How these crooks backdoor online shops and siphon victims' credit card info

The FBI and its friends have warned businesses of crooks scraping people's credit-card details from tampered payment pages on compromised websites. It's an age-old problem: someone breaks into your online store and alters the code so that as your customers enter their info, copies of their data are siphoned to fraudsters to …

  1. Mike 137

    Ah, but how?

    From the report: "As of January 2022, the unidentified cyber actors used the require_once() function to call and execute the TempOrders.php file"

    The key (and entirely unanswered) question is how they got to the point where they could modify the PHP code. That suggests a serious deficiency in server security to start with. Increasingly, breach reports seem to gloss over the initial penetration vector, which is of course the most important factor almost every time.

    1. Little Mouse

      Re: Ah, but how?

      A serious deficiency in security is certainly implied.

      The FBI's recommendations for being "less of an easy target" include patching regularly, changing default credentials, etc., suggesting that some online businesses are still completely unaware of the basics.

      1. AlexFillman

        Re: Ah, but how?

        My website https://campinglifegear.com/ has also been affected by cybercriminals. So much work went to nothing( But I'm not discouraged and I'm moving on!

    2. Pomgolian

      Re: Ah, but how?

      Bang on. Unless you have a heads up on how the site was compromised in the first place, removing the affected code is useless because it'll be back again by morning.

      Does this affect all shopping cart systems or is it specific to a particular code base? Magento anyone? Asking for a friend.
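Mike 137's point that the skimmer was wired in with `require_once()`, and Pomgolian's that deleting the injected code is pointless if you cannot tell when it comes back, both come down to the same defensive control: a hash baseline of the deployed PHP tree plus a check for include/require statements that point at files outside that baseline. The script below is an added illustration, not code from the article, the FBI report or any shopping-cart project; the directory layout, file names and the `TempOrders.php` placeholder it creates are constructed for the demo, and the include-statement regex is a heuristic, not a PHP parser.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Heuristic: include/require/include_once/require_once followed by a quoted literal path.
# It will also match such text inside strings or comments; treat hits as leads, not proof.
INCLUDE_RE = re.compile(
    r"\b(?:include|require)(?:_once)?\s*\(?\s*['\"]([^'\"]+)['\"]", re.IGNORECASE
)


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map of relative path -> sha256 for every .php file under root (the baseline)."""
    root = Path(root)
    return {
        str(p.relative_to(root)): sha256_file(p)
        for p in sorted(root.rglob("*.php"))
        if p.is_file()
    }


def diff_manifest(baseline, current):
    """Files that appeared, disappeared or changed since the baseline was taken."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def find_include_targets(php_source):
    """Literal paths named by include/require statements in one PHP source text."""
    return INCLUDE_RE.findall(php_source)


def audit(root, baseline):
    """Compare the tree against the baseline and flag includes of files not in it."""
    root = Path(root)
    current = build_manifest(root)
    report = diff_manifest(baseline, current)
    unknown = []
    for rel in sorted(current):
        src = (root / rel).read_text(errors="replace")
        for target in find_include_targets(src):
            # Resolve the target relative to the including file's directory.
            candidate = ((root / rel).parent / target).resolve()
            try:
                cand_rel = str(candidate.relative_to(root.resolve()))
            except ValueError:
                cand_rel = target  # points outside the web root: always worth a look
            if cand_rel not in baseline:
                unknown.append((rel, target))
    report["unknown_includes"] = unknown
    return report


def demo():
    """Constructed scenario: clean baseline, then a dropped file wired in via require_once()."""
    root = Path(tempfile.mkdtemp())
    (root / "lib").mkdir()
    (root / "lib" / "config.php").write_text("<?php\n$db = 'constructed';\n")
    (root / "checkout.php").write_text(
        "<?php\nrequire_once 'lib/config.php';\necho 'checkout';\n"
    )
    baseline = build_manifest(root)  # taken from the known-good deployment

    # Simulated tampering: a new file appears and checkout.php is edited to load it.
    # The file is an empty placeholder; no skimmer logic is included here.
    (root / "TempOrders.php").write_text("<?php\n/* placeholder for the injected file */\n")
    (root / "checkout.php").write_text(
        "<?php\nrequire_once 'lib/config.php';\n"
        "require_once('TempOrders.php');\necho 'checkout';\n"
    )
    return audit(root, baseline)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run from cron against the live docroot with a baseline stored off-host (or in the deployment pipeline), so that a file reappearing overnight shows up as `added` or `modified` and the statement that loaded it shows up under `unknown_includes`; a hit tells you what changed, while the initial access vector Mike 137 asks about still has to come from the web server and application logs.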

  2. Boolian

    Mitigate to accumulate

    I assume all online shopping sites are compromised (can be, or will be). I would have thought by now most only use Virtual Cards for online purchases - but no, apparently not.

    Certainly, if I was currently running an online shop, it would include a hefty recommendation to my customer base to use them.

    All banks should offer such a service by default, but not all do (vanishingly few and by request only) nor are they all engaged in an information campaign to encourage the practice - hence the rise of FinTech services.

    So, all we can do is attempt to mitigate individually. Of course the argument is that even 'virtual' cards and accounts (and the Banks and FinTechs operating them) are equally likely to be compromised. What can you do? Really only try as best you can, with the tools available.

    Use a separate debit card/virtual account only for online purchases, load it only with the amount required at point of purchase and generate a 'one-time' virtual card from that.

    Is that process convenient? Nah not the most convenient really, but less inconvenient than having your bank details hoovered as a matter of course and stored in plaintext.

    At best you lose that dosh only. At worst the Bank and/or FinTech offering such a service is compromised and all your dosh disappears anyway, but you might have some redress at least.

    Yes, I am aware of a particular FinTech notoriously 'freezing' 'virtual' accounts with large balances in them, without apparent redress (or timely redress). That's not really best mitigating practice though - holding a large 'float' - that's convenience, and security is inconvenient.

    Security is hard, compromise is assured, mitigation is all we have.

    1. Martha2030

      Re: Mitigate to accumulate

      Oh yeah that’s true. Great article
