Ctrip's data leak incident comes down to employee carelessness

Although the impact was not as large as the US surveillance of Huawei equipment, the media's coverage amplified the negative effects of this incident. Today, Ctrip's share price was also slightly affected.
Some people say that using a credit card on Ctrip is unsafe. In fact, this description is very inaccurate and easily causes unnecessary panic. According to the WooYun disclosure, the window of exposure ran from the time the vulnerability appeared until 11 o'clock on the evening of the 22nd, when the problem was fixed. Users who made payment transactions in that window are potentially at risk. At present, Ctrip's official statement is that some users who paid on the 21st and 22nd are affected.
Some people say they have decided to remove their credit card from Ctrip. This is really not necessary. I emphasize once again that, according to the WooYun description, only data from the payment process may have been illegally obtained. In other words, the Ctrip website itself is currently safe. If you did not pay with a credit card directly on Ctrip recently, especially on the 21st and 22nd, you are not affected.
Some people ask: if you are at risk, how should you avoid or reduce that risk? (1) If you used Ctrip on the 21st, replacing the card is the most direct and safe way. (2) If you do not want to replace your card, or you are not sure whether you are at risk, you can choose to freeze the card. From my own experience reporting a lost card, if a dual-currency card is only frozen, that only blocks consumption through the China UnionPay channel and may not stop consumption through foreign-currency channels. (3) Lower or disable your online transaction limit and opt to receive a reminder message for each transaction; this effectively helps you control the risk.
Some people say that although they are not within the affected range in Ctrip's announcement, they are still very worried about what to do. This is a very common problem, but there will never be a definite answer. However, I would like to say that if you are not in the range and are worried about Ctrip, you could start worrying about the people around you. In theory, they have a far greater chance of looking into your wallet, recording your credit card details and using them maliciously.
Some people say they have no sense of security at all; although they are not in the range, they are still very anxious. There really are a lot of such people: yesterday in a group chat about Ctrip, most of the users were not within the range Ctrip announced as affected, yet I estimate a good share of them chose directly to replace their cards. What I want to say is that the card-issuing banks are no pushovers. They have their own security assessment systems. For example, if you suddenly spend in an unfamiliar place, or if anomalies are detected such as your typing speed in online banking falling outside the normal range, a risk warning may be triggered.
Some people ask whether you can continue to trust Ctrip. I personally will continue to use Ctrip, but as for trusting a third party completely, sorry, I can't. Still, Ctrip is relatively credible in my eyes. Because of my work, I have dealt with the technical and information security teams of many companies and Internet companies, and Ctrip's internal control over information security is very high among the domestic companies I have seen.
In this incident, many commentary articles did not mention the PCI-DSS standard. In fact, this simple dimension alone lets you judge which commentary is reliable and which is not. PCI-DSS is the Payment Card Industry Data Security Standard, led by VISA and MasterCard. If you want to run a third-party payment service and want to go public in the United States, you must pass this standard. PCI-DSS clearly defines how data protection is to be implemented, what information may be stored, and what information may not be stored (especially not in plaintext), such as the CVV and other sensitive information. Therefore, what Ctrip did this time is a clear violation of the relevant provisions of PCI-DSS.
Since Ctrip certainly passed PCI-DSS when it went public, you can also see how hard it is for some security standards to go from implementation to ongoing maintenance. The requirements of "security standards" and "compliance" have now been reduced to a business, and their gold content is getting lower and lower. Security companies implementing PCI-DSS may hand customers a lot of documents, but fewer and fewer companies are really serious about putting it into practice. So passing a security standard doesn't mean much; it just costs money to buy a certificate. For example, PCI-DSS requirements generate a lot of derivative security requirements, and VISA has also invested in some security companies, which take most of the profits. With interests so intertwined, certification audits will inevitably not be too strict.
According to Ctrip's official explanation, the data was written to a temporary log for debugging purposes. A total of 93 users were involved and no other data was found. I believe that the submitter of this vulnerability, "Pig Swine," will not use this data for malicious purposes, because his reputation in the industry is very good, and anyone who wanted to do that would not have submitted the vulnerability to WooYun in the first place. However, whether Ctrip still has other problems is unknown.
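The PCI-DSS storage rules discussed above and the debug-log cause given here come together in this added example (my own code, not Ctrip's and not the page author's): a scrubber that drops sensitive authentication data and masks the PAN before a payment record is written to any debug log, plus a Luhn-filtered scanner for finding card numbers that have already leaked into a log. The field names, log format and card numbers are constructed test values, not data from the incident.

```python
import re
# Sensitive authentication data that PCI DSS forbids storing after authorization.
SAD_FIELDS = {"cvv", "cvv2", "cvc", "pin", "track_data"}
PAN_FIELDS = {"pan", "card_number"}

# Constructed sample debug log (test values; 4111111111111111 is Luhn-valid, ...1112 is not).
SAMPLE_DEBUG_LOG = (
    "2014-03-22 10:01:02 pay.debug pan=4111111111111111 cvv=123 exp=0916\n"
    "2014-03-22 10:01:03 pay.debug order=20140322001 amount=580.00\n"
    "2014-03-22 10:01:04 pay.debug pan=4111111111111112 cvv=456 exp=1017\n"
)

def luhn_ok(digits):
    """Luhn checksum; True means the digit string is a plausible card number."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan):
    """Render the PAN unreadable: keep at most the first six and last four digits."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13:
        return "*" * len(digits)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def scrub_for_log(record):
    """Hardened logging of a payment record: drop SAD fields, mask the PAN."""
    out = {}
    for key, value in record.items():
        if key.lower() in SAD_FIELDS:
            continue
        out[key] = mask_pan(str(value)) if key.lower() in PAN_FIELDS else value
    return out

# 13-19 digits, optionally space/dash separated, not part of a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")

def find_leaked_pans(log_text):
    """Detection side: digit runs that also pass Luhn are probably real PANs."""
    hits = []
    for match in PAN_RE.finditer(log_text):
        digits = re.sub(r"\D", "", match.group(0))
        if luhn_ok(digits):
            hits.append(digits)
    return hits
```

Running `find_leaked_pans` over the sample returns only the Luhn-valid number, so the order id and the mistyped card number are not reported as leaks.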
For users, panic may set in and they may ask their banks to replace their credit cards. But unless you stop paying by credit card online altogether, similar problems are hard to avoid in the short term. I believe there are still many companies that are worse than Ctrip and lack standards, in particular some companies that have not yet gone public and have not passed PCI-DSS certification; these problems just have not been exposed to the light, so you do not know about them.
For Ctrip, this incident is not so much a technical flaw as a crisis of credibility. At the same time, we also see the importance of security: it may take several years to build user trust, but only one day to destroy it.
