With the vast majority of online businesses being classified within the small to medium sized category and the huge growth in eCommerce, the Payment Card Industry (PCI) came to the realisation that one of the industry’s greatest exposures lies with the tens of thousands of small to medium sized eCommerce businesses potentially not protecting their client payment data effectively.
They were right. With the increasing numbers of small to medium sized businesses getting hacked, as an industry, we’ve got to ask what is going on and what can we do better to help protect them?
While the identities of hacked businesses in the European region tend to be protected by the merchants and their banks (nobody wants to say “hey everybody – we’ve been hacked, and no we weren’t really looking after our customers’ data very well, so it all got stolen too”), with the European Data Protection Directive due to come into being in 2017, they will be required by law to tell everyone that they have been hacked and were negligent with their client data (and are likely to receive a hefty penalty too).
So while there is little evidence to be seen of the growing numbers of hacked eCommerce businesses, you’ll have to go on our word that so far this year we have already done as many cases as we did in the whole of 2013 – we have a very active forensic team (one of the leading forensic teams globally) and 2013 was busy.
There is a growing problem in the eCommerce industry.
The vast majority of hacked eCommerce businesses have a similar story to tell when they contact us:
Unfortunately, in most cases the bank’s alert proves to be correct – the website has been hacked and a lot of payment card data has been stolen. It is expensive, hugely disruptive, exhausting and in some cases catastrophic for these businesses.
Some learn from the experience and others just want to be back up and running as soon as possible, viewing the forensic process as inconvenient bureaucracy.
If you think through the process of setting up an online business, it goes something like this:
Yes, we’ve simplified the process somewhat… However, more often than not, the first time security is considered at all is while the Self-Assessment Questionnaire is being answered.
Of course, the web developer has a bit of security experience and aims to build a secure website. The right intentions are there, but going on the experience of our forensic team, web developers tend to have some of, or most of, the following challenges:
Let’s assume – for the sake of simplicity – that the web developer built the website with a redirect payment / hosted payment page at the chosen payment service provider. The website owner has completed the Self-Assessment Questionnaire – SAQ A. Given that most website owners are not hugely tech-savvy, SAQ A can still be challenging even though it only deals with Requirement 9 (Restricting Physical Access to Cardholder Data) and Requirement 12 (Maintain an Information Security Policy) – however, they cope with the questions, complete the SAQ and their bank gives them the nod of approval – happy days – they are PCI Compliant.
It’s what happens next that is usually where the issues start.
In 2015, Magento released a patch to update their platform and close the Shoplift vulnerability (we wrote about it in June 2015). Many thousands of websites have fallen victim through this vulnerability and many more will (we still see roughly 10% of all websites that scan themselves using our free Magento scanner being vulnerable to Shoplift). Why?
It’s a fairly simple vulnerability that can allow attackers to gain complete control of a website. Web developers can protect against this type of attack in a number of ways – here are a couple of examples:
The issues here are that the web developers are usually too busy building new websites to monitor existing ones, don’t have appropriate monitoring in place, or have not installed a web application firewall because their client was on a budget and perhaps the monthly cost of a web application firewall seemed too much of an extravagance – “besides, who would be interested in attacking this new website?”
We often have business owners asking “why me? Why my business?” The fact is that it is very rarely a personal attack.
Have you ever checked your website logs? If you have, you will know that your website is being scanned multiple times per day.
The average time between attacks across our clients' websites is under 5 minutes - every 5 minutes they are getting attacked.
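What “being scanned multiple times per day” looks like in practice can be made concrete with a small log check. The following script is an added example and not part of the original post or of any Foregenix tooling: it parses web server access logs in the common Apache/nginx “combined” format, flags requests for paths that a genuine shop visitor never asks for but that mass scanners probe on every host they find, and reports how many distinct sources were scanning and the average gap between scans. The log lines, the IP addresses and the list of probe paths are constructed for the example and should be tuned to your own platform.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample access-log lines in Apache/nginx "combined" format.
# Addresses are from documentation ranges; none of this is real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2016:08:01:12 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2016:08:03:44 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 210 "-" "python-requests/2.9"
198.51.100.7 - - [10/Mar/2016:08:03:46 +0000] "GET /.env HTTP/1.1" 404 210 "-" "python-requests/2.9"
203.0.113.5 - - [10/Mar/2016:08:05:02 +0000] "GET /catalog/product/view/id/42 HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
192.0.2.99 - - [10/Mar/2016:08:07:30 +0000] "GET /wp-login.php HTTP/1.1" 404 210 "-" "Mozilla/5.0 zgrab/0.x"
192.0.2.99 - - [10/Mar/2016:08:07:31 +0000] "POST /xmlrpc.php HTTP/1.1" 404 210 "-" "Mozilla/5.0 zgrab/0.x"
"""

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Paths that do not exist on a Magento shop but that untargeted scanners request
# from every host they index (assumption: extend this for your own platform).
PROBE_PATHS = ("/phpmyadmin", "/wp-login.php", "/xmlrpc.php", "/.env")


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    entry["status"] = int(entry["status"])
    return entry


def is_probe(entry):
    """True when the requested path is one only a scanner would ask for."""
    path = entry["path"].lower()
    return any(path.startswith(p) for p in PROBE_PATHS)


def summarise_probes(log_text):
    """Count probe requests, group them by source and measure the gap between
    the first sighting of each scanning source (a rough 'time between attacks')."""
    probes = [e for e in map(parse_line, log_text.splitlines()) if e and is_probe(e)]
    probes.sort(key=lambda e: e["ts"])
    first_seen = {}
    for e in probes:
        first_seen.setdefault(e["ip"], e["ts"])
    starts = sorted(first_seen.values())
    gaps = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
    return {
        "probe_requests": len(probes),
        "sources": Counter(e["ip"] for e in probes),
        "paths": Counter(e["path"] for e in probes),
        "mean_seconds_between_scans": sum(gaps) / len(gaps) if gaps else None,
    }


if __name__ == "__main__":
    print(summarise_probes(SAMPLE_LOG))
```

Run it against a real day of logs and the “every 5 minutes” figure in the post stops being abstract; the point of the path allow-list approach is that it produces no noise for genuine shoppers, so anything it reports is worth a look.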
Indexing the top 1 million eCommerce websites is a simple process – the full list of websites is publicly available. Our forensic team conducted an experiment 18 months ago where they scanned the top 1 million eCommerce websites to detect a particular malware attack that had been successfully used in multiple cases to steal payment card data.
Clearly it is a relatively simple process to carry out these external scans – and you can be sure that any attacker worth their salt will have done the same – indexing which websites use which platforms. This is handy to know – especially when a zero day vulnerability is announced on a particular platform/technology. If you have indexed the top 1 million eCommerce websites, you automatically know who your potential targets are and can get to work immediately.
It’s not personal – it’s business as usual for the attackers.
So here you have the scenario where the small/medium eCommerce business has completed the PCI Self-Assessment Questionnaire A (SAQ A) and validated that they are compliant.
They have outsourced their payments to a PCI Compliant payment service provider and are using a redirect payment page.
And yet they’ve been hacked.
How? Quite easily, is the answer.
If you read our recent blogs on:
You’ll see that even with the industry-recommended outsourced payment models for eCommerce, if a website is not secure itself, then the payment process can easily be intercepted or manipulated and payment card data stolen.
Visa Europe identified this issue as far back as 2010 and issued an alert, which you can read here.
Simply put – in order to protect your customer data, you need to secure your website.
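One of the ways a redirect or hosted payment model gets subverted is that the compromised shop no longer sends the shopper to the payment service provider at all, but to a lookalike host. A basic external check for that is shown below as an added example; it is not code from the original post or from Foregenix. It parses the HTML of the checkout page, collects every form action, script, iframe and meta-refresh target, and flags any that points outside an allow-list of hosts. The hostnames, the allow-list and the two HTML samples are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hosts the checkout page is allowed to load from or send browsers to:
# the shop itself, its payment service provider and an analytics CDN
# (assumption: replace with your own shop, PSP and third-party hosts).
ALLOWED_HOSTS = {"shop.example", "pay.example-psp.com", "cdn.example-analytics.net"}

# Constructed checkout page that behaves as intended.
SAMPLE_CLEAN = """
<html><head>
<script src="/js/checkout.js"></script>
<script src="https://cdn.example-analytics.net/stats.js"></script>
</head><body>
<form method="post" action="https://pay.example-psp.com/hosted">...</form>
</body></html>
"""

# Constructed page where the form now posts to a lookalike host.
SAMPLE_TAMPERED = SAMPLE_CLEAN.replace(
    "https://pay.example-psp.com/hosted",
    "https://pay.example-psp.com.checkout-verify.example/hosted",
)


class CheckoutAuditor(HTMLParser):
    """Collects every outbound target the checkout page declares."""

    def __init__(self):
        super().__init__()
        self.targets = []  # list of (kind, url)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and a.get("action"):
            self.targets.append(("form", a["action"]))
        elif tag in ("script", "iframe") and a.get("src"):
            self.targets.append((tag, a["src"]))
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            content = a.get("content") or ""
            if "url=" in content.lower():
                self.targets.append(("meta-refresh", content.split("=", 1)[1].strip()))


def target_host(url, page_host):
    """Host a URL resolves to; relative URLs resolve to the page's own host.
    Non-http(s) schemes (e.g. data:, javascript:) are never allowed."""
    parts = urlsplit(url)
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return "<non-http-scheme>"
    return parts.netloc.lower() or page_host


def audit_checkout(html, page_host="shop.example"):
    """Return the (kind, url) pairs whose host is not on the allow-list."""
    auditor = CheckoutAuditor()
    auditor.feed(html)
    return [(kind, url) for kind, url in auditor.targets
            if target_host(url, page_host) not in ALLOWED_HOSTS]


if __name__ == "__main__":
    print("clean   :", audit_checkout(SAMPLE_CLEAN))
    print("tampered:", audit_checkout(SAMPLE_TAMPERED))
```

This only catches targets that appear in the page as URLs; an inline script that rewrites the form at submit time has no `src` to check, which is why the post pairs external scanning with checks on the website's own files.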
If you’re a website owner, you need to work closely with your web developers – they are in a great position to provide the vital security monitoring that your website needs to keep being successful.
Here are a couple of the key controls:
Some malware is detectable by doing an external scan (have a look at our free Magento scanner); however, most of the malware we have encountered is well hidden within a website – evading detection by even some of the most vigilant web admins.
We recommend daily checks using an advanced malware detection solution as a highly effective defence against malware attacks.
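The “well hidden within a website” malware the post refers to is usually an edited template or a new file in a directory nobody looks at, and the cheapest daily check that catches both is a file-integrity baseline of the webroot. The script below is an added example, not Foregenix's detection solution or code from the original post: it hashes every file under a webroot, skips the Magento directories that churn during normal operation, and reports files that were added, removed or modified since the baseline. The directory names in the ignore list and the constructed fake webroot in `demo()` are assumptions for the example.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Directories under a Magento webroot that change constantly during normal
# operation and would swamp the report (assumption: adjust for your own site).
IGNORE_DIRS = {"var/cache", "var/log", "var/session", "var/report"}


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large media files are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map each file's path (relative to root, POSIX style) to its SHA-256."""
    root = Path(root)
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root).as_posix()
        if any(rel_dir == d or rel_dir.startswith(d + "/") for d in IGNORE_DIRS):
            dirnames[:] = []  # prune: do not descend into ignored trees
            continue
        for name in filenames:
            p = Path(dirpath) / name
            baseline[p.relative_to(root).as_posix()] = sha256_file(p)
    return baseline


def compare(baseline, current):
    """Files added, removed and modified between two baselines."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current)
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario in a temporary directory: baseline a fake webroot,
    then simulate the kinds of change a compromise leaves behind (an edited
    checkout template and a PHP file appearing in the media directory) while
    the cache churns as it normally would."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        tpl = root / "app/design/frontend/checkout/onepage.phtml"
        tpl.parent.mkdir(parents=True)
        tpl.write_text("<form>original</form>\n")
        (root / "media/catalog").mkdir(parents=True)
        (root / "media/catalog/logo.png").write_bytes(b"\x89PNG constructed")
        (root / "var/cache").mkdir(parents=True)
        (root / "var/cache/x.tmp").write_text("cache")
        baseline = build_baseline(root)

        # Day 2: template edited, a new PHP file under media, cache rewritten.
        tpl.write_text("<form>modified</form>\n")
        (root / "media/catalog/image.php").write_text("<?php /* constructed placeholder */ ?>\n")
        (root / "var/cache/x.tmp").write_text("changed cache")
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

Store the baseline outside the webroot (anyone who can edit the site can edit a baseline kept beside it), refresh it only after a deliberate deployment, and treat any `.php` file appearing under `media/` or `var/` as an incident until proven otherwise.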
You can read more on our blog article: 11 Steps to Improve your Website Security
If you’re a web developer, please get in touch with us using the form below. Our FGX-Web technology will "bake the security into your websites" and give you the ability to have our expert team working for you, taking care of your clients’ website security.