On the PCI Security Standards blog, basic questions are covered by Christopher D. Roberti, Senior Vice President for Cyber, Intelligence, and Security Policy at the U.S. Chamber of Commerce, and Troy Leach, PCI SSC SVP, Engagement Officer for Market Intelligence and Stakeholder Engagement.
A term sometimes used in the press for this threat is Magecart. Magecart is an umbrella term used by some security researchers to describe several criminal hacking groups responsible for various online skimming attacks. The term has also been used more generally to identify the type of attack these groups use. These attacks have been active since 2015 and represent the continuously evolving cyber threat behind several high-profile attacks against international organizations.
So how exactly do these attacks work?
Troy Leach: Without the proper controls in place, these attacks can be very difficult to detect. That is what makes them so dangerous. Threat actors use various methods, all in an attempt to gain access and inject malicious code. These attacks inject code either directly into e-commerce websites or, often, into a third-party's software libraries that merchants rely upon. Payment service providers may not be aware of the risk they create for their customers if they are not focused on security and the potential threats targeting them.
The code is often triggered when a victim submits their payment information during checkout. Different threat actors gather different details, including billing address, name, email, phone number, credit card details, username, and password. The malicious code logs the payment data either locally on the compromised website or remotely to a computer controlled by the threat actors.
What businesses are at risk of this devious attack? Should small merchants care about this?
Christopher D. Roberti: Yes, any e-commerce implementation that does not have effective security controls in place is potentially vulnerable. Small merchants are no exception and might even be more at risk because they do not have large IT departments or budgets to monitor for such threats. Many small merchants rely on payment security third-parties, some of whom have been demonstrated to be susceptible to this attack.
According to the 2019 Verizon Data Breach Report, 43% of cyber attacks target small businesses. In fact, the Verizon report shows that cyber attacks on small businesses represent the largest share of all the attacks in the report. One reason for this is a lack of data security resources and knowledge. Cybercriminals are aware of this fact and that is why they are targeting small businesses in higher numbers.
What are some prevention best practices to stop this attack from happening in the first place?
Troy Leach: The best protection to mitigate against these attacks is to adopt a layered defense that includes patching operating systems and software with the latest security updates. Some recommendations to prevent these types of attacks include:
- Verify vendors enforce security best practices
- Apply security patches for all software
- Restrict access to only what is absolutely needed and deny all other access by default
- Use strong authentication for all access to system components
- Implement malware protection and keep up to date
What are some ways small merchants can learn more about cyber security in general and the threats they face?
Christopher D. Roberti: Cybersecurity is an important priority for the U.S. Chamber of Commerce – the world’s largest business organization representing the interests of more than 3 million businesses of all sizes, sectors, and regions. Our members range from mom-and-pop shops and local chambers to leading industry associations and large corporations.
The Chamber of Commerce hosts several high-profile cybersecurity summits throughout the year and we offer resources on our webpage aimed at helping small merchants better understand cybersecurity and the threats they face. Our Internet Security Essentials for Businesses 2.0 is a popular resource and good starting point for small merchants who want to learn more about these vital challenges.
The post "Online Skimming and Payment Security" appeared first on the PCI Security Standards Blog, posted by Mark Meissner