What You Should Know about Online Payment Hijackings


This article originally appeared in Payments Journal on April 26, 2019.

Online payment data breaches have become so common that we practically expect them to happen. In 2018 alone, close to 5,000 websites per month were compromised through formjacking. And it’s not a new — or cheap — problem, either.

When things like this happen, someone needs to take the hit — and financial institutions are no longer the only ones bearing the burden. Most recently, national fast-food chain Wendy’s faced a $50 million class-action lawsuit from 7,500 bank and credit-union plaintiffs and eventually was held liable for a malware attack on its point-of-sale (POS) system between 2015 and 2016 that compromised roughly 18 million payment cards across 1,000 franchises. Although these figures are eye-popping, the more dramatic figures are those linked to online POS.

The Perils of Online Payment

Shopping from your smartphone or computer is easier than ever, often involving related online activity like researching affiliated websites, registering as users on websites or signing up for alerts. Throw in the ease of one-click payments using third-party digital systems like ApplePay and PayPal, and it’s not shocking that 40% of online shoppers make more than one purchase online each month. But as more consumers turn to online shopping for convenience and better pricing, the number of cyber-attacks on online shoppers and the e-commerce sites they visit also rises. The growth in such attacks is no coincidence. POS systems are now built into websites through third-party code, and bad actors know all too well how lucrative attacks on digital third parties can be.

More than half of data breaches include the use of malware to hijack the consumer’s online journey. Malvertising and skimming are the two most common attack methods against payment pages managed by third-party vendors. Companies have mostly been unable to defend against these attacks because modern malware is built to evade traditional anti-malware defenses. As a testament, mobile malware has evolved exponentially, with attacks from cyber theft groups like Magecart, CartThief-3PC, and ShapeShifter-3PC all emerging over the past year alone.

In 2018, for example, users visiting premium newspapers and magazines were susceptible to a large-scale ApplePay phishing scheme lying beneath a malvertising campaign dubbed PayLeak-3PC. Disguised as a legitimate iOS system update, the campaign implemented a redirect phishing strategy aimed at iPhone users. Unsuspecting users voluntarily “update” their information, effectively serving up credit card and device information to a bad actor.

Likewise, hackers are using skimmer code on payment pages to obtain identity and payment information. One of the latest methods is supply-chain hacking, which involves using malware to compromise insecure but trusted third parties who do business with multiple higher-profile e-commerce clients. Notorious cybercrime group Magecart, for instance, was linked to multiple data breaches in 2018, setting off a blame game between compromised Ticketmaster and its third-party vendor customer support service, Inbenta. Similarly, both Stein Mart and Title Nine were affected by a Magecart data breach via Annex Cloud, a customer loyalty, referral marketing and UGC support system. Aside from being a PR nightmare, these malware data breaches will soon become a giant financial liability for businesses that don’t take proper precautions.

Limiting Impact

Organizations around the world are facing a flood of new privacy laws like GDPR, the California Consumer Privacy Act, the Texas Consumer Privacy Act, Utah’s proposed data privacy laws, and two federal data privacy bills under review. There is little doubt that organizations must improve their data protection and privacy capabilities. Assuming all the laws are in place — and most, if not all of them, hold core businesses at least partially accountable even for data breaches that hit their third parties — the cost of doing business with insufficient data security and privacy measures will soar.

Data security as strategy

There are a few key steps companies can take to reduce the security and privacy risks in today’s challenging environment. The key is to embrace data security as both an offensive and a defensive strategy.

Protecting your organization begins with making consumers the business’ first priority. Data privacy and security should be a board-level issue. After all, if your customers can’t trust you as a vendor, they probably won’t continue to do business with you.

Address the issue by creating a cross-functional team with representatives from IT, marketing, privacy, risk, and compliance. Together, they can operationalize security, privacy, and compliance of digital assets. Develop digital policies that clarify the requirements vendors should meet in order to do business with you, which should reflect your priority of protecting consumers. Make sure to have a clear, visible version of your privacy policy for consumers that’s easy to understand on websites or apps.

Find out who your existing third parties are (most of these code suppliers are unknown to the company), what code they’re running and how that code affects user information. Moving forward, carefully vet your third parties for security and privacy capabilities before they get on board. Many vendors focus more on getting a product out to market and pay little attention to privacy and security; they see building security into their product life cycles as an expense rather than an investment.

Once these third parties are on board, continuously monitor their code and activities — trust, but verify. If they continue to violate policies, shut them down. Create a whitelist of trusted third parties and flag those who aren’t on the list. If there are third parties who pose a problem, they probably shouldn’t be there.

Continuously monitor digital assets for any unauthorized third parties and their code. Malware is hard to detect — it is often obfuscated and therefore escapes traditional security defenses. Having security experts scan these digital assets will help surface any unapproved parties and activities. Set up processes for providing consumers with the ability to request, access, delete or decline the distribution of their data.
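
The inventory and whitelist steps above can be automated for a single payment page. The following Python is an added example, not part of the original article: the page URL, HTML and approved-host list are constructed, and `audit_page` is a hypothetical name.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes that pull in code or send form data, keyed by tag.
WATCHED = {"script": "src", "iframe": "src", "form": "action"}


class ReferenceCollector(HTMLParser):
    """Collects (tag, host) for every watched reference on a page."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.refs = set()

    def handle_starttag(self, tag, attrs):
        url = dict(attrs).get(WATCHED.get(tag, ""))
        if url:
            # Relative URLs have no host: they resolve to the page itself.
            host = urlsplit(url).hostname or self.page_host
            self.refs.add((tag, host))


def audit_page(page_url, html, approved_hosts):
    """Inventory third-party hosts and flag those not on the allowlist."""
    page_host = urlsplit(page_url).hostname
    collector = ReferenceCollector(page_host)
    collector.feed(html)
    third_party = {(t, h) for t, h in collector.refs if h != page_host}
    # Exact host match: approving a vendor does not approve its subdomains.
    unapproved = sorted(r for r in third_party if r[1] not in approved_hosts)
    return {"third_party": sorted(third_party), "unapproved": unapproved}


# Constructed sample: a checkout page and the allowlist agreed for it.
SAMPLE_URL = "https://shop.example/checkout"
SAMPLE_ALLOWLIST = {"pay.vendor-a.example"}
SAMPLE_HTML = """
<script src="/static/checkout.js"></script>
<script src="https://pay.vendor-a.example/sdk.js"></script>
<script src="//cdn.unknown-widgets.example/loader.js"></script>
<form action="https://collect.unlisted.example/submit" method="post"></form>
<iframe src="https://pay.vendor-a.example/frame"></iframe>
"""

if __name__ == "__main__":
    for tag, host in audit_page(SAMPLE_URL, SAMPLE_HTML, SAMPLE_ALLOWLIST)["unapproved"]:
        print(f"UNAPPROVED {tag}: {host}")
```

This reads only the markup as served; code that an approved script injects at runtime does not appear in it, so a check like this complements rather than replaces monitoring of the rendered page.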

By taking these steps, companies will be putting themselves in a position of strength where a difficult regulatory environment and an opponent’s gambit become a company’s shield and sword.