Good for Barry
I have a nasty suspicion that Start-Rite may not have been in too much of a hurry to give this widespread publicity.
Children's shoemaker Start-Rite is dealing with a nasty "security incident" involving customer payment card details, its second significant lapse during the past eight years. That's according to a recent notification sent to customers, seen by The Register, which didn't clarify exactly what the nature of that trouble was, …
Just visited the Start-Rite checkout payment page and it loads 11 scripts from 6 different 3rd parties. It probably loads more if you allow those 11 scripts but my browser add-ons won't. This really sounds like someone injected Magecart into one of the many 3rd parties having a party on their payment page. It is possible to see this sort of attack coming but you have to be looking.
Scripts are not necessarily malicious, but from 2025 the PCI Data Security Standard introduces more controls around scripts and integrity of the content delivered to the cardholder’s browser for this very reason - you can hack the card holder without there being anything apparently wrong on the e-commerce server.
BTW, Magecart is a generic name for malicious script attacks, not a specific attack. You cannot inject Magecart; it is just the addition of a malicious script to a system to scrape card data. Magecart is derived from Magento, the platform on which these types of attacks were most commonly seen, but this site is not a Magento installation.
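As an added illustration (not from this thread, Start-Rite or any PCI document): the kind of script inventory check the comment above alludes to, run in Node over a constructed checkout page fragment. The page URL, the authorized origins and the sample HTML are assumptions; in a browser the same audit would walk document.scripts instead of a string.

```javascript
// Constructed inventory of scripts the merchant has authorized on the checkout
// page (hypothetical origins; PCI DSS v4 expects such an inventory to exist).
const AUTHORIZED_ORIGINS = new Set([
  'https://checkout.example-merchant.test',
  'https://js.example-psp.test',
]);
const PAGE_URL = 'https://checkout.example-merchant.test/pay';
// Constructed checkout page fragment: one pinned first-party script, one
// PSP script without SRI, one unlisted third party, and one inline script.
const SAMPLE_CHECKOUT_HTML = `
<script src="/static/app.js" integrity="sha384-AAAA"></script>
<script src="https://js.example-psp.test/fields.js" async></script>
<script src="https://cdn.example-analytics.test/tag.js"></script>
<script>window.dataLayer = [];</script>`;
// Pull src and integrity attributes out of every <script ...> start tag.
function extractScripts(html) {
  const scripts = [];
  const tagRe = /<script\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(m[1]);
    const integrity = /\bintegrity\s*=\s*["']([^"']+)["']/i.exec(m[1]);
    scripts.push({ src: src ? src[1] : null, integrity: integrity ? integrity[1] : null });
  }
  return scripts;
}
// Flag what a reviewer must justify: inline code (cannot be pinned with SRI),
// origins outside the inventory, and listed origins loaded without integrity.
function auditScripts(html, authorized = AUTHORIZED_ORIGINS) {
  const findings = [];
  for (const s of extractScripts(html)) {
    if (s.src === null) {
      findings.push({ src: '(inline)', issue: 'inline script, cannot be pinned with SRI' });
      continue;
    }
    let origin;
    try { origin = new URL(s.src, PAGE_URL).origin; }
    catch (e) { findings.push({ src: s.src, issue: 'unparseable src' }); continue; }
    if (!authorized.has(origin)) {
      findings.push({ src: s.src, issue: `origin ${origin} not in inventory` });
    } else if (!s.integrity) {
      findings.push({ src: s.src, issue: 'no integrity attribute' });
    }
  }
  return findings;
}
console.log(auditScripts(SAMPLE_CHECKOUT_HTML));
```

Running it against the sample reports the un-pinned PSP script, the unlisted analytics origin and the inline block, while the pinned first-party script passes silently.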
And this will be common practice for so many websites.
This always has been a disaster waiting to happen. It was the case of the BA fiasco a few years ago.
It is cheaper to just outsource something or buy a service, most developers are not interested in security or the implications of the decisions they take.
It is the future!!! (Or the past for the last 5 or more years.)
Still can't get over my fear of kids shoe fittings after so many visits to Clarkes and having my foot painfully squished into one of those metal "measuring" devices. I guess it was better than being irradiated by an X-Ray foot measuring Fluoroscope popular in the US since the 1920s.
Hmm.... Maybe read the article before commenting?
"Firstly that data could have been stored, this would be the worst outcome. Next on the list of possibilities is stealing the data when it has been entered into the system. A likely cause of this is card skimming type tools that we've seen attackers use in the past in previous breaches. I suspect that this is the most likely cause. These tools largely inject malicious JavaScript into online payment systems to then steal and forward the entered card details to the attackers."
Liked this line
"These tools largely inject malicious JavaScript into online payment systems to then steal and forward the entered card details to the attackers."
A huge issue is that most payment systems require lots of JavaScript (& often third party). As someone who surfs with JS disabled by default on "new" sites I visit, and then configures JS allow lists on a per site basis (or in many cases, just gives up as there is so much needless JS!), I can say that online payment is a PITA*.
* You go to make a payment & that fires off a whole new lot of scripts and domains that you need to assess for safety (or lack of)**
** Which is why I like companies with an online presence but that still also have a telesales option (a virtual beer to Richer Sounds*** & similar companies)
*** Though their site is also, unfortunately, a fine example of too many different sources of JS