The previously disclosed Ticketmaster payment card theft attack was not a one-off event, but instead part of the largest payment card theft in history, impacting over 800 e-commerce sites around the world. If we consider the true impact of this event it is absolutely astonishing. The Target supply-chain-enabled attack from a few years ago was frightening, and that was only one merchant under attack, on in-store point-of-sale systems, for a mere 9 days. The Magecart website supply chain attack leveraged digital website payment card skimming that victimized over 800 global merchants for over 3 years – multiple orders of magnitude larger and significantly more chilling in scope.
What Are the Potential Damages?
Once that vendor is compromised, their code can be modified or replaced, representing a major vulnerability for website owners. Magnifying the potential damage, once a hacker compromises a single 3rd party vendor, they have access to every single website that runs the tool.
unavoidably vulnerable to this attack vector.
Here’s What You Can Do
Prevention is the best option
Prevention approaches for addressing client-side connections not only secure the organization but are required for adequate data control defined by regulatory compliance (e.g. GDPR and California’s newly passed Digital Privacy Law). Without the ability to control private customer data and prevent unauthorized access by 3rd party website vendors or hackers, an organization is in a state of non-compliance.
Source Defense VICE provides dynamic prevention for attacks of 3rd party origin. Source Defense’s patent-pending solution allows security teams to set and enforce security policies to ensure total control of all 3rd party vendors operating on web pages.
By removing the security considerations from 3rd party integrations, Source Defense saves countless man-hours spent on tests and integrations. This allows website owners to focus on enhancing user experience and driving web commerce revenues while ensuring the security and privacy of private and payment data.
Monitoring provides a detection-based approach that provides a less secure, reactive methodology. The major inadequacy of detection approaches is that they are incapable of preventing attacks. These include technologies like DAST and RASP. Even with a multitude of global sensors, detection schemes often miss highly targeted and hyper-segmented attacks altogether. Additionally, a detection event signals leakage of customer data and constitutes a compliance violation that requires disclosure. The resulting fines, PR crises, remediation, and operational fire drills are often significant. Fundamentally, these approaches are not scalable, and the persistence of the underlying vulnerability renders these approaches ineffective.
Vendor due diligence assessments
Many organizations, and especially those under strict compliance mandates, perform routine, comprehensive vendor security assessments. Although well-intended and highly recommended, such exercises provide point-in-time assessments. They do not provide prevention or even continuous detection. Although these assessments should be part of a comprehensive security program they are in no way adequate as a stand-alone approach to mitigating or preventing website supply chain 3rd party risk.
Restricting the usage of 3rd party tools
Exercising a debilitating level of caution by limiting or restricting the usage of beneficial 3rd party tools on websites is generally counterproductive to the overall goals of the business. Limiting the number of tools able to be deployed on an organization's website limits the ability to provide an engaging user experience and extract meaningful analytics. This methodology makes delivering a compelling, differentiated, and dynamic web presence difficult.
The Time to Act is Now
It’s likely that the thousands of sites compromised in this attack are just the tip of the iceberg given the amount of time that this attack was running undetected. Similar attacks on major global airlines, online electronics merchants, online mass merchants and credit rating agencies have recently been reported as exploited by this same attack vector. 3rd party vendors have shifted the blame to site owners, expecting them to incorporate the necessary security measures themselves. It is therefore critical that site owners proactively employ preventative technology to prevent website supply chain attacks and continue to benefit from the differentiating utility that 3rd party tools provide.
Checking your exposure
If the industry-wide susceptibility to this attack vector does not have you concerned about your own current vulnerability: Request a customized expert walk-through of data exfiltration on your site