In the past few years, data center security and web server defense has improved significantly, making it a less feasible approach for an attack. Cyber criminals have taken note and are shifting their focus from performing spectacular bank data server attacks to skimming credit card information from a variety of ecommerce sites, unbeknownst to the website administrators. Although various credit card fraud related security exists nowadays on both the merchant and the payment vendor side, cyber criminals have found a lucrative blind spot that is yet to be plugged in.
Banks, Payment Card Industry (PCI, whose members include Visa, MasterCard, AmericanExpress and other large payment companies) and other financial institutions are the most regulated industries, both offline as well as their online practises, and rightly so. For online payments, the PCI and specifically the PCI Security Standards Council sets the regulations for data security and enforces compliance of best security practises, through the PCI Data Security Standard (DSS). These standards consist of twelve significant requirements including multiple sub-requirements, which contain numerous directives against which businesses may measure their own payment card security policies, procedures and guidelines. Failure to comply with the PCI DSS will lead to the members of the PCI pulling the plug on a merchant website and business.
The standard outlines how credit card details are collected, stored and transferred from a merchant’s website & servers, to the payment card vendor. This ensures that the sensitive data is handled with care, and also complies with any local regulations, such as GDPR. PCI formed these standards mainly to ensure that more people will be comfortable to pay online and to ensure that all these payments were secure. Since its inception in 2006, PCI DSS has helped improve the security posture of many websites, as well as ensure the secure experience of a consumer when they pay for goods.
However, over the past 4 years, a group of cyber criminals known as Magecart have figured out a way to exploit a weak spot in the standard’s enforcement : 3rd party vendors that are present on the merchant website. These 3rd party services generally help the merchant website with user analytics, advertisements and various other functionality. The PCI DSS mainly regulates the payment vendor and the website merchant, but does little to protect against attacks made by a 3rd party vendor that may be present on the website.
The Magecart group thus targets legitimate 3rd parties that often have weaker and unregulated security to carry out their attack. Due to the supply chain nature of 3rd party javascript on the website, when a compromised 3rd party javascript loads, it can carry out any operation on the website, all the way from defacing the website to loading their own content and advertisements. The Magecart group realized that the best way to monetize from this type of vulnerability was to skim the credit card details as they are being typed by the end user, and to later on sell it on the dark web. A Symantec report from 2019 found that everyday, an average of 20 websites are attacked globally by the Magecart group leading to thousands of credit card numbers getting stolen each day in this manner. A key reason for the success of this style of attack is that this attack is quite hard to detect, mainly because the actual credit card transaction goes through legitimately from both the merchant’s website as well the payment vendor’s point of view – the only difference is that the Magecart group quietly sends a copy of the credit card details to their own server in the background. These details are then sold on the dark web, with an average price of $10 for US based Credit Card numbers, often several months later to prevent an easy attribution of the attacks. When British Airways was attacked by Magecart in 2018, it took security engineers over 30 days to realize that credit card numbers were being skimmed from their own website, resulting in over 380,000 victims and millions of pounds in regulatory fines.
The solution to these attacks is well known – the website administrators should secure the web application against any 3rd party that may get compromised. This is done using W3C and HTML5 standards such as Content Security Policy (CSP) and SubResource Integrity (SRI). CSP ensures that 3rd party resources are loaded from a certain list of domains and their behavior is controlled to certain operations that the website administrator can select. This standard, for example, can prevent a 3rd party from reading and sending out the credit card details to any server. Through SRI, the security of 3rd party JavaScripts can be taken a step further – this standard checks the hash of the 3rd party JavaScript at run time and in case it does not match the expected value, the script will not be allowed to load.
These standards are valued and widely used in firms such as Google, however their adoption beyond the Alexa Top 100 websites is quite low. This is especially concerning as the websites that are most often targeted by Magecart and similar groups, generally fall outside the Alexa Top 100 and do not have large sophisticated security teams. Most of the compromised website administrators are unfortunately not aware that such an attack vector can take place, even though they are following PCI DSS to the fullest. Furthermore, PCI vendors and the merchants are often liable for fraudulent payments that may occur with the stolen credit card details. As most of the Magecart attacks go unreported, the cost of reputation loss from the end user often falls on the payment card vendor unfortunately.
As adoption and awareness is the biggest hurdle to the widespread use of these protection mechanisms, PCI DSS needs to upgrade the standard to include protections against 3rd party vendors. Similar to how Google pushed the globe to adopt HTTPS over the past decade, PCI will need to take the lead to reward merchants that adopt the new age of security standards such as CSP & SRI, and appropriately penalize merchants that do not comply within a suitable time frame. Increased adoption of these standards will give merchant websites and payment vendors an edge in the fight against online credit card fraud.