By Source Defense
If you’re in the Retail sector, you’ve experienced an ecommerce surge over the past two years that was once predicted to take a decade. That means great opportunity but also great risk. If you’re a Digital or Marketing professional not in Retail, you understand that when it comes to doing business or promoting your business online, every company is a digital media and content publisher. Regardless of industry, you and your web team are constantly looking for new tools and partners to enhance user experience, collect visitor analytics, engage prospects and customers through chatbots or advertising, automate information request forms, and process credit cards, among many other functions.
While all of this innovation is helping to drive brand awareness and revenue, there’s a dark side that, as a digital media professional, you must consider before you deploy that next 3rd party web application. Every day, your partner ecosystem puts you at risk of both data leakage – which occurs when your partners overreach, and the risk of data theft – which is perpetrated by cybercriminals. Both scenarios open you up for data privacy noncompliance fines and the potential for millions in losses. It only takes one 3rd party partner collecting data it shouldn’t, or one compromised rogue script to enable cybercriminals to steal the personal and financial data of your web visitors, putting your department in the crosshairs of a crisis that could have massive legal and financial implications.
This is why your Security and Governance, Risk and Compliance (GRC) teams are always so paranoid about what you’re doing – and why many organizations find it hard to implement new functionality on their websites without lengthy review with those teams. But knowing what the risk is, and understanding that there are solutions to mitigate this risk which are easy to implement, cost effective, and don’t add burden to the Security or GRC teams is the way that YOU get back in the driver’s seat of what happens on your website.
The Threats You Must Protect Against
While every modern user-centered, feature-rich website is different, client-side processes are almost always written in JavaScript. According to our team’s latest intelligence, there are more than 1.7 billion public-facing websites worldwide, and JavaScript is used on 95% of them.
Your partners employ JavaScript to enable the functionality you’re after – but you have virtually no visibility into what this code is doing. In a best case scenario, your partners may be capturing data in violation of strict data privacy compliance policies such as GDPR. In the worst case scenario, their code may be compromised by criminals to steal millions of credit cards, identities, etc. That’s why the latest PCI Security Council standard calls for doing something about the use of JavaScript across commerce oriented pages.
When understanding the risk of attack, it is important that you – as the business owner – know what you’re up against. Every client-side web attack is different, but they all focus on data theft at the point of input – your forms. By attacking the point of input, cybercriminals can steal the customer’s private information, including credit card information, in real-time.
A data breach is a quick way to convince customers to go elsewhere, where their personal information or other sensitive data will be secure. Surveys reveal that 64% of consumers confess to being unlikely to do business again with a company from which their personal data was stolen. So what are some of the ways cybercriminals are doing it?
Formjacking
These attacks can affect millions of people at once, or they can be highly targeted and affect a very specific group of people. Formjacking occurs when online criminals hack into a website to control its entry point where sensitive information is provided. This type of hack is most commonly associated with cybercriminals who seek to steal personal information such as phone numbers and home addresses, which could lead to identity theft.
Payment Card Skimming (e-skimming, digital skimming)
While retailers and banks have experienced physical skimming, where the attackers install stealthy credit card skimmer devices on ATM machines or point-of-sale terminals to steal credit card or debit card numbers and PINs, today’s cybercriminals do the same thing on e-commerce websites and skim payment data from input fields on existing payment forms or hijack unsuspecting users to fake checkout pages.
Magecart
Magecart is a type of digital skimming attack that steals information from customers’ payment cards. They target shopping carts from systems like Magento, where a third-party piece of code, compromised by a systems integrator, can be infected without IT departments knowing about it. This is also known as a supply chain attack.
Form Field Manipulation
Hackers can manipulate form fields to alter the data sent to a web server. They learn about your form field data by studying the source code on your web page. Anyone can do this by right-clicking on a page and choosing “view source code.” The HTML code includes your form field data, which skilled hackers can manipulate using injection attacks and other techniques.
Defend Your Digital Enterprise
Digital and marketing teams take note: It is time to deploy a control system to identify and control all 3rd party JavaScript on your web pages. And you can do so without adding complexity to your environment or requiring major capital expenditures.
Source Defense uses real-time JavaScript sandboxing technology to create virtual pages that isolate the 3rd party scripts from the website. The virtual pages are an exact replica of the original ones, excluding what the 3rd parties are not supposed to see. We monitor all 3rd party script activities on the virtual pages. If the activity is within the premise of what they are allowed to do, we will transfer it from the virtual page to the original one. If not, we will keep their activity on the virtual pages isolated from the user and send a report to the website owner, alerting them of the 3rd party scripts violating their security policy.
This is as close to ‘set it and forget it’ security and data privacy that you will see on the market. And it is a solution that gets Security and GRC out of the way of your decision making. Best of all, you can secure your customers’ data for a price similar to the third-party tools causing your security nightmares.
Request a Demo to learn more about how Source Defense can help you mitigate a material risk to your organization, keep your partners from overreaching and defend your enterprise from Client-Side Attacks.
Source Defense is a mission-critical element of web security. It is a data privacy compliance and security solution that protects sensitive user data collected on websites from data leakage or theft by extending security to the client-side. Source Defense is the market leader in Client-side Security for websites, providing real-time threat detection, protection, and prevention of vulnerabilities originating in JavaScript. Source Defense’s patented Website Client-side Security Platform offers the most comprehensive & complete solution addressing threats and risks from the increased usage of JavaScript, libraries, and open source in websites today.
PCI DSS 4.0 makes client-side security a priority.
Source Defense delivers a solution for 6.4.3 and 11.6.1 without adding a burden to your security teams.
