Compromise Stats for 2020
As we transition into 2021 and look forward to a brighter future (Brexit and COVID19 to become nothing but a distant memory), we can look back at 2020 as another busy year for the cyber criminals. 3B Data Security undertook fifty-four (54) cases where payment card data had been compromised, with the majority of victims (94%) being merchants whose eCommerce channel was compromised, always the most popular target on this side of the Atlantic. The remaining entities compromised included a large corporate bank, a payment facilitator, and several hotels.
Of the investigations conducted by 3B Data Security, Magento was still the most common eCommerce platform in use at the time of the breach, with an equal share of both version 1 and 2 compromised. 2020 was the year we saw the end of support for Magento version 1, albeit many merchants continue to use this unsupported and vulnerable platform. However, the final quarter saw a marked change in the platforms being breached with a significant number of WordPress, bespoke, and eCommerce platforms as a service being targeted.
Reviewing our previous years stats, third-party identification of card data breaches by the banks and card brands remained the common method of detection, with many merchants completely unaware of the breach when they engaged 3B Data Security, despite clear indicators of the compromise being present. Indicators such as web shells present within the environment, which remained the most popular way to provide the attackers persistence and remote command and control over the environment. When it came to exfiltrating the cardholder data, client side JavaScripts such as the MageCart methods were still a popular tactic, however, code presenting a fake payment page was a growing trend and one to watch for 2021. Such a tactic was used to compromise card data from those merchants electing to use a payment page served from their Payment Services Provider (PSP) in the form of an iFrame or full URL redirect, and most recently against those offering eCommerce Platform as a Service (PaaS), such as Shopify and BigCommerce.
The unfortunate stat is that on most of the breaches investigated in 2020 by 3B Data Security, it could not be determined how the attackers initially breached the environment. This was in part due to a lack of suitable log data being maintained, and the length of time between the initial compromise and the start of the investigation (3 – 6 months on average). This lack of understanding of the root cause of the breach means the victim has no opportunity to learn and they can never be sure that any containment measure has been effective. Leading to some becoming repeat victims.
The takeaway lessons from 2020 are that there is no single solution that will provide complete protection and peace of mind when it comes to running an eCommerce environment. Those methods that have been previously reported as the safer methods for accepting card data, such as iFrames, full URL redirects, and PaaS, have been found to be just as fallible as anything else. Accepting the fact that no matter what your eCommerce platform or payment channel, the risk of compromise is just as great, is the first step to securing the environment. Make it your New Year resolution to put cyber security at the top of your list, but not just as a one-off but something that remains at the forefront for the whole year and hopefully you will avoid being one of our stats for 2021.
To help you with all your security needs 3B Data Security offer a range of services to help monitor, identify, and prevent security issues, along with services to help you become and maintain compliance with industry standards such as PCI DSS and ISO 27001.
From all, at 3B Data Security, we wish you a safe and secure 2021.
