App Security Disasters in eCommerce
September 18th, 2018 | By Jscrambler | 5 min read
This led us to this initiative — to look back at the most significant attacks, the impact they had, and how we can learn from them. Because there are so many interesting case studies, we will break this down into a series on App Security Disasters.
Today, we begin by looking at attacks on the eCommerce space.
Ticketmaster’s Payment Data Breach
This incident became public in late June 2018. Ticketmaster issued an alarming statement: a third party breached the platform and was able to access the data of around 40,000 UK customers.
Shortly after the breaking news, security analyst RiskIQ identified the perpetrators as the hacker group Magecart. A deeper analysis showed that the leak didn't affect only 40,000 Ticketmaster customers, but potentially millions.
Magecart had been orchestrating a gigantic credit card fraud operation, which affected more than 800 e-commerce websites — potentially the largest credit card skimming operation ever. Some recent attacks, such as the one on British Airways, are being linked to Ticketmaster's.
Because the third-party module's code was unprotected, attackers were able to retrieve credit card information. Inbenta released a statement claiming that its module should not have been running on payment pages in the first place, as doing so poses a major security threat.
Because Ticketmaster had no web page monitoring system, the company took a long time — reportedly, two months — to identify and address the attack.
At the time of writing, this incident is still fresh. As the dust starts to settle, some consequences are already clear:
Payment data of potentially millions of users was stolen, including Personally Identifiable Information (PII);
Numerous Ticketmaster customers reported fraudulent transactions;
Ticketmaster may face heavy fines, given the EU's strict GDPR rules;
Both Ticketmaster and Inbenta received severely negative PR.
Identity theft is no simple matter, and neither is a huge PR nightmare. Blame games aside, both companies still face a long road of damage control.
Klook's Data Breach
Hong Kong-based Klook, a leading travel services booking platform, released a public statement regarding a customer data leak on its website.
Even though Klook acted quickly after uncovering the issue, attackers retrieved the personal data and credit card information of around 8% of Klook's users, from December 2017 to June 2018 — a total of six months.
Given the known details and outcomes of similar past breaches, we can expect to see:
A rise in phishing attempts targeting affected Klook customers;
Reports of credit card fraud;
Potential legal action against Klook and the company responsible for the third-party tool.
OnePlus Customers' Credit Card Leak
"We cannot apologize enough for letting something like this happen".
OnePlus is a rising smartphone brand that surpassed US$1 billion in revenue just 3 years after its inception. Most company sales come from their own eCommerce website, which debuted in 2014.
Early in 2018, OnePlus customers started reporting credit card fraud after purchasing via the eCommerce platform and news quickly went public.
The company's website was using Magento — an open-source platform commonly used in eCommerce sites.
OnePlus suspended credit card payments, warned its customers, and offered free credit monitoring. However, significant damage was done:
Approximately 40,000 affected customers, many of whom were victims of fraudulent transactions;
Severe criticism for not following PCI guidelines — a set of security standards for credit card payment handling;
A considerable dent in the company's reputation, directly impacting its customers' trust.
Final Thoughts and Lessons Learned
Attacks on eCommerce websites are extremely frequent. In the U.S., 6% of all websites use Magento, and a huge chunk relies on other platforms with known vulnerabilities, including WooCommerce and Squarespace.
Server-side security systems are not capable of protecting against these attacks. Companies are only now starting to realize the danger of client-side threats — and mostly because of the recurrently reported attacks.
The Ticketmaster and Klook cases show that protecting one's own code is often not enough. Neither company was monitoring the web pages on which the third-party modules ran, so they had zero visibility into these threats.
With so much breaking news this week about Magecart infecting potentially thousands of eCommerce websites, we're providing a Webpage Threat Analysis at no cost. Don't wait any longer to see if your website is being infected.
Security is not a blame game. Growing businesses are receiving fiercer attacks each passing day and decision makers must evolve security using state-of-the-art solutions.
Hackers' capabilities for compromising websites have evolved. Our knowledge and readiness must be several steps ahead. Is your business prepared?