«There were no attacks on the payment gateway through which tickets are purchased online at www.rzd.ru. The gateway is protected in accordance with the latest version of the payment card data security standard. All customers transacting through it are guaranteed complete payment security,» a spokesperson for the credit institution told RBC. RBC's source at the bank is confident that the site was created so that visitors would leave their card details there.
However, this statement is untrue. The author of the post "What threatens Heartbleed to the ordinary user?" had already written about the vulnerability on the RZD site; he confirms that the vulnerability he discovered was precisely at VTB 24 and in RZD's online payment gateway.
Another comment from the press service:
«If you look closely at the site, it in itself raises many questions: instead of names there are numbers, abbreviations, Russian or partial names, which cannot occur in the case of bank cards. It looks like a simple fake.»
This is also a very strange statement. The vulnerability allows data to be read from the server's memory, so if a user entered incorrect or incomplete data, it will appear in the dump exactly as entered. Moreover, the majority of the users concerned confirm that the data is genuine. For example, Alexei Kopylov, one of the directors of the company Flexis, confirms that his data is in the list and provides a photo of the card together with a screenshot of an electronic ticket.
The authenticity of the data is also indirectly confirmed by Viktor Lysenko, CEO of Rocketbank, who has promised to reissue all cards from the list.
The phishing theory does not add up either. For the check, the site asks for only 10 of the 16 digits of the card number, and for the particularly distrustful it lets you download the database file and check locally.
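As an added illustration (not code from the original post or from the site discussed), this is what such a local check looks like: the downloaded list is indexed by a partial card number so that the full number never leaves the user's machine, and, as noted above about memory dumps, entries that are not a complete 16-digit number are counted separately rather than discarded silently. Which 10 digits the site used is not stated; the example assumes the first 6 and last 4, and the dump lines are constructed sample data.

```python
import re
from typing import Set, Tuple

# Constructed sample, not real data: what a leaked list might look like,
# including the partial or malformed entries a memory dump would contain.
SAMPLE_DUMP = """\
4276 1234 5678 9010;IVAN PETROV;12/16
5469-5500-1122-3344;ROKETBANK;07/17
4276 12;ABC;01/15
garbage line without a card
4276123456789010;IVAN PETROV;12/16
"""


def normalize_digits(value: str) -> str:
    """Keep only digits, so '4276 1234-5678 9010' and '4276123456789010' match."""
    return re.sub(r"\D", "", value)


def mask_pan(pan: str) -> str:
    """Reduce a full 16-digit PAN to the assumed 10-digit key: BIN + last four."""
    digits = normalize_digits(pan)
    if len(digits) != 16:
        raise ValueError("expected a 16-digit card number")
    return digits[:6] + "*" * 6 + digits[-4:]


def build_index(dump: str) -> Tuple[Set[str], int]:
    """Index the dump by masked key; count entries that are not a full PAN.

    Returns (set of masked keys, number of incomplete card entries).
    Lines with no digits at all are ignored as noise.
    """
    keys: Set[str] = set()
    incomplete = 0
    for line in dump.splitlines():
        card_field = line.split(";", 1)[0]
        digits = normalize_digits(card_field)
        if len(digits) == 16:
            keys.add(mask_pan(digits))
        elif digits:
            incomplete += 1
    return keys, incomplete


def card_in_dump(pan: str, keys: Set[str]) -> bool:
    """Local check only: the full PAN is masked here and never transmitted."""
    return mask_pan(pan) in keys
```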
Moreover, it looks as if a media campaign is being run against the site. Large outlets such as RBC, SecurityLab, JustMedia and others, without looking into the matter, took VTB24's side and called the site a phishing site.
Sadly, large Russian companies, instead of acknowledging the problem and taking joint action to solve it, pretend that nothing happened while at the same time trying to silence the IT professionals who care.
Source: habrahabr.ru/post/219691/