The holiday shopping season is practically upon us, which means savvy consumers are getting ready for the best sales of the year. Unfortunately, they’re not the only ones preparing to take advantage of the season.
Cybercriminals are likely surveying the ecommerce landscape, identifying unprotected digital properties to target as shopping gets underway. Now is the time for merchants to shore up ecommerce security – both mobile apps and websites – to protect consumers and themselves.
Over the past year, numerous retail brands including PoshMark, Kay Jewelers, Planet Hollywood, Jared, Macy’s, and Adidas experienced a serious data breach. In fact, the retail sector climbed quickly to the second most-often cited industry disclosing data breaches during the first half of 2019, second only behind healthcare.
The consequences of a data breach are real. In early 2018, Under Armour’s 150 million user accounts tied to its MyFitnessPal nutrition-tracking app were breached. The company’s shares fell as much as 4.6% to $15.59 in late trading following the announcement.
The changing regulatory environment further increases the financial risk associated with a data breach. Fines resulting from the failure to protect consumer information under the European General Data Protection Regulation (GDPR) and the new California Consumer Privacy Act (CCPA) could easily reach into the millions or billions of dollars depending on the number of people impacted or the amount of revenue generated by an organization.
Protection Needed for Today’s Threats
A recent study commissioned by Arxan and conducted by the Aite Group sheds some light on the security issues that plague retailers. In just 2.5 hours of initial research, Aite Group discovered over 80 compromised ecommerce sites globally that were actively sending credit card numbers to off-site servers under the control of bad actors. Twenty-five percent of the sites were large, reputable brands.
The compromised ecommerce sites identified in the study were all actively being compromised by Magecart groups. If the name sounds familiar, it’s because Magecart groups made headlines in 2018 as the threat actors responsible for high-profile mega breaches of global brands, including Ticketmaster and British Airways.
As stated by RiskIQ, “magecart” is an umbrella term given to multiple threat groups that use credit card skimming technology to infect ecommerce platforms and websites with the goal of stealing personal and financial information. These events often go undetected for months or even years. A new type of attack known as formjacking compromises the shopping cart or web page collecting credit card information with a virtual skimmer. Credit card information is then sold on the black market or used in shipping scams to traffic goods purchased with stolen cards.
Traditional solutions designed to protect against data loss and application compromise are insufficient against modern web, mobile and API attacks. For example, web application firewalls and data loss prevention systems look for data coming in and out of network servers. They don’t protect the front end of the infrastructure—the application endpoint and source code—where Magecart groups implant credit card skimmers.
In order to detect and respond to these attacks, retailers must have real-time visibility into their web and mobile application’s security posture. This starts with security injected into the application’s code to keep it protected once deployed into the real world. None of the 80 sites found to be compromised by Magecart groups had this in-app protection implemented.
To combat the growing cybersecurity threat, retailers and ecommerce organizations should take the following steps:
- Update or patch ecommerce platforms to the latest version. Numerous vulnerabilities were used by Magecart groups to breach the 80 sites discovered in the research.
- Audit web code to ensure websites, including any third-party apps, have not been compromised.
- Implement a security solution that can provide alerts when suspicious activity targets web application code. This allows the security organization to shut down the activity and repair compromised code.
A security breach erodes consumer and shareholder trust and impacts the bottom line. Without even realizing it, many ecommerce and retail organizations are leaving themselves exposed to modern web, mobile and API attacks. In order to protect your business and customers against a serious data breach, make sure to shore up your digital properties heading into this holiday shopping season.
Chad McDonald is VP of Customer Experience at Arxan