
▹ AirAsia (Malaysia, airline)
▹ American Taxi (USA, taxi)
▹ Chiltern Railways (UK, railway transportation)
▹ CN Tower (Canada, restaurant)
▹ Dash Card Services/Parking (UK, pay-for-parking)
▹ easyJet (UK, airline)
▹ Get Hotwired (US, telecommunications)
▹ KV Cars (UK, taxi)
▹ OuiCars (France, car rental)
▹ PerfectCard.ie (Ireland, prepaid gift cards)
▹ San Diego Zoo (US, entertainment)
▹ Sistic (Singapore, ticketing service)
▹ Tribeca Med Spa (US, healthcare)

Combined, these companies serve over 500,000 customers per day.

"The reality is that only the 16 companies that run these apps and mobile web properties can disclose how many customer records were exposed unencrypted," says the Wandera Threat Research Team. "Only they know how long that vulnerable code has been deployed and used."

After Wandera's inquiries, easyJet has fixed its issue.

Below is a short video presentation of the issue by Wandera's staff, and an infographic detailing some of the companies that exposed user data.

CardCrypt report infographic
