We recently learned that the previously disclosed Ticketmaster breach was not a one-off event but instead part of the largest payment card theft in history - the Magecart website credit card skimming operation.
This game-changing attack impacted an unprecedented 800 ecommerce sites around the world (and possibly thousands). The recent Master134 attack, which exploited thousands of Wordpress sites via a third-party, proves that these types of attacks are not a one-time event.
The nature of these attacks - in which a website supply chain vendor is hacked - is incredibly alarming. For the Ticketmaster breach, attackers exploited a universal client-side website vulnerability and exposed one of the world’s biggest ecommerce sites for over a year before it was discovered to be exfiltrating payment data.
This is a very big deal. Nearly every website uses dozens of third party tools like Inbenta - the one exploited during the Ticketmaster attack - to deliver rich experiences, features and analytics that result in a far more compelling website than any engineering team could build by themselves. The problem is that these tools, integrated via Javascript, have nearly unlimited access to every element of web pages and introduce a client-side vulnerability that was previously impossible to prevent.
This is evidenced by the severity of the damages (e.g. payment card skimming) and the success of the attacker’s efforts which revealed the complete susceptibility of hundreds if not thousands of websites to this attack vector.
So, what can site owners do today to minimize the risk of card skimming via third party tools? A number of tactics can reduce the threat, while prevention technology can avoid it altogether.
Prevention is paramount. The fundamental problem is that these third-party tools have unlimited access to the pages on which they operate. Technology that controls the access and permissions of every third party running on the page insulates websites, their corporate owners, their visitors and their customer data from the inappropriate behavior of overzealous third parties and the more malicious activities of hackers that seek to exploit them.
Prevention level approaches not only secure the organization, but are necessary for adequate data control required by many compliance laws (e.g. GDPR and California’s newly passed Digital Privacy Law). Without the ability to control what data each third-party can access, an organization is in a state of non-compliance.
A major benefit of prevention is that with security and privacy concerns satisfied, the business is free to use third parties in a way that helps to achieve the shared goal of the business – revenue generation. By using third-parties on otherwise sensitive pages (e.g. payment, registration) the business is able to optimize their conversion rates at critical junctions of the customer journey.
By using new and innovative tools, the business can be dynamic and differentiate from their peers who are forced to move slower and in a more restricted fashion. The end result is a secure and compliant site that delivers a superior customer experience and produces better analytics.
The alternative to prevention is monitoring and detection. The major inadequacy of these approaches is that they are incapable of detecting these attacks in real-time: even with a multitude of sensors spread globally, detection schemes may miss highly targeted attacks altogether.
At best, they may detect an attack but will never detect the attack in time for the website owner to avoid some damage. After all, even if the majority of the damage is avoided after detection, any leakage of customer data likely constitutes a compliance violation that will require full public disclosure. The resulting fines, PR crises and operational fire drills are typically crippling.
We have not even begun to discuss that detection approaches have no remediation capability, so the only response is to remove the tool that was originally selected and employed, losing the utility it provides.
The last resort would be to exercise a debilitating level of caution. Over scrutinizing third-party vendors makes delivering a compelling, differentiated and dynamic web presence impossible. Limiting the number of tools used similarly limits the organization’s ability to provide an engaging user experience and extract meaningful analytics. Restricting usage to non-sensitive pages is entirely counterproductive to the overall goals of the business. If customer experience and analytics are not optimized at critical points in the customer journey like account registration and check out, then conversion rates will plummet.
Overall, it’s likely that the more than 800 compromised sites in this attack are just the tip of the iceberg given the time that this attack was running undetected. Similar attacks on major global airlines, online electronics merchants, online mass merchants and credit rating agencies have recently been reported as exploited by this same attack vector.
While considering and prioritizing mitigating attacks perpetrated by attackers who have exploited third parties, it’s absolutely critical for site owners - particularly those handling regulated customer and payment data - to be aware of the existing threat and take action to control this exposure.