Magecart

I’m going to put my one takeaway tip upfront in this article, because it’s that important: Don’t use a debit card when you’re shopping online. While debit cards provide more protections than they used to, they are still a direct conduit to your actual money, not credit, and as such it’s just a bridge too far in the current environment of scam whack-a-mole we all have to deal with this holiday season.

Now for the news.

You may have heard that the Macy’s website was breached recently. It was an e-skimming attack, and a successful one. Hackers were able to intercept customer credit card information and other sensitive personal data by injecting a bit of rogue code into the Macy’s online shopping cart.

While it’s never good news for a major retailer, especially in the middle of the post-Halloween portion of the ramp-up for the holiday season, Macy’s is by no means alone. Tens of thousands of e-commerce sites have been compromised in similar attacks linked back to a hacking group (or groups) called Magecart.

Even though the threat posed by Magecart has now triggered an FBI warning to small and medium-sized businesses, the number of targeted entities and affected customers is expected to continue to spike this holiday season.

Here’s what businesses need to know.

What is E-skimming?

When we look at a webpage we’re essentially seeing the “skin” of a complex organism. There is a patchwork of files hosted on multiple servers that deliver code written by hundreds, if not thousands, of authors making that webpage look and function the way it does. Every piece of functionality on a site made to be more appealing to customers, or to glean more meaningful data about their behavior, requires the addition of modules, plug-ins, and scripts.

Taken at face value, the ever-expanding universe of plug-in functionality is great for businesses, since only big players have the time or money to acquire custom software. From a security point of view, this very same universe is the stuff of migraine headaches. Each extra line of code included on a site expands its attackable surface, and as we’ve seen most recently with Macy’s, a single compromised file can be used to compromise an entire site.

Enter Magecart.

Magecart’s methods vary (there have been over 40 documented techniques deployed), but the broad strokes are consistent. Once a weak point has been found on an e-commerce site (common methods include phishing, or targeting outdated versions of software with known vulnerabilities), code is inserted to “eavesdrop” on any information entered by a customer and transmit that information to an offsite server.

The compromised business and the customer are none the wiser, as the attack doesn’t actually interfere with the processing of a payment card, and the first sign of trouble is usually a notification from a credit card company or bank that they suspect a fraudulent transaction.

The holiday season makes it even harder to pinpoint the source of the breach, as shoppers are likely to order from many different websites. E-skimming is easy to deploy, hard to detect, and extremely lucrative.

How Can Business Owners Avoid Getting Got?

As with any other cybersecurity threat, there’s no one way to stop e-skimming exploits, especially given Magecart’s wide-ranging bag of tricks, but there are a few things we can do to minimize the risk.

  • Stay current with patches and upgrades: It’s important for any business to keep its website up to date, but for commerce sites, it’s mission critical. Every time an e-commerce platform releases a security update, it flashes a beacon to hackers to attack, since any site that hasn’t installed the update is vulnerable.

  • Train employees: Educate employees to better recognize phishing emails, to use strong passwords and be on the lookout for anything that seems out of the ordinary.

  • Practice cyber hygiene: Implement multi-factor authentication and be sure to change the default credentials on any software or hardware.

What Can Consumers Do?

The debit card tip is one that’s worth putting into practice. Otherwise, the best practices here are the same as those we should have in place in general. Basically, practice what I call the Three Ms in my book Swiped.

Minimize your exposure. Don’t authenticate yourself to anyone unless you are in control of the interaction, don’t over-share on social media, be a good steward of your passwords, safeguard any documents that can be used to hijack your identity, and freeze your credit. Be careful when you click.

Monitor your accounts. Set up free transaction monitoring alerts. Check your credit report religiously, keep track of your credit score, review major accounts daily if possible.

Manage the damage. Make sure you get on top of any incursion into your identity quickly and/or enroll in a program where professionals help you navigate and resolve identity compromises, oftentimes available for free, or at minimal cost, through insurance companies, financial services institutions and employers.

Despite an increase in the number and severity of data breaches affecting businesses, too many companies still haven’t gotten the message.

PCI compliance, the set of standards created by the payment card industry to safeguard customer financial information, has fallen for the second year in a row worldwide, and currently barely 1 in 5 businesses in the Americas are capable of passing an audit.

We’re most likely looking at the twilight of the good old days when any company could spend a minimal amount of money to get a functional shopping cart up and running. Cybersecurity is an investment in your company’s future. E-commerce sites can generate massive amounts of revenue (just ask Amazon), but they can also provide a point of entry for hackers to access a motherlode of financial information.

Let that old chestnut “forewarned is forearmed” be your watchword this holiday season.