How to solve the Magecart threat

Written by:
Hyve
Date Posted:
17 July 2018
Category:
Security

Recently, Ticketmaster UK was breached. This was not an isolated attack but part of a large credit-card skimming campaign that hit around 800 websites worldwide.

The customer's shopping cart is the door that gets repeatedly and maliciously probed. Third-party JavaScript runs on the client side, in the customer's browser, where all personal data is entered. Because that script has the same access to the page as the site's own code, anything typed into the payment form can be read and sent elsewhere by a sophisticated attacker who controls the script.

The server side of this exchange is now comparatively well secured. The consumer-facing side is where companies are effectively handing out skeleton keys. Because these third parties generally invest less in security than the website itself, they become the target. The benefit for the attackers is clear: once they compromise the third party, they reach every single website that embeds that vendor's script. In this case, the group behind the attacks is known as Magecart.

No matter how rigorous your internal pen testing, code reviews and so on are, if a third-party script runs on your checkout or payment pages, you are exposed to every attack that hits that vendor.

Fortunately, there are steps you can – and should – take if you are relying on any third party to make your site function. 

MONITOR

Constantly monitor all third-party scripts on your site: which ones load, from where, and whether their content has changed since you last reviewed it. Yes, this will take up some resources, and no, it will not fix the problem on its own, but without monitoring you are left totally in the dark and will not know a vendor's script has changed until someone else tells you.

RESTRICT

Be very cautious when selecting third-party tools to use on your website, and keep the number of scripts on your payment pages to the minimum those pages need. Closely examine the security processes and protocols of any company you are looking to work with, and only shortlist vendors with fully comprehensive security features.

LOCKDOWN

Tightly control the access and permissions any third-party tool has. Security controls that constrain what each script may load and where the page may send data insulate a website or application, its owners, visitors and user data from insecure behaviour by a compromised third party. This has two advantages for an enterprise. Firstly, it secures the company. Secondly, it adds a layer of data control that is now required by compliance laws such as the recent GDPR.

All of this takes time and resources away from scaling your company in order to make sure it is secure. Which is why many large and smaller organisations will look to a Managed Service Provider to deliver a security suite, allowing an internal IT team to concentrate on value-added projects and growing the business.
