Traditional brick-and-mortar retailers have been moving online for years, but the COVID-19 pandemic super-charged the move. Today, most retailers are a hybrid of physical stores and feature-rich online destinations designed to capture as much of the nearly $900 billion e-commerce market as possible. Online has become the fastest growing of the retail channels, but it also carries the slimmest margin, given the cost of offers such as free shipping and free returns.

The rapid growth in online sales is why cyberattacks targeting these websites have returned with a vengeance. The slim margins are a major reason that closing gaps in web security must be a top priority: you can't afford to lose millions of dollars to incident response costs, brand damage, fines for data privacy non-compliance and judgments from class actions. Even if you're not in Security, and perhaps especially if you are not, this is something you need to be aware of, and you need to partner with Security to address it.

Cybercriminals target the retail sector more than any other sector of the economy. This year alone there have already been hundreds of attacks using techniques such as formjacking, digital skimming and credential harvesting. These attacks target the third-party scripts and web applications that retailers embed to collect customer data and process credit card transactions, and they strike at the point of data input: the browser form where the customer types in a card number. This is why PCI DSS 4.0 specifically calls out client-side security as a focus, in requirements 6.4.3 (management of scripts on payment pages) and 11.6.1 (detection of tampering with payment pages as received by the consumer browser).

As one case in point, in January researchers discovered a web skimmer on the website of Segway. The attack may have exposed 600,000 visitors to malicious code embedded within Segway's web pages. When customers entered payment details into the Segway website, that information was also sent to the attackers, potentially leading to credit card fraud, identity theft, and damage to Segway's revenue and reputation.

Because these attacks target the third-party digital supply chain, they are low and slow, meaning that they go unnoticed for long periods of time: the retailer's own code is untouched, and the skimmer only runs in the customer's browser. As a retail ecommerce professional, you need to understand the risks your partners introduce. As a Security or Compliance professional, you need to work with your business counterparts to address this risk.

The notorious Magecart groups (an umbrella term for a number of criminal crews using the same technique) have been responsible for some of the most sophisticated ecommerce attacks since 2015 by compromising the client-side digital supply chain of the fastest-growing, slimmest-margin channel in online retailing.

Digital & Security Wake-Up Call

The client side (the browser) is the primary environment used by retailers to display and capture critical customer and payment data. It is the front door for interaction with customers and their data. Your own website code, and that of potentially dozens of your partners, is served inside the browser. Your partners' code (third-party JavaScript) executes in the browser with unmanaged and unlimited access to the entire web page. This is by design: a script loaded with a script tag runs with the same privileges as your first-party code no matter which server it was fetched from, so it can read keystrokes, inject content, manipulate form fields, exfiltrate data and deface or alter page content. Simply put, by integrating third-party JavaScript, website owners are potentially handing out skeleton keys to the front door of their business.

You can't deliver a great web experience without these partners, but you can't keep letting this code run unprotected. Source Defense research shows that websites that process payment card data have up to 16 third-party software integrations, and those partners can bring in about 6 additional parties. With the average number of third-party scripts in the double digits and about half of those partners adding fourth-party scripts to the page, retailers must pay more attention to strengthening client-side security.

Given that many third-party vendors have comparatively weaker security controls than the corporate websites that run their code, they make attractive and susceptible targets. Third-party JavaScript has unlimited access to the web page Document Object Model (DOM). This means that every third-party JavaScript vendor, and the hackers that seek to exploit them, has the same level of access to all web page elements as your development and digital marketing teams.

Once one of your digital supply chain partners is compromised, their code can be modified or replaced, which is a major vulnerability for website owners. Magnifying the potential damage, once a hacker compromises a single third-party vendor, they have access to every website that runs that vendor's tool.

For the Security Team – Beware of Limited Approaches

Third-party JavaScript is served from external remote servers and executes on the client. Current security approaches such as pen testing, periodic code review and dynamic application security testing examine only a snapshot of that code; the script a customer's browser fetches an hour later can be different, so these approaches cannot prevent these attacks. Since client-side connections with external servers are largely unmanaged and unmonitored, your company has little visibility into what these third parties are doing and no way to prevent hackers from maliciously exploiting this access.

Security teams often consider Content Security Policy (CSP) or allowlisting. While this can contribute to website security (a tight connect-src and form-action, for example, can block exfiltration to an unexpected destination), a script-src allowlist only checks where a script comes from, not what it contains, so it will not mitigate a breach coming through an allowlisted domain (or vendor). CSP also requires substantial configuration and ongoing maintenance.

You could also consider the Subresource Integrity (SRI) approach, which adds a cryptographic hash of the file to the script tag, allowing browsers to verify that the files they fetch are delivered without unexpected manipulation (for cross-origin scripts the tag also needs a crossorigin attribute so the browser can read the response). However, many services serve dynamic JavaScript that changes per user, and the majority of third-party JavaScript vendors continuously improve their services, which results in frequent changes to their JavaScript. SRI is notoriously difficult to apply to such code: every change, legitimate or not, causes the browser to refuse to execute the script, so keeping up with this volume of changes means either constant breakage or a hash that is updated blindly.

The Simple, Effective Approach

The best approach to defeating client-side attacks and eliminating client-side risk is a proactive one: deploy technology that can stop the attacks before they inflict damage on your business or your visitors. By managing the code running on your web pages and within your visitors' web browsers, a client-side security platform gives you real-time control over what client-side code can and cannot do, stopping even novel and inventive attacks before they can exfiltrate data.

The Source Defense client-side security platform was designed from the ground up to provide not only ironclad security but also burden-free deployment and ongoing use. Source Defense deploys with just two lines of code or is easily added via a suite of off-the-shelf integrations. Maintenance and monitoring require only a few hours per month, ensuring that solving a new problem doesn't stress already over-taxed security teams. Request a Demo to learn more about how Source Defense can help you mitigate a material risk to your organization, keep your partners from overreaching and defend your enterprise from client-side attacks.

PCI DSS 4.0 makes client-side security a priority.

Source Defense delivers a solution for requirements 6.4.3 (management of scripts on payment pages) and 11.6.1 (tamper detection for payment pages) without adding a burden to your security teams.
