Each year, the e-commerce industry grows in revenue. In 2015, it was $1.548 trillion. Three years later, by the end of 2018, global online sales revenue is approaching an impressive $2.842 trillion, almost a twofold increase.
With the rising profits, e-commerce websites become popular targets of hacker attacks. And when cybercriminals from all over the world want a slice of your pie, you know you are in trouble.
The Dangers of Online Transactions Inside Magento
Online stores process payments without the physical presence of a credit card. This fact alone opens a sea of possibilities for people who would like to take advantage of it.
Hackers Use Stolen Payment Details to Buy Your Goods
Can you guess which online businesses are most vulnerable to fraudulent payments?
Hackers use them as a risk-free way to test whether the card they have can be charged or returns an error.
Online charities are at the greatest risk because they rarely challenge payments or have specialists on staff who can detect suspicious payments and decline them.
But if you are not a charity, it doesn’t mean you are safe. Small Magento stores are good targets for these fraud attempts. Hackers use them for the same reasons they use non-profit organizations.
But this time they will actually buy from an unsuspecting store online. And fraud repercussions will hit you days later – usually when the goods are already shipped and there’s nothing you can do.
This type of attack leaves the store owner both without the product and without the money.
Hackers Use Your Security Holes to Steal Customer Payment Details
Depending on where you get your data from, Magento owns from 14 to 20% of the e-commerce market. This makes Magento an industry leader but at the same time makes Magento stores a prime target for hacking attempts.
Hackers will try to use every possibility to breach your security and infect the website (see this post on defending against data breaches). Once inside, they will attempt to steal your customers’ CC details.
A cardholder data breach will make you liable for damages. It’s not unheard of for online merchants to receive notice from Stripe and other payment processors with compensation requirements for a proven data breach.
Merchants Get Fines for CC Data Breach
You probably already know that Google warns users about compromised websites. Most browsers, such as Google Chrome and Firefox, will block users from visiting hacked websites, which leads to lost sales.
But leaked CC data can lead to even more problems. For example, Stripe will immediately freeze merchant accounts that have exceeded their fraud/chargeback monitoring program thresholds. In addition, the payment processor will apply fines to merchants who violated their security guidelines.
Based on our experience, payment processors will fine merchants depending on the damage done. A $3,000 fine for 100 compromised cards is dwarfed by a $100,000 fine for thousands of leaked CCs. Scaling fines are extremely dangerous for the business since there is no cap to how high they can get. While we are NDA-bound not to disclose any customer-sensitive data, we can say that some of our customers came to us with data breach issues that caused them hundreds of thousands of dollars in damage.
Our team helped run Magento security checks (and regular security audits as well), and audited and closed security holes in a lot of Magento stores, but the damage was already done. Being able to defend yourself from hacking attempts is more cost-effective than dealing with the aftermath, so make sure you read the Magento security tips below. However, in order to understand what exactly the challenge is here, we need to talk about PCI compliance.
What You Need to Know About Payment Security Standards
PCI compliance is the industry standard for receiving online payments in e-commerce. PCI DSS stands for Payment Card Industry Data Security Standard. This standard is applied to all online stores that handle buyer payments using CCs.
Visa and MasterCard together with a few other global payment processors developed the standard to put an end to data leaks. PCI is a de-facto best practice in how e-commerce websites should process and store cardholder data – although not all payment processors use it today.
Non-PCI compliant payment methods can become a huge problem if they get hacked and you lose customer payment details as a result.
Leaked payment credentials can be used for fraudulent payments on other websites or on your own website. And both Visa and MasterCard have mechanisms in place to detect which website is leaking data since they collect and analyze fraudulent payment statistics.
How to Do Damage Control After a Payment Data Compromise
Here are the necessary steps if you suspect or have confirmed a payment security breach:
- Separate your payment processing point from the rest of the website. Move your credit card processor to a stand-alone server in order to contain the threat.
- Close off ports that offer remote access to your processing system.
- Once you have separated these critical services from one another, change all passwords.
- If you can, turn on two-factor authentication wherever possible – FTP, remote access, etc.
- Review your firewall policy to make sure all vulnerability vectors are closed off.
- Do an internal audit of your install and try to find out what exactly happened. Reinstall Magento and its extensions to eliminate the possibility of hacked content still being on your server, or use software to detect malicious changes in system files and remove them.
- If you are absolutely positive the data leak happened, inform the payment processor. Follow their instructions to mitigate the damage.
- Take responsibility and reach out to your customers to warn them about the incident.
For a more in-depth look at the security steps, read Stanford’s white paper on PCI compliance and how to protect payment data.
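The audit step above recommends software that detects malicious changes in system files. The following is an added example, not code from the original post or from Magento, of the minimal form of such a tool: a SHA-256 manifest of the code tree taken right after a clean reinstall, compared later against the live tree. The Magento root, the manifest location and the list of skipped runtime directories are assumptions.

```php
<?php
// Added example (not Magento code): baseline the code tree, then report files
// that were added, modified or removed since the baseline was taken.
declare(strict_types=1);

// Directories Magento writes to at runtime (assumed layout); hashing them would
// change on every run, so they are left out of the baseline.
const SKIP_PREFIXES = ['var/', 'generated/', 'pub/media/', 'pub/static/'];

function buildManifest(string $root): array
{
    $manifest = [];
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $file) {
        $rel = substr($file->getPathname(), strlen($root) + 1);
        foreach (SKIP_PREFIXES as $prefix) {
            if (str_starts_with($rel, $prefix)) {
                continue 2;
            }
        }
        $manifest[$rel] = hash_file('sha256', $file->getPathname());
    }
    ksort($manifest);
    return $manifest;
}

function compareManifests(array $baseline, array $current): array
{
    $report = ['added' => [], 'modified' => [], 'removed' => []];
    foreach ($current as $path => $hash) {
        if (!isset($baseline[$path])) {
            $report['added'][] = $path;
        } elseif (!hash_equals($baseline[$path], $hash)) {
            $report['modified'][] = $path;
        }
    }
    $report['removed'] = array_keys(array_diff_key($baseline, $current));
    return $report;
}

// Usage: "php integrity.php baseline" right after a clean reinstall, then
// "php integrity.php verify" during the audit (or from cron). Keep the manifest
// outside the web root so a compromised site cannot rewrite it.
$root = '/var/www/magento';                       // assumed install path
$manifestFile = '/var/lib/magento-baseline.json'; // assumed, outside web root
if (($argv[1] ?? 'verify') === 'baseline') {
    file_put_contents($manifestFile, json_encode(buildManifest($root), JSON_PRETTY_PRINT));
    exit(0);
}
$baseline = json_decode((string) file_get_contents($manifestFile), true) ?? [];
$report = compareManifests($baseline, buildManifest($root));
foreach ($report as $kind => $paths) {
    foreach ($paths as $path) {
        echo strtoupper($kind), ': ', $path, "\n";
    }
}
exit(array_sum(array_map('count', $report)) ? 1 : 0); // non-zero when anything changed
```

A non-zero exit code lets a cron job or monitoring system alert on any change; a diff against the vendor's release archive is the next step for every MODIFIED or ADDED path.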
Move Toward a PCI Compliant Magento Checkout
Speaking of PCI-compliant on-site payment methods, there are not many around. Creating a proper PCI-compliant experience requires you to pass a compliance audit from a certified provider.
So, in contrast to how freely this term gets tossed around, most systems that offer checkout without taking the user off the website are not PCI compliant (unless they use an <iframe>).
Accepting CC and billing information on your own checkout page is always a compromise between convenience and security.
Default Magento has only one built-in PCI-compliant onsite payment method – Enterprise Payment Bridge. When you install additional non-compliant payment methods, you potentially expose yourself and your customers to a data breach risk.
There are a lot of third-party PCI-compliant services that take you off-site during the payment. These are all secure and fine to use.
So here’s a comparison table of some of the most popular payment solutions on the market:

| PCI Compliant | Non-PCI Compliant (unsafe!) |
| --- | --- |
| Magento Secure Payment Bridge | Authorize.net |
| PayPal Express Checkout | Authorize.net Direct Post |
| SagePay | PayPal Payment Gateway |
| Stripe Payment Gateway | |
Choose your payment service with care. When in doubt – check twice or ask your payment processor directly.
Mitigate Common Attack Methods on Magento Stores
Let’s take a brief look at the most popular ways your Magento store can become compromised. When an attacker studies the website, they are searching for the easiest way in. It’s always different but there are a few common vectors:
| Vulnerability Type | How to Mitigate |
| --- | --- |
| MySQL injections. This is a huge one. Poorly configured MySQL and PHP are vulnerable to malicious code injections. Improperly sanitized MySQL input areas allow the attacker to delete, read, write, and change data in your databases. If you use your database to store payment details, your customers’ CC info will also be stolen. Injected code | Patch Magento to the latest version to close off known exploits and bugs. Create and maintain backups to prevent data loss. Test third-party extensions for popular injections, since these extensions are often less secure and offer an easy way in for any hacker (here’s a fun further reading – Magento security from a hacker’s perspective). SQLmap is one of the most popular tools that help you find vulnerabilities semi-automatically. |
| Non-PCI compliant payment processors. Saved CC is your worst enemy here, but other less secure payment processors can also get you in trouble. Some of them claim to be PCI compliant. Your responsibility is to check whether their claim is true. | Review and change payment processors. Leave only those that are 100% PCI compliant. |
| Merging the payment server with your Magento install. This is the same as keeping all your eggs in one basket. One wrong move and you get a really bad mess on your hands. | Keeping your payments close to your Magento install is a big no-no. Use a secure third-party service or move your payments to a separate server. |
| Known holes in outdated Magento installs. Everyone has access to the Magento bug tracker. It’s open source after all. They can see every bug, every security hole that gets published. | Upgrade to the newest Magento version as soon as you can. Make it a strong commitment to install Magento security patches and upgrade to the most recent versions at the nearest opportunity. Hackers rely on your negligence. Don’t make their work easier. |
| Security vulnerabilities in third-party extensions. Magento Marketplace alone hosts 2,564 extensions for Magento 2 and 1,868 for Magento 1. These statistics do not include any extensions that you can buy from third-party developers outside the Marketplace. | Third-party plugins are not always well secured against MySQL injections and other exploits. Be vigilant about what you install on your website. Try to limit your extensions to only those you absolutely can’t live without. Make sure you update existing extensions to the latest version. |
| XSS vulnerabilities. Both client-side and server-side, these security holes put at risk both your store and your customers’ data. XSS vulnerabilities are often found in third-party extensions when developers don’t meticulously test against hacking attacks. | Keeping Magento up to date will eliminate the risk of XSS attacks from native Magento vulnerabilities. However, third-party extensions are harder to secure. The best way to eliminate third-party extensions as the weak spot for XSS attacks is to test them yourself. This is of course not an optimal solution when you have dozens of them on your website. So it would be a good idea to keep your extensions to a minimum. Fewer extensions will also mean a faster website and better stability and reliability of your Magento store. |
| Human error and social engineering. Simple passwords, excessive permissions for minor roles, unnecessary users in the system, not following Magento security best practices – all this contributes to a huge security risk. | |
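The two code-level flaws in the table, MySQL injection and XSS, both come down to untrusted input crossing into a parser (SQL or HTML) as syntax rather than as data. The following is an added example, not Magento core code, showing each vulnerable pattern next to its hardened form and running both against an in-memory SQLite table with constructed rows; the PDO handle, table name and column names are assumptions for illustration, and a real Magento module would go through Magento's own DB adapter rather than raw PDO.

```php
<?php
// Added example (not Magento code): vulnerable vs. hardened data access and
// HTML output in plain PHP, exercised on constructed data.
declare(strict_types=1);

// VULNERABLE: the request value is pasted into the SQL text, so it is parsed as
// SQL rather than as a value. This is the injection the table warns about.
function findProductUnsafe(PDO $db, string $sku): array
{
    $sql = "SELECT entity_id, sku FROM catalog_product_entity WHERE sku = '$sku'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED: a prepared statement sends the SQL and the value separately; the
// driver never interprets the value as SQL, whatever characters it contains.
function findProductSafe(PDO $db, string $sku): array
{
    $stmt = $db->prepare('SELECT entity_id, sku FROM catalog_product_entity WHERE sku = :sku');
    $stmt->execute([':sku' => $sku]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// VULNERABLE: customer-supplied text is written into HTML unescaped, so markup
// stored in a review (or a name field) runs in every visitor's browser.
function renderReviewUnsafe(string $reviewText): string
{
    return '<div class="review">' . $reviewText . '</div>';
}

// HARDENED: escape for the HTML context at output time. ENT_QUOTES also makes
// the value safe inside quoted attributes; the charset must match the page's.
function renderReviewSafe(string $reviewText): string
{
    return '<div class="review">' . htmlspecialchars($reviewText, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</div>';
}

// Demonstration on constructed data (assumes the pdo_sqlite extension). The
// probe string is the classic audit test input: bound as a parameter it matches
// nothing; pasted into the query it rewrites the WHERE clause and returns all rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE catalog_product_entity (entity_id INTEGER PRIMARY KEY, sku TEXT)');
$db->exec("INSERT INTO catalog_product_entity (sku) VALUES ('WS03-M-Blue'), ('WS04-S-Red')");
$probe = "' OR '1'='1";
printf("unsafe: %d rows, safe: %d rows\n", count(findProductUnsafe($db, $probe)), count(findProductSafe($db, $probe)));
echo renderReviewSafe('<script>alert(1)</script>'), "\n"; // shown as text, never executed
```

When auditing a third-party extension, grep its PHP for string-built SQL and for `echo`/`print` of request or database values without escaping; each hit is a candidate for the two fixes shown here.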
Protect Your Magento Store From Payment Data Leaks
Keeping your Magento store safe is an ongoing effort. Switching to PCI compliant payment processors is the most important step towards a safe store. In terms of priorities, it’s vital that you secure your customers’ data first to avoid both PR damages and financial repercussions.
Both MasterCard and Visa have fraud and chargeback monitoring programs in place that apply fines to merchants who surpass a certain percentage of “bad” transactions. In addition, merchants are liable for fines if customers’ payment data gets leaked through their fault.
And we can help you with that. Our team of Magento experts has audited and secured multiple Magento stores that had issues with payment data leaks which resulted in fines from payment processors. Onilab closed off possible attack vectors and made these stores more secure and robust against future hacking attempts. Get in touch with Onilab and our Magento security experts will run a Magento security scan to identify possible issues with your online store.