Traditional brick-and-mortar retailers have been moving online for years, but the COVID-19 pandemic supercharged the move. Today, most retailers are a hybrid of physical stores and feature-rich online destinations designed to capture as much of the nearly $900 billion e-commerce market as possible. Online has become the fastest-growing channel, but it also carries the slimmest margin, given offers such as free shipping and free returns.
The exponential growth in online sales is why cyberattacks targeting these websites have returned with a vengeance. The slim margins retailers operate on are a major reason that rounding out web security must be a top priority: you can’t afford to lose millions of dollars to security response costs, brand damage, fines for data privacy non-compliance and judgments from class actions. Even if you’re not in Security, and perhaps especially if you’re not, this is something you need to be aware of and partner with Security to address.
Cybercriminals target the retail sector more than any other sector of the economy. This year, there have already been hundreds of attacks using techniques like formjacking, digital skimming, credential harvesting, etc. These attacks work by targeting the 3rd party web applications that help retailers collect customer data and process credit card transactions. The attacks are happening at the point of data input. This is why PCI DSS 4.0 specifically calls out client-side security as a focus.
As one case in point, in January, researchers discovered a web skimmer on the website of Segway. The attack may have exposed 600,000 visitors to malicious code embedded within Segway’s web pages. When customers entered payment details into the Segway website, that information was exposed to hackers as well, potentially leading to credit card fraud, identity theft, and damage to Segway’s revenue and reputation.
Because these attacks target the 3rd party digital supply chain, they’re slow and low – meaning that they go unnoticed for long periods of time. As a retail ecommerce professional, you need to understand the risks your partners introduce. As a Security or Compliance professional, you need to work with your business counterparts to address this risk.
The notorious Magecart hacker group has been responsible for some of the most sophisticated ecommerce attacks since 2015 by taking advantage of vulnerabilities in the fastest-growing, slimmest margin channel in online retailing: The client-side digital supply chain.
Digital & Security Wake-Up Call
You can’t drive a great web experience without these partners – but you can’t keep letting this code go unprotected. Source Defense research shows that websites that process payment card data have up to 16 3rd party software integrations, and those partners can bring in about 6 additional parties. With the average for 3rd party scripts in the double-digits and about half of those partners adding 4th party scripts to the page, retailers must pay more attention to strengthening client-side security.
Once one of your digital supply chain partners is compromised, their code can be modified or replaced, representing a major vulnerability for website owners. Magnifying the potential damage, once a hacker compromises a single 3rd party vendor, they have access to every website that runs the tool.
For the Security Team – Beware of Limited Approaches
Security teams often consider Content Security Policies (CSP) or whitelisting. While this approach can improve website security, it will not mitigate a breach coming through a whitelisted domain (or vendor): a script served from a trusted origin is accepted whether or not that vendor has been compromised. CSP also requires substantial configuration and ongoing maintenance.
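To make the allowlisting point concrete, here is a small CSP source-list evaluator written as an added example (it is not code from the original post or from Source Defense). It parses a policy, decides whether a given URL passes a directive, and lists the hosts a directive trusts; all domain names (shop.example, tags.vendor.example, analytics.example) are constructed placeholders, and the matching rules are a simplified form of CSP Level 3 source-expression matching.

```javascript
// Added example, not from the original post: a small CSP source-list
// evaluator for auditing an allowlist policy. Domains are constructed
// placeholders. Matching is simplified CSP Level 3: 'self', 'none',
// scheme-only, host with optional *. wildcard, explicit port, path prefix.

function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) policy[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return policy;
}

// [scheme://][*.]host[:port|:*][/path]; quoted keywords, nonces and hashes never match
const HOST_SRC = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:*']+)(?::(\d+|\*))?(\/.*)?$/;

function sourceMatches(expr, url, pageOrigin) {
  const u = new URL(url);
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  if (e === "'self'") return u.origin === pageOrigin;
  if (e === '*') return true;                                  // any network origin
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return u.protocol === e; // e.g. "https:"
  const m = HOST_SRC.exec(e);
  if (!m) return false;
  const [, scheme, wild, host, port, path] = m;
  if (scheme && u.protocol !== scheme + ':') return false;
  if (wild ? !u.hostname.endsWith('.' + host) : u.hostname !== host) return false;
  if (port && port !== '*' && u.port !== port) return false;
  if (path && !u.pathname.startsWith(path)) return false;
  return true;
}

// Does the policy let `directive` load `url`? Falls back to default-src, then to "allow all".
function isAllowed(policy, directive, url, pageOrigin) {
  const list = policy[directive] || policy['default-src'] || ['*'];
  return list.some((expr) => sourceMatches(expr, url, pageOrigin));
}

// Audit view: the third-party hosts a directive trusts. A script served from one of
// these runs with full page privileges, so a tampered copy passes exactly like a clean one.
function trustedHosts(policy, directive) {
  const list = policy[directive] || policy['default-src'] || [];
  return list.filter((e) => HOST_SRC.test(e.toLowerCase()));
}

const PAGE = 'https://shop.example';
const POLICY = parseCsp("default-src 'self'; script-src 'self' https://tags.vendor.example; " +
                        "connect-src 'self' https://*.analytics.example");
```

Running `isAllowed(POLICY, 'script-src', 'https://tags.vendor.example/tag.js', PAGE)` returns true, and the policy has no way to tell a skimmer-laden copy of that tag from the genuine one; `trustedHosts` gives the review list that has to be re-checked every time a vendor or its 4th parties change.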
The Simple, Effective Approach
The best way to defeat client-side attacks and eliminate client-side risk is to be proactive: deploy technologies that stop the attacks before they inflict damage on your business or your visitors. By managing the code running on your web pages and within your visitors’ web browsers, a client-side security platform enables real-time control over what client-side code can and cannot do, stopping even novel and inventive attacks before they can exfiltrate data.
The Source Defense client-side security platform was designed from the ground up to provide not only ironclad security but also burden-free deployment and ongoing use. Source Defense deploys with just two lines of code or is easily added via a suite of off-the-shelf integrations. Maintenance and monitoring require only a few hours per month, ensuring that solving a new problem doesn’t stress already over-taxed security teams. Request a Demo to learn more about how Source Defense can help you mitigate a material risk to your organization, keep your partners from overreaching and defend your enterprise from client-side attacks.
PCI DSS 4.0 makes client-side security a priority.
Source Defense delivers a solution for 6.4.3 and 11.6.1 without adding a burden to your security teams.