Tag Archives: Magecart

Credit Card Theft Continues to Rise

The hackers seem to be winning.

One solution I have advocated for over the last many years to reduce credit card fraud is a technique called credit card tokenization.  When a merchant accepts a credit card, that card information is immediately tokenized and that token is all that the merchant keeps.  If they need to rerun the credit card, say for a monthly recurring charge, they present that token to their payment processor and they get paid.  If hackers steal the tokens, it does them no good because those tokens can be locked down to that merchant or even to that server.

So the hackers innovate, even though the vast majority of merchants don’t tokenize.

They slip a tiny bit of code (15 lines) into a library that MANY merchants use and it watches for a credit card passing through.  They grab the card info before it is encrypted and before it is tokenized.

Since online transactions do not take advantage of chip technologu (yet), this card information can be used in other online environments.

This week’s announcement is NewEgg.Com, a computer hardware and software seller.  The hackers ran wild from mid August to mid September.  The malware is called MageCart.

This is the same malware that attacked Ticketmaster and also British Airways.

Along with thousands of other sites.

So What do you do?

If you are a merchant, you have to deal with the lack of security on your web server that could allow a bad guy to install MageCart.  Since this is buried inside some other software that you use as part of the your development.   Eliminating this is part of what the DoD calls SCRM or Supply Chain Risk Management.  Not easy, but absolutely required.

If you buy things online, you can protect yourself by shopping locally.  🙂

Sure.  That is not gonna happen.

But there are a couple of things you can do.

Sign up for text alerts from your bank or credit card company so that you get notified EVERY time you card gets used.  In real time.  That way, at least, you can kill the card before even the first transaction clears.

Second, you can use one of the vendors that single use credit card numbers.  The biggest issuer that does this that I am aware of is Capital One.  Their service, called ENO (one spelled backwards), includes a browser plugin that automatically issues disposable card numbers that are uniquely tied to a single merchant.  If the number is stolen, it can’t be used at a different merchant and while that card number is tied to your actual card, the actual card number is never exposed so that if that one site is hacked, only that card number has to be replaced, not every one.  And, since they have a browser plugin, the process is pretty simple to use.

The last option I have is to use prepaid cards.  Most banks offer them.  Chase calls theirs Chase Liquid, for example.  Sometimes the bank charges a few bucks a month for the service, but often you can get them to waive that.  That card is tied to your online userid but the account does not draw from any other account.  If you, for example, leave $100 in that account, that is the max the bad guys will get and you will be reimbursed by the bank if the charge is unauthorized.  The challenge is that you have to manage having exactly the right amount of money in that account, so the Capital One strategy is a lot easier.

Information for this post came from The Hacker News.

Facebooktwitterredditlinkedinmailby feather

Third Party (Vendor) Cyber Risk Management Rears its Ugly Head AGAIN!

This seems to be a recurring topic, but it doesn’t seem to be getting any better, so I will leap back into the fray.

Last month Ticketmaster announced they had a breach and they led people to believe that it was isolated and that it had something to do with their software.

According to RiskIQ, the breach at Ticketmaster is due to a third party vendor named Inbenda, but that is just one vendor affected – the one that Ticketmaster uses.

Tools that may be affected or infected include Magento, Powerfront and Opencart.  Payment services including Braintree and Verisign may be being targeted.

The attack has been refined over time since 2016.

RiskIQ has identified 800 infected websites including some from very big companies.

Magecart, which is what they are calling the attack itself, continues to expand and some of the infected tools could capture 10,000 victims at a time.

So what do YOU do?

First of all, you need to identify all of the third party software that you use and that your contract developers use.  This includes software that is integrated into the various software products and tools that are installed on the servers where the products run.  It doesn’t matter if the software is commercial or open source.

Then you need to create a vendor cyber risk management program.  That will measure the overall cyber security awareness and preparedness of each vendor.

YOU need to make sure that these vendors are on top of bugs in their systems and then you need to make sure that your IT and development teams have created a way to be alerted BOTH when bugs are found and then when patches are released.

Finally, you need to make sure that ALL patches are installed on all machines.  Depending on the piece of software affected, it may require a completely new build from the vendor and then a reinstall of the product.  Make sure that you understand what is required because it may not be obvious.

Then, of course, you need to test the patch to make sure that it really fixed the bug.  They don’t always!

If this seems like a pain in the &^%$#, it is.  Sorry.

And, you need to do this for each software product from each vendor.  On each computer on which it is installed.

That is why many companies don’t have a vendor cyber risk management program and why many companies get caught in breaches like this.  Sometimes they don’t even know that they are vulnerable or that they have been compromised.

Information for this post came from RiskIQ.

Facebooktwitterredditlinkedinmailby feather