See Tickets Breach Highlights the Blind Side of Web Security | Techno Glob

By Source Defense

Despite its name, leading ticketing service provider See Tickets was blind to a card skimming attack that stole financial and personal information from its online customers for 2 1/2 years.

The attack began in June 2019 and involved a JavaScript-based skimmer inserted into the checkout pages of the See Tickets website. The company, owned by France-based media giant Vivendi SA, was notified of possible unauthorized activity in April 2021 and took until January 2022 to investigate and shut down the malicious activity. Vivendi began sending breach notifications this month.

While the total number of people affected by the breach is unknown, 92,074 victims were reported in Texas alone, along with an unknown number in Vermont. Based on this information, the number of affected parties is likely to be in the hundreds of thousands. The stolen data included payment card data (card numbers, expiry dates and CVV numbers) along with personally identifiable information such as names, addresses and postal codes.

The attack is similar to a 2018 attack against See Tickets' main rival Ticketmaster UK, which was attributed to the Magecart group. Data on more than 40,000 customers was stolen in the attack on Ticketmaster.

The notorious Magecart hacker group has been responsible for some of the most sophisticated e-commerce attacks since 2015, exploiting vulnerabilities in one of the fastest-growing, lowest-margin channels in online retail: the client-side digital supply chain. This is a key issue: these vulnerabilities need to be addressed, and they can be addressed easily and without adding a security burden.

Digital and security wake-up call

The client side (the browser) is the primary environment retailers use to display and capture critical customer and payment data. It is the main gateway for communicating with customers and handling their data. Your own website code, and code from dozens of your partners, is served in the browser. Your partners' code (third-party JavaScript) executes in the browser and is granted unmanaged and unlimited access to the entire web page, with the ability to deface or modify data and web page content (keylogging, web injection, form field manipulation, etc.). By integrating third-party JavaScript, website owners are potentially handing over a skeleton key to the front door of their business.

You can't have a great web experience without these partners, but you can't leave this code vulnerable. Source Defense research shows that websites that process payment card data contain 16 third-party software integrations, and that those partners can bring up to 6 additional parties. With third-party scripts averaging in the double digits and half of those partners adding fourth-party scripts to the page, retailers need to pay more attention to strengthening client-side security.
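To see how many outside parties run code on a page, a site owner can inventory the script origins on their own checkout page. The following is an added example, not code from Source Defense or the original post: the function name `auditScripts`, the `.example` domains and the sample data are constructed, and the Subresource Integrity check is an addition that the article itself does not discuss.

```javascript
// Added example: group a page's scripts by origin and flag third-party
// scripts that load without Subresource Integrity (SRI).
// `scripts` is any list of objects with `src` and `integrity` properties,
// e.g. Array.from(document.scripts) in the console on your own checkout page.
function auditScripts(scripts, pageUrl) {
  const page = new URL(pageUrl);
  const byOrigin = new Map();
  let inline = 0;
  for (const s of scripts) {
    if (!s.src) { inline++; continue; }            // inline script: no origin to attribute
    let url;
    try { url = new URL(s.src, page); } catch { continue; }  // unparsable src
    if (url.protocol !== "http:" && url.protocol !== "https:") continue; // data:, blob:
    const entry = byOrigin.get(url.origin) ||
      { origin: url.origin, thirdParty: url.origin !== page.origin, count: 0, withoutSri: [] };
    entry.count++;
    // An integrity attribute pins the exact bytes the browser will accept;
    // without it, whoever controls the host decides what runs on the page.
    if (entry.thirdParty && !(s.integrity || "").trim()) entry.withoutSri.push(url.href);
    byOrigin.set(url.origin, entry);
  }
  const origins = [...byOrigin.values()].sort((a, b) => a.origin.localeCompare(b.origin));
  return {
    inline,
    thirdPartyOrigins: origins.filter(o => o.thirdParty).map(o => o.origin),
    unpinned: origins.flatMap(o => o.withoutSri),
    origins,
  };
}

// Constructed sample: script tags as they might appear on a checkout page.
const sampleScripts = [
  { src: "/static/app.js", integrity: "" },
  { src: "https://cdn.payments.example/sdk.js", integrity: "sha384-CONSTRUCTED-PLACEHOLDER" },
  { src: "https://tags.analytics.example/t.js", integrity: "" },
  { src: "//chat.widget.example/loader.js", integrity: "" },
  { src: "", integrity: "" },                      // inline script
];
const report = auditScripts(sampleScripts, "https://shop.example/checkout");
console.log(report.thirdPartyOrigins, report.unpinned);
```

Run it again after the page has fully loaded: scripts that partners inject at runtime (the fourth parties mentioned above) only appear in `document.scripts` once they have been added.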

The industry is woefully unprepared for these attacks, and action must be taken now to prevent more breaches this year. That’s why PCI recently included client-side security as a key focus in 4.0 – and why Source Defense is offering a risk-free solution for retailers that can be turned on even during seasonal website code freeze periods.

A simple, effective approach

The best approach to defeating client-side attacks and eliminating client-side risk is to be proactive and deploy technologies that can stop attacks before they harm your business or your visitors. By managing the code that runs on your web pages and in your visitors' web browsers, a client-side security platform enables real-time control over what client-side code can and cannot do, stopping even novel and inventive attacks before they exfiltrate data.

The Source Defense client-side security platform was designed from the ground up not only to provide ironclad security, but also for burden-free deployment and continuous use. Source Defense can either scan and alert externally or protect automatically by deploying just two lines of code. Maintenance and upkeep take only a few hours per month, ensuring that solving a new problem doesn't strain already overtaxed security teams. Request a demo to learn more about how Source Defense can help you reduce physical risk to your organization, keep your partners from overreach and protect your enterprise from client-side attacks.


*** This is a Security Bloggers Network syndicated blog from Source Defense.
