E-commerce is flourishing, particularly at a time when the coronavirus pandemic has shuttered many stores around the world or profoundly changed the brick-and-mortar shopping experience. But cyber attackers are ready to move in and find ways to illegally profit from customers’ willingness to spend money online.
Payment card skimmers use malicious code embedded within a website to collect a copy of a customer's payment card details or other sensitive data and send it to an attacker.
Attacks target everyone from SMEs to established giants
These attacks are often called Magecart attacks, named after an infamous hacker consortium that regularly targets online shopping cart systems (most commonly the Magento platform) as a means of stealing this data. They are also sometimes referred to as supply chain or form-jacking attacks.
Credit card skimming began with ATMs and point-of-sale terminals, then moved online as more and more transactions took place on the internet through e-commerce platforms.
Such Magecart or supply chain attacks aren't leveled only against smaller retailers. Targets range from niche websites to major players like the ticketing giant Ticketmaster and the airline British Airways, both of which have been victims of Magecart attacks. In the Ticketmaster attack alone, approaching 40,000 customers in the United Kingdom had personal and financial data stolen. In the case of British Airways, the result was the theft of payment data for 380,000 customers. Academic institutions, hotel chains, and even self-service community and utility portals for actions like paying parking tickets have also been targeted by similar attacks.
Attacks are increasing
Such Magecart attacks are only increasing. In a single weekend in September 2020, almost 2,000 e-commerce sites were infected with a payment card skimmer. This may have been the result of a zero-day exploit, meaning an attack on a vulnerability that had not previously been disclosed by security professionals and for which no patch was available.
One thing that drives the increase in attacks is the scalability of this form of cyber attack. Because attackers target the third-party entities that supply code for taking payments, once a supplier has been breached or compromised, the same foothold can be used to target every website that loads that code. That could mean breaching thousands of websites. Since a website may not know that it is serving compromised code (unlike, for instance, a ransomware attack, which makes no effort to disguise that an attack is taking place), malicious code can be left to run indefinitely on a site.
PCI DSS compliance requirements mean that vendors should take precautions such as regularly reviewing source code and scanning web applications for vulnerabilities. Failing to do so can result in significant costs when a Magecart payment card breach negatively impacts PCI DSS compliance.
Steps in the right direction
This is a challenging area, and it's getting tougher all the time. Customers flocking to spend money online means a boon for e-commerce platforms everywhere. However, cyber attackers will continue to focus on this area, given the enormous potential (ill-gotten) rewards they can reap from successful Magecart attacks.
There are various steps online retailers can take to protect themselves against payment card skimmers. For instance, they can keep antivirus software up to date, require strong authentication for access to system components, periodically review the details of third-party service providers, and turn off any unnecessary services, ports, and other exposed functionality on devices and servers.
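Because a skimmer arrives as script embedded in the checkout page (often from a third-party supplier, as described above), one concrete form of the "review your third-party providers periodically" step is to inventory every script the checkout page loads and compare it against a list the site owner has approved. The following is an added example written for this article, not code from the page or from any vendor it mentions: it parses a constructed sample checkout page with Python's standard library, records each external script's origin and whether it carries a Subresource Integrity (SRI) `integrity` attribute, hashes inline scripts the same way SRI does, and reports anything outside the allowlist. The page markup, the allowlisted origins and the `sha256-PLACEHOLDER` integrity value are all constructed for the example.

```python
"""Inventory the <script> tags on a checkout page and flag anything not on the allowlist.

Added example: detection logic for a site owner auditing their own checkout page.
"""
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample checkout page (not a real site). The first script carries a
# placeholder SRI hash; the third script points at an origin the site owner never
# approved, standing in for an unexpected third-party loader.
SAMPLE_CHECKOUT_HTML = """
<html><head>
<script src="https://shop.example/static/checkout.js"
        integrity="sha256-PLACEHOLDER"></script>
<script src="https://payments.example/v1/form.js"></script>
<script src="https://cdn.unknown-thirdparty.example/analytics.js"></script>
<script>window.__cfg = {currency: "GBP"};</script>
</head><body><form id="payment">...</form></body></html>
"""

# Origins the site owner has reviewed and approved to run script on checkout (constructed).
ALLOWED_SCRIPT_ORIGINS = frozenset({"https://shop.example", "https://payments.example"})


class ScriptCollector(HTMLParser):
    """Collects external script sources and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external = []      # list of (src, has_integrity_attribute)
        self.inline = []        # list of inline script bodies
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        attributes = dict(attrs)
        src = attributes.get("src")
        if src:
            self.external.append((src, "integrity" in attributes))
        else:
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        # html.parser hands <script> content through as raw data.
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            self._in_inline = False
            self.inline.append("".join(self._buf))


def script_origin(src):
    """Return scheme://host for an absolute URL, or None for a same-origin relative path."""
    parts = urlparse(src)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}"


def sri_hash(body):
    """SRI-style digest of a script body: 'sha256-' + base64(sha256(bytes))."""
    digest = hashlib.sha256(body.encode("utf-8")).digest()
    return "sha256-" + base64.b64encode(digest).decode("ascii")


def audit_checkout_scripts(html, allowed_origins, known_inline_hashes=frozenset()):
    """Return (finding_kind, detail) tuples for scripts that need a human to look at them.

    unapproved-origin: external script served from an origin not on the allowlist
    missing-sri:       external script without an integrity attribute
    unknown-inline:    inline script whose hash is not in the known set
    """
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src, has_integrity in collector.external:
        origin = script_origin(src)
        if origin is not None and origin not in allowed_origins:
            findings.append(("unapproved-origin", src))
        if not has_integrity:
            findings.append(("missing-sri", src))
    for body in collector.inline:
        digest = sri_hash(body)
        if digest not in known_inline_hashes:
            findings.append(("unknown-inline", digest))
    return findings


if __name__ == "__main__":
    for kind, detail in audit_checkout_scripts(SAMPLE_CHECKOUT_HTML, ALLOWED_SCRIPT_ORIGINS):
        print(f"{kind:18} {detail}")
```

Run periodically against the live checkout page and diffed against the previous run, this turns "check your third-party providers" into a repeatable control: a new origin or a changed inline script is exactly what a newly injected skimmer looks like. One caveat a practitioner will hit: payment providers frequently update the script they serve, so a fixed `integrity` hash is often not workable for them, and the `missing-sri` finding is then a prompt to pin the origin (for example with a Content-Security-Policy `script-src` allowlist) rather than the file.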
Seeking out the professionals that can help
But to ensure compliance (and the safety of both your business and your customers), the best answer may be to recruit the services of trusted cybersecurity professionals. A tool like a Web Application Firewall (WAF) can help identify attempts to place Magecart code on a company's website.
This will give you the peace of mind that you are employing the best security practices, while minimizing the workload for yourself and your team. The result is an out-of-the-box security offering that protects you 24 hours a day, seven days a week, without you having to worry.
The online e-commerce field is bigger than ever. But it's also more competitive than it's been at any previous point in history. Business owners and companies have plenty to think about, from strategy to product offerings, without having countless hours to spend on the bad actors seeking to do them harm.
Fortunately, here in 2020 the tools are available to help. So long as you take advantage of them, that is.