News & Blog

Serious Security Flaws Found in Many Online Shops.

By Francis West on 19th October 2016
Filed under: Blog

Research by WhiteHat Security has found that retail websites have an average of 13 serious security vulnerabilities and that half of all retail websites have at least one serious security flaw.

This research highlights one of the reasons why cyber-crime figures remain stubbornly high. The WhiteHat figures show that on average retail websites have 23 unique vulnerabilities which could be exploited by criminals.

Critical Flaws.

To give an idea of how bad the 13 “serious” security vulnerabilities are in most retail websites, if the Open Web Application Security Project (Owasp) were applied to them they would be classified as ‘critical’ or ‘high risk’. Owasp is a trusted online community for resources that can be used to improved web application security.

Other Research.

The findings of WhiteHat Security are unfortunately no surprise and are backed up by research from other organisations. Dutch developer Willem de Groot, for example, have uncovered shocking evidence that nearly 6,000 online retailer websites contain code (which is unknown to the website administrators) that has been designed to steal credit card details.

In these cases, it is believed that hackers have been able to access the online store code via unpatched software flaws. Hackers can exploit and monetise these flaws by installing a (JavaScript) wiretap which intercepts and directs live payment data to an offshore collection server.

De Groot has also found that there has been a shocking 69% increase in credit card skimming since November 2015.

Key Logging Attacks.

Security researchers at RiskQ have also uncovered a key-logging attack being used on shopping card software. The attack known as ‘Magecart’ inserts JavaScript into the online retail website in order to steal credit card details.

What Does This Mean For Your Business?

This means that businesses could face an uphill struggle in making sure that their online shops are safe and secure, and therefore action needs to be taken as soon as possible.

If, as the research suggests, there may be many serious vulnerabilities in the web applications of online retailers, the most sensible move by those businesses may be to prioritise the critical and high-risk security flaws for remediation. Less serious flaws can be dealt with later as resources allow.

Credit card skimming risks could be nipped in the bud if businesses with online shops would upgrade their software regularly. It is also important for businesses to maintain vigilance and to scan their own websites for Owasp‘s top 10 most critical web application security risks. Maintaining a web application firewall and applying patches immediately are also ways that businesses can reduce the risk.

To reduce the risk of crimes such as key-logging attacks, website shop owners could partner with integrators and contractors to ensure that the desired compliance, transparency of technology, and e-commerce security standards are met. Website shop operators should also make sure that web stack software is updated, and that there is conformance with recommended security controls and best practices.