Ctrip hit by security loophole

By Zhang Ye Source: Global Times Published: 2014-3-24 0:13:01

A woman checks into a hotel in Beijing. Photo: IC

User information leakage in Internet companies; financial results of Ctrip


Ctrip.com International, a Chinese NASDAQ-listed travel booking website, said Sunday that it had fixed a security loophole that made users' credit card details vulnerable to hackers and had told 93 users to change their cards.

The loophole was found and disclosed on Saturday by a domestic Internet security monitoring platform, wooyun.org. Through the loophole, users' personal information such as their real name, identification card number, credit card numbers, and the three-digit card verification value (CVV) number can be obtained, making it possible for fraudsters to use the users' credit cards, according to wooyun.org.

Ctrip said in a statement sent to the Global Times Sunday the problem was solved in two hours, but believed that 93 users may still face potential risks and contacted them on Saturday and Sunday by telephone to urge them to have their credit cards replaced. The company also noted it will cover the charges for card replacement.

This quick response seems unlikely to put an end to discussions among netizens over why the company had kept the sensitive credit card information, especially the CVV numbers that are the key to completing online transactions via credit card.

Without authorization from users, Ctrip will not collect and keep their card information, such as expiry dates, but for unpaid deals, users' CVV information will be kept temporarily for up to seven days, a PR representative with the company explained to the Global Times Sunday.

In this case, some of its website staff were careless and forgot to remove details like CVV numbers during previous system testing, he said.

It is illegal to collect and store consumers' sensitive credit card information such as CVV numbers without telling them in advance and Ctrip is very likely to face administrative punishment, said Zhao Zhanling, a legal counsel with the Internet Society of China.

All the related information has been deleted at present, and there are no traces of any malicious information having been downloaded, said Ctrip, which thanked wooyun.org for the timely warning in the statement.

"After confirming with domestic banks, we have found no damages caused to our users due to the loophole yet," said the company.

But Yan Maojun, a resident of South China's Guangxi Zhuang Autonomous Region, told the Global Times Sunday that nearly 20,000 yuan ($3,212) was stolen in February from his two credit cards that were linked to his Ctrip account, citing the loophole.

He has no intention of pursuing a lawsuit against Ctrip, as the banks promised to cover his losses due to his platinum card membership, but he has unlinked his credit cards from Ctrip.

Ctrip pledged to provide full compensation if there are any losses incurred by its users from the loophole.

Zhao told the Global Times Sunday that Ctrip's compensation solution seems infeasible, as it is hard for consumers to prove that the loophole was responsible for money having been stolen via a credit card unless the card was only used in online transactions with Ctrip.

As more consumers are choosing to settle transactions online, Internet security has become an increasingly tough issue confronting companies as well as the government. The loss of consumers' information has happened several times in recent years.

JD.com, a domestic online retailer, for instance, said it had found that some users' account information and passwords had been leaked, according to media reports in February. And in September 2012, the user database of Amazon China, another online retailer, was reportedly hacked, causing financial losses to some consumers.

The government should set up a more mature mechanism to regulate and crack down on crimes in the Internet world, requiring authorities like the police to actively help consumers claim compensation for losses, Zhang Yi, CEO of Shenzhen-based market research firm iiMedia Research, told the Global Times Sunday.

Zhang said that Ctrip's financial performance may be dampened by this security problem.

The net profit of ctrip.com reached $164.91 million in 2013, higher than 2012's $114.67 million, but lower than 2011's $171.03 million.
