In recent years we have seen a significant increase in online shopping as more and more retailers try to meet their consumers' needs for lower cost, greater product choice, time savings, and convenience. According to US Census Bureau News, published May 17, 2019, e-Commerce sales totaled $137.7 billion. This represents a 12.4 percent increase over the same period in 2018. Nearly all e-Commerce transactions also have one thing in common: the payment for goods and services is made by credit card. Needless to say, e-Commerce represents a significant opportunity for bad actors to obtain your credit card information during the payment process. This is why the Payment Card Industry Security Standards Council (PCI SSC) released a bulletin on August 2nd, 2019 regarding the Threat of Online Skimming to Payment Security.

Magecart Online Skimmer

Magecart is an umbrella term for malicious code that sniffs personal and credit card data on unsuspecting websites, otherwise known as web-based card skimming. Originally developed to exploit the Magento shopping cart, the code has since expanded to exploit other popular platforms as well. The code is usually written in JavaScript and is very difficult to detect, since it is easy to hide in plain sight: based on a survey by W3Techs, over 90% of websites use JavaScript for their client-side programming. Malicious actors embed their sniffing code directly in an e-Commerce website, or often attach it to third-party service providers or third-party apps such as chat channels, product rating systems, tags and others. Once a site is infected, the JavaScript sits and waits for the payment page to open, captures the data being entered into the payment form (either with a key logger or by reading the form fields), and then sends the data to another server, or stores it locally and sends it at a later time. Also concerning is the persistence of the malicious code and its ability to re-infect the e-Commerce site. It is important to know that this is not a new threat. In fact, these types of attacks have been around since 2015 and are run by a number of criminal enterprises.

The Difference Between a Physical Skimmer and an Online Skimmer

A physical skimmer is a device that may be attached directly to a credit card payment terminal, ATM machine, gas pump credit card reader, etc. These devices capture information from the card's magnetic stripe or embedded chip, and may even record the PIN that is entered on a keypad. Hackers have retrieved the stolen information either over a Bluetooth-enabled connection to the device's memory storage card or by coming back later to recover the memory storage card that was installed.

Online skimming is based on malicious JavaScript code that hackers inject into an organization's e-Commerce website, and it works essentially the same way as a card skimmer installed on a physical credit card terminal swipe device. The malicious code captures information entered by the consumer on a payment page, which may include customer name, address, phone number, credit card number, expiration date, and CVV. The hacker's JavaScript code may redirect the information the consumer enters and siphon it off to the hacker's database without the user being aware of this.

One might wonder how we can best detect and prevent these actions. There are a number of PCI DSS controls that help ensure organizations are able to detect and help prevent both physical skimming devices and online skimming mechanisms. Some of the controls that would be evaluated in a PCI assessment include physical device inspections, code review, change management practices, access controls, vulnerability management, penetration testing, and security awareness training. However, the challenge with online skimming is that the malicious code has been seen to be as little as 22 lines of code, and is often embedded in third-party apps not controlled by the e-Commerce provider. Unlike the attachment of a physical card skimmer, there is no physical skimming device present.

Impact on PCI DSS Assessment for e-Commerce

The impact that Magecart will have on a merchant's PCI assessment is yet to be determined. However, the current PCI DSS standard is based on the delivery of the payment page and how it is protected. The reduced requirements of SAQ A may not be enough, since the e-Commerce site itself is at risk and may allow the exfiltration of personal and credit card data through the delivery of malicious code to its customers' web browsers. Due to the rise in online skimming, the PCI Council may make changes to the SAQ A in order to protect cardholder data.

PCI SSC Recommendations for Detection and Prevention

The PCI SSC has made a number of recommendations that will assist you in the detection and prevention of Magecart web-based (online) skimming attacks.

Detection

  • Reviewing code in order to identify potential coding vulnerabilities (Req. 6)
  • Using vulnerability assessment tools to test web applications for vulnerabilities (Req. 6)
  • Audit logging, and reviewing logs and security events for all system components to identify anomalies or suspicious activity (Req. 10)
  • Using file-integrity monitoring or change-detection software (Req. 11)
  • Performing internal and external network vulnerability scans (Req. 11)
  • Performing periodic penetration testing to identify security weaknesses (Req. 11)

Prevention

  • Disable unnecessary ports/services/functions and configure components securely in accordance with industry accepted system hardening standards (Req. 2)
  • Implement malware protection and keep it up to date (Req. 5)
  • Apply security patches for all software (Req. 6)
  • Follow secure coding practices and perform code reviews (Req. 6)
  • Restrict access to only what is absolutely needed and deny all other access by default (Req. 7)
  • Use strong authentication for all access to system components (Req. 8)
  • Implement intrusion-detection and/or intrusion-prevention to detect and prevent intrusions (Req. 11)
  • Conduct proper due diligence prior to engagement of third-party service providers and monitor service providers’ PCI DSS compliance status (Req. 12)
  • Additional controls for hosting service providers to protect their customers’ hosted environments and data (Appendix A1)

Finally, work with your QSA should you have any questions surrounding the PCI DSS requirements and how to best assess and secure your e-Commerce environment.

Content provided by LBMC's Chris Jones.