Blog post, 2020-10-28 16:27

Securing E-Commerce: What works? What doesn’t?

By Sam Pfanstiel, Director, Security Consulting Services

I’d like you to think about something: What, in your mind, is going to be the next mass exploitation of cardholder data affecting the secure e-commerce of small and medium online retailers? What simple mistake or mistakes are being consistently made by these retailers that will lead to the next rash of mass theft of credit card data?

We’ve actually just seen a sign of the coming attacks. In just one weekend last month, nearly 3,000 individual e-commerce stores were breached in a concerted Magecart-style e-skimming attack. What did these stores have in common? They were all still running end-of-life, free and open source software.

E-skimming is an attack on cardholder data within the browser itself, usually through the compromise of one or more third-party dependencies. In this case, known vulnerabilities in Magento v1—which was deprecated in June 2020—were combined with a remote code execution exploit and made available to cybercriminals for a mere $5,000 US dollars.

Where are online retail sites going wrong?

Increasing adoption of EMV technologies for card-present transactions makes online sites more attractive to cybercriminals. In addition, COVID-19 has led to reduced merchant resources for secure e-commerce—and bad actors know it.

Three primary concerns arising from these issues are poor vulnerability management, continued use of end-of-life software, and failure to understand how turnkey e-commerce tools can be exploited. Each of these is under the online retailer’s direct control and should be addressed immediately.

How can online retailers achieve secure e-commerce while using third-party e-commerce tools?

The first step to ensuring a website is using a secure e-commerce implementation is understanding how the online payment acceptance process is just one part of the site’s overall security. Secondly, it's critical to determine how the implementation fits into the Payment Card Industry Data Security Standard (PCI DSS), including eligibility to complete a self-assessment questionnaire (SAQ) or having a Qualified Security Assessor (QSA) complete a report on compliance (ROC).

Finally, when completing a reduced SAQ, it is imperative that the merchant understands how their implementation may still have residual risk with respect to vulnerability management and third-party risk management. Using this understanding, preventative and detective controls to mitigate that risk must be implemented.

The following are four common e-commerce implementations, each with its own security, compliance, and user experience advantages and disadvantages:

  1. Hosted Payment Pages – Full Redirect

The easiest and most secure e-commerce implementation is to redirect customers to a third-party payment service provider (PSP) that handles the entire payment form, transmission, and processing; this approach generally qualifies for SAQ A. But because fewer security controls are required to be in place, an attack on the merchant’s site can allow the attacker to redirect the customer to a fake payment page instead.

  2. Hosted Payment Page – IFRAME Redirect

This is similar to the first scenario, but the hosted payment page is embedded within an IFRAME on the merchant’s site. This approach can provide security around the capture, transmission, and processing of cardholder data; however, if the IFRAME is not properly implemented, or if the attacker is able to redirect the source of the frame to a fake page, card data can still be compromised.

  3. Payment Widget – Embedded JavaScript

Most common today are JavaScript snippets provided by the payment service provider that can be easily inserted into a merchant’s payment flow. They offer increased usability and an integrated user experience, but they are much less secure than the first two approaches. E-skimming attacks commonly target these implementations, taking advantage of vulnerabilities that arise from complex merchant sites using vulnerable third-party resources.

  4. Direct POST – Transparent Redirect to Payment API

While less common on new implementations, this payment flow gives all control of the payment form to the merchant, but offloads transmission and processing to the payment service provider. To ensure a secure e-commerce form, the merchant must take full responsibility for secure coding requirements and ensure that the PSP is providing appropriate authentication to detect or prevent a man-in-the-middle attack.

I put together an educational webinar to walk through these common e-commerce implementations, complete with demonstrations of attacks that can be carried out against each. In the webinar, I explain the advantages and disadvantages of each method, how they relate to PCI guidance, and the additional monitoring steps that can be performed to minimize risk of data theft.

Click here to access the free webinar, “E-Commerce Exploits Merchants and PSPs Need to Watch For.”



About ControlScan

ControlScan managed security and compliance solutions help secure IT networks and protect payment card data. Thousands of businesses throughout the U.S. and Canada partner with us for easy, cost-effective access to the expertise, technologies and services that keep cyber criminals and data thieves at bay. With highly credentialed cybersecurity and compliance experts; 24x7 managed detection and response; managed UTM firewall services; ASV vulnerability scanning; security penetration testing; PCI compliance programs and validation services; QSA and HIPAA assessments; and more, we’ve got your back.

Contacts

Sam Pfanstiel
Director, Security Consulting Services
Sam Pfanstiel
Software Security & Encryption Expert