App Security Disasters in eCommerce
September 18th, 2018 | By Jscrambler | 5 min read
This led us to this initiative — to look back at the most significant attacks, the impact they had, and how we can learn from them. Because there are so many interesting case studies, we will break this down into a series on App Security Disasters.
Today, we begin by looking at attacks on the eCommerce space.
This incident became public in late June 2018. Ticketmaster issued an alarming statement: a third party had breached the platform and accessed the data of around 40,000 UK customers, the BBC reported.
Shortly after the news broke, the security firm RiskIQ identified the perpetrators as the hacker group Magecart. A deeper analysis showed that the leak affected not just 40,000 Ticketmaster customers, but potentially millions.
Magecart had been orchestrating a gigantic credit card fraud operation, affecting more than 800 e-commerce websites — potentially the largest credit card skimming operation ever. Some recent attacks, such as the one on British Airways, are being linked to the Ticketmaster attack.
Because Ticketmaster had no web page monitoring system, the company took a long time — reportedly, two months — to identify and address the attack.
At the time of writing, this incident is still fresh. As the dust starts to settle, some consequences are already clear:
Payment data of potentially millions of users was stolen, including Personally Identifiable Information (PII);
Numerous Ticketmaster customers reported fraudulent transactions;
Ticketmaster may face heavy fines, given the EU's strict GDPR rules;
Both Ticketmaster and Inbenta received severely negative PR.
Identity theft is no simple matter, and neither is a huge PR nightmare. Blame games aside, both companies still face a long road of damage control.
Hong Kong-based Klook, a leading travel services booking platform, released a public statement regarding a customer data leak on its website.
Even though Klook acted quickly after uncovering the issue, attackers had retrieved the personal data and credit card information of around 8% of Klook's users, from December 2017 to June 2018 — a total of six months.
Given the known details and outcomes of similar past breaches, we can expect to see:
A rise in phishing attempts targeting affected Klook customers;
Reports of credit card fraud;
Potential legal actions taken against Klook and the company responsible for the third-party tool.
"We cannot apologize enough for letting something like this happen".
OnePlus is a rising smartphone brand which surpassed US$1 billion in revenue just 3 years after its inception. Most of the company's sales come from its own eCommerce website, which debuted in 2014.
Early in 2018, OnePlus customers started reporting credit card fraud after purchasing via the eCommerce platform, and the news quickly went public.
OnePlus suspended credit card payments, warned its customers, and offered free credit monitoring. However, significant damage was done:
Approximately 40,000 affected customers, many of whom were victims of fraudulent transactions;
Severe criticism for not following PCI guidelines — a set of security standards for credit card payment handling;
A considerable dent in the company's reputation, directly impacting its customers' trust.
Attacks on eCommerce websites are extremely frequent. In the U.S., 6% of all websites use Magento, and a huge chunk relies on other platforms with known vulnerabilities, including WooCommerce and Squarespace.
Server-side security systems cannot protect against these attacks, because the skimming code runs in the customer's browser, not on the merchant's servers. Companies are only now starting to realize the danger of client-side threats — and mostly because of the recurrently reported attacks.
The Ticketmaster and Klook cases show that protecting your own code is often not enough. Neither company was monitoring the web pages on which the third-party modules ran, so they had no visibility of these threats.
With so much breaking news this week about Magecart infecting potentially thousands of eCommerce websites, we're providing a Webpage Threat Analysis at no cost. Don't wait any longer to find out whether your website is infected.
Security is not a blame-game. Growing businesses are receiving fiercer attacks each passing day and decision makers must evolve security using state-of-the-art solutions.
Hackers' capabilities for compromising websites have evolved. Our knowledge and readiness must be several steps ahead. Is your business prepared?