Early in September 2018, British Airways announced that it had suffered a massive data breach. Its website and mobile app had been compromised, and around 380,000 customers had personal and financial data stolen. Worryingly, Ticketmaster suffered a similar attack earlier in the year. Both attacks were reportedly carried out by Magecart, a label applied to several criminal groups infamous for stealing card details from poorly secured payment forms on websites.
If huge companies like BA and Ticketmaster are struggling to keep their credit card processing systems secure, does that mean every business is at risk? This isn't necessarily the case, but it does highlight the need for companies to take the security of their card payment processes very seriously. Here we take a look at what can be learned from these attacks.
What do these breaches mean?
These breaches illustrate a common way that attackers compromise an organisation's payment card processes: injecting malicious script into the pages that collect card data. This is often filed under cross-site scripting (XSS), but it is more precisely client-side skimming, sometimes called formjacking. JavaScript running in the customer's browser reads the card fields as they are entered and sends a copy to a server the attacker controls, while the legitimate payment still goes through, so neither the customer nor the merchant sees anything wrong. In the Ticketmaster and BA attacks, it is thought that the attackers modified JavaScript loaded by both companies' payment pages, in Ticketmaster's case a script supplied by a third-party service, in order to intercept customer card details as they were submitted.
It is reported that the same skimming script used in the Ticketmaster and BA attacks is now circulating through other compromised JavaScript libraries, including code once distributed by the push notification service Feedify. Because these attacks can involve only a few lines of change to an otherwise legitimate script, they can be very difficult to detect by inspection.
Is data security compliance slipping?
These card data breaches are worrying enough, but they also coincide with a rather concerning trend: the number of businesses found to be fully compliant with the Payment Card Industry Data Security Standard (PCI DSS) dropped in 2017 for the first time in six years. This means that fewer businesses have the appropriate controls and procedures in place to ensure the ongoing security of payment card processing.
This may be because some businesses assume that once they have achieved PCI DSS compliance, they have done the hard work. In fact, the assessment is a point-in-time check; maintaining compliance is a continuous process, and businesses need to keep their controls current. Cybercriminals are continually evolving their tactics and techniques, and organisations need to ensure their defences adapt accordingly.
Now is the time to ensure compliance
Remember that this sort of compliance is about more than displaying a certification logo on your website; it is critical to the ongoing success of your business. Dealing with the fallout of an attack means paying to remediate the problem, as well as facing possible reputational damage. In addition, failing to comply with these regulations can leave your business facing heavy fines.
Failure to adhere to the PCI DSS can result in organisations facing increased transaction fees and, in some cases, withdrawal of card processing services by their acquiring bank. Non-compliance with the General Data Protection Regulation (GDPR) could potentially be even more serious, with organisations facing fines of up to €20 million or 4 per cent of global annual turnover, whichever is higher.
There has never been a more important time to take cyber security seriously and to ensure you have the security controls and procedures in place not only to protect your business, but to keep it compliant.
The importance of Web application testing
Penetration testing is a vital step in assessing the security of your business and helping to protect it against the type of attacks experienced by Ticketmaster and BA. Web application testing is a type of penetration test specifically designed to identify vulnerabilities in your web applications, including susceptibility to XSS and other types of code injection attacks. For a payment page it should also cover the third-party scripts the page loads, since a skimmer needs only one of them to be writable by an attacker.
Web application pen tests usually take just a couple of days to perform, and can be done outside of business hours to minimise any disruption to the business. It is advisable to work with a cyber security specialist capable of performing independent assessments on an ongoing basis to identify and address security exposures.
Given the current security landscape, now is the time for companies to take security and compliance very seriously. Failing to do so not only creates significant costs, but could have a far-reaching impact on the long-term viability of the business. The team at GlobalSign is prepared to help with our broad portfolio of identity and security solutions to protect businesses and large enterprises.
Note: This blog article was written by a guest contributor for the purpose of offering a wider variety of content for our readers. The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of GlobalSign.