
Author: 归海一刀
Published 2014/3/25 7:58:08
Ctrip leaks information, a worry! Lax payment for tourism products, a bigger worry (IT News)

On the evening of the 22nd of this month, WooYun, a domestic platform for reporting network security issues, announced that a technical vulnerability in Ctrip's systems could have exposed users' personal information and bank card data. Industry analysts said that Ctrip does not hold a payment licence and is therefore not permitted to store users' bank card information; the incident exposed weaknesses in the company's internal controls and latent risk-management problems at some third-party payment institutions. They recommended that the relevant authorities issue laws and regulations protecting personal privacy as soon as possible, penalise institutions that leak customer information, and put a proper "safety valve" on online payments.

- Events

Trading website stored CVV codes in breach of the rules

Ctrip had switched on a debugging feature on the service interface that processes user payments, so that some of the packets sent to banks to verify the cardholder were saved directly on a local server, where hackers could potentially read them. Ctrip has no payment licence and under the rules may not store users' bank card information, least of all the CVV code (also called the user identification code: the number a bank card uses to confirm the user's identity in card-not-present transactions, functioning much like a password). The debugging interface in question is normally only opened when Ctrip needs to debug together with a partner company, and the packets usually carry several layers of encryption, so even if downloaded they would be hard to decipher.

[File photo]

Ctrip is understood to work with more than ten banks, including ICBC, Bank of China, China Merchants Bank and Shanghai Pudong Development Bank, and with third-party payment providers including Alipay, Tenpay and UnionPay Online.

As a NASDAQ-listed online third-party payment business, Ctrip must comply with the Third-Party Payment Industry Data Security Standard, which specifies how data protection is to be implemented and which information may and may not be retained; the CVV code is sensitive data that may not be stored.

"A trading website storing CVV codes is like an hourly domestic worker secretly making a copy of your house key while also knowing everything about your household," said Li Xiang, founder of Autohome, on his verified Sina Weibo account. "Requiring a CVV code to be entered and storing the CVV code are two different things. Some information may be stored, and some must never be stored under any circumstances. Ctrip stored the CVV code, which it should never have kept under any circumstances, and that is the equivalent of storing and leaking your credit card password."

- Behind the scenes

Payment for tourism products is "looser"

The Ctrip payment vulnerability exposed by WooYun left many people baffled: why would Ctrip store credit card CVV codes at all? Our reporter's inquiries found that it is tied to how tourism products are booked.

Tourism products, typified by air tickets and hotel rooms, change price in real time with inventory and booking time. Buying a ticket online works like this: the user looks up a flight and sees, say, a 400 yuan ticket discounted to 30% of the full fare; the user enters the passenger's name and ID card number, clicks Next, and then completes the payment; once the agent sees that payment is complete, it issues the ticket against the completed order. But filling in the information takes time. A user familiar with online shopping needs at least 30 seconds to complete payment, a slower one 1-2 minutes, and in that interval the discounted fare may well have been withdrawn or repriced by the airline, perhaps to 450 yuan, so the payment succeeds but no ticket is issued.

So a booking is not confirmed simply because the user has filled in personal information and clicked Next. If, at the moment of booking, the product's inventory and price data match the real-time situation, the booking succeeds and the funds are paid out. But once the consumer's booking request has been issued, the back end frequently runs into situations such as the inventory being gone or the price having risen, and the booking platform then asks the consumer whether to make another choice or continue booking. To improve the customer experience, an online travel site that keeps the consumer's name, ID number, credit card number, CVV code and so on can respond to such cases more flexibly; its back-end systems go back and forth to the relevant databases far more often than a site selling physical goods.

Third-party payment providers also store user information

From a technical standpoint, if payment conditions for tourism products are "looser", is booking a travel product less secure than ordinary online shopping? A senior technical specialist told our reporter that in fact third-party payment platforms, too, store consumers' data. A legitimate online shopping platform encrypts the data after storing it; the data then enters a sealed pipeline and is only decrypted when reconciling accounts with the bank.

How is the data "kept" after a successful booking? In fact, by then the data has been deleted from the booking back end and moved into a separate encrypted information store (not the VCC), from which it can be retrieved when the user books again. "Ctrip's data leak this time was not a leak from the information store. Rather, Ctrip's technicians turned on a debugging feature on the service interface that processes user payments, meaning that part of the booking back end's data, CVV included, was decrypted so that technical problems could be investigated. Those data should have been downloaded to a local log server (very tightly secured and unreachable from outside), but instead they were placed on the web server, which can only be called an elementary mistake that should never have happened," the specialist said.

- Reminder

Don't enter core information on sites you don't trust

Gong Wei, known as the "godfather of Chinese hackers", said that this Ctrip system vulnerability was made up of several small holes; none of them is serious on its own, but chained together they became a "security incident".

"In fact, CVV information (as stored by websites) is strongly encrypted, and even hackers may not be able to crack it," Gong Wei said. "To steal this kind of information a hacker needs three conditions to hold: the encryption can be cracked, records are kept for a long time, and the vulnerability goes unfixed."

According to Gong Wei, third-party payment providers log users' personal information while their programs run so that they can record, trace and debug the purchase flow. That is legitimate, but such information must not be visible to everyone and must be encrypted. Debugging is normally done in a virtual environment, and after development or debugging is finished, and before going live, all data ports should be checked to confirm they are closed.
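The failure the technical specialist describes above (a debug feature writing decrypted booking data, CVV included, onto the web server instead of a protected log server) and Gong Wei's point that debugging output containing user data must be protected come down to one control: card data must never reach a log in the clear. The following Python is an added example, not code from the article or from Ctrip; it scans constructed sample log lines for Luhn-valid card numbers and CVV fields (the field names cvv/cvc/cvn/security_code are assumed) and applies the redaction a debug hook should perform before anything is written.

```python
import re

# Candidate PANs: 13-19 digit runs, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# key=value style CVV fields; the key names are assumed, not taken from Ctrip.
CVV_RE = re.compile(r'(?i)\b(cvv2?|cvc2?|cvn|security_code)\b["\s:=]+(\d{3,4})\b')

def luhn_valid(digits: str) -> bool:
    """Luhn checksum: tells real card numbers from order ids and timestamps."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_card_data(line: str) -> dict:
    """Return the Luhn-valid PANs and the CVV values present in one log line."""
    pans = [re.sub(r"[ -]", "", m.group()) for m in PAN_RE.finditer(line)]
    return {"pan": [p for p in pans if luhn_valid(p)],
            "cvv": [m.group(2) for m in CVV_RE.finditer(line)]}

def redact(line: str) -> str:
    """Mask PANs to first 6 / last 4 and drop CVV values entirely.
    A debug hook must do this before the record touches disk: a CVV is never
    needed for troubleshooting and may not be stored at all."""
    def mask_pan(m):
        digits = re.sub(r"[ -]", "", m.group())
        if not luhn_valid(digits):
            return m.group()  # order id, timestamp, etc.: leave untouched
        return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
    line = PAN_RE.sub(mask_pan, line)
    return CVV_RE.sub(lambda m: f"{m.group(1)}=[REDACTED]", line)

def scan(lines: list) -> list:
    """Indexes of lines that hold card data and must be redacted or purged."""
    return [i for i, l in enumerate(lines) if any(find_card_data(l).values())]

# Constructed sample of what an exposed debug log might look like (not real data).
SAMPLE_LOG = [
    "2014-03-22 21:04:11 DEBUG bank_verify req card=4111 1111 1111 1111 cvv=123 name=ZHANG SAN",
    "2014-03-22 21:04:12 DEBUG order_id=20140322000987654 status=INVENTORY_CHANGED",
    "2014-03-22 21:04:13 INFO payment ok txn=5500000000000004",
]

if __name__ == "__main__":
    for i in scan(SAMPLE_LOG):  # flags lines 0 and 2
        print(f"line {i}: {find_card_data(SAMPLE_LOG[i])} -> {redact(SAMPLE_LOG[i])}")
```

The same scan run over an existing web-server log directory is a cheap way to confirm that no debug switch has left card data behind after a troubleshooting session.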

"Not all personal information entered online is encrypted: name and ID number are in plaintext, while bank card number and CVV code are strongly encrypted," Gong Wei said. "Part of the personal information is left unencrypted for reasons of resource efficiency and user experience. Encryption consumes system resources and also requires a decrypt-and-restore step, which adds many procedures and makes things very slow."

Gong Wei's advice to companies is to maintain security awareness and never overlook small holes. Consumers, for their part, should be careful when choosing a payment site and filling in personal information. "When submitting core personal information such as ID numbers, bank card numbers and passwords, never submit it to a site you do not trust. Generally speaking, the large, well-known sites are technically mature, and you will not see hackers inserting code directly into the site to harvest user information. Small purchasing-agent sites are far less secure."

Gong Wei also said that unless it is necessary, do not use your real identity; use a virtual identity wherever you can, which reduces the exposure of personal information. "Be careful when paying online. It is best to set an online purchase limit on your bank card and enable SMS payment notifications and similar protections, so that if the card is misused you notice immediately and limit the loss."

- Suggestions

Regulators need to intervene forcefully

Although Ctrip responded promptly to public questioning, public concern does not seem to have eased. Ms Chen, who works at a foreign trade company in Guangzhou and is a loyal Ctrip user, asked: "Ctrip promises that if users suffer losses from the security vulnerability in future, it will take full responsibility and compensate them. But how is a loss defined? Does the company get the final say?"

Public information shows that all investigation and loss assessment in the incident has so far been carried out by Ctrip alone, without bringing in a third-party regulator. Industry analysts admit that China currently has no legislation regulating how third-party payment providers collect user information.

Ctrip's leak of user information shows that the online payment industry needs not only stronger self-regulation but forceful intervention by regulators; explicit regulations, together with compliance and legality checks, are urgently needed to bring online payments under industry-wide supervision.

Guo Tianyong, director of the Banking Research Center at the Central University of Finance and Economics, believes the Ctrip incident exposed latent risk-management problems at some third-party payment providers. He recommends that the relevant authorities promptly issue laws and regulations protecting personal privacy, penalise institutions that leak customer information, and keep a tight grip on the "safety valve" of third-party payments.

