How To Protect Your Ecommerce Website Against Eskimming

Watch to learn the top dangers ecommerce sites face and the very best practices to keep your ecommerce website safe.

In this webinar, SecurityMetrics VP of Investigations, Aaron Willis, and Deputy CISO, Matt Heffelfinger, discuss:

  • The top dangers ecommerce sites face
  • How to better understand your attack surface
  • The very best practices to keep your ecommerce website safe

Learn more about Shopping Cart Monitor here.

Request a quote to see how Shopping Cart Monitor can protect your business here.

Transcript of How To Protect Your Ecommerce Website Against Eskimming

We are SecurityMetrics, and we are one of the world's leading compliance, risk, and cybersecurity companies. We help businesses of all sizes, help them stay secure, and see the threats they've been missing. We are proudly in business now, twenty four years based right here. Yeah. Right here in Orem, Utah.

And we operate globally. I am your host, the Deputy CISO, the director of the Threat Intelligence Center here at SecurityMetrics. And with me today, we have a special guest, a subject matter expert, our ecommerce subject matter expert, Aaron Willis. Welcome.

Thanks, Heff.

Glad you're here. What's your role specifically when we talk about ecommerce security?

Oh, here at SecurityMetrics, I've been here almost fifteen years.

Most of that was spent as the senior forensic analyst on the, forensics team. And, recently, as of last year, I I took over the department as VP of forensics.

Congratulations.

Yeah. So, you know, we're gonna talk about today most of this conversation is for our enterprise level clients, our big corporations, and anybody with a cybersecurity or IT staff, and you're concerned about your ecommerce, your shopping platform, this will be a slightly technical conversation. And the good news is we have created a second webinar conversation that is specifically tailored for small to medium sized business owners, or IT staff, or managed service providers. It's a little bit different conversation, Aaron, when we talk about ecommerce security, when you talk about it happening at the enterprise level versus the small business, medium sized business level.

So you can find that link to the small business webinar about ecommerce security right here attached to our briefing. Now if you'd like to watch it again, or you'd like to share it with your friends or family, or your coworkers, your peers, your colleagues, we encourage it. There is a ton of information we're gonna talk about today, and you might need some time to process it and take it all in. And we're gonna do our best to try to decipher it and make it as simple and as explainable as possible.

Today's content is perfect for anyone that is concerned about ecommerce security. You're concerned about your shopping cart platform, and if you are a business owner, if you're a department head, if you are on your compliance or cybersecurity teams, you might have questions, and we're gonna try the best to try to get you those answers today. And at the end, we will have some of the questions answered. But if you do have other questions, you are welcome to to send them into us.

And we also have, Aaron, I love this about our company, tons of supportive content.

Stuff to help you learn more about ecommerce security and the threats that happen in the shopping cart. We will be sharing those as well as a recording of this conversation. So set us up, Aaron. Help us understand that world of ecommerce security. Man, it seems like it's really complex. It's changing so rapidly from when we first heard about ecommerce security.

Oh, yeah. It's it's a new frontier out there, really. Things change so fast in the ecommerce world.

It used to be that, you know, on a web server, the content was on that web server. Now it's such a distributed environment. You know, we've got content delivery networks all over. And the level of complexity, has skyrocketed, really.

I think the audience is really gonna appreciate today. We're gonna try our best to try to understand that complexity and and decipher it for all of you. Help me out, Aaron. I know you have a top three list. What are your top three dangers? If you are in the enterprise world, you're a big corporation, you're on a cyber team or compliance team, what are your three top your top three dangers that you're concerned about when an ecommerce conversation comes up?

Oh, that's a tough one, Heff. It's now what do you mean by top three? Are we talking about vulnerabilities? Are we talking about exploits that are actually out there?

Yeah. It is tough. And, you know, I I would specifically if we can narrow it down to what happens in the ecommerce shopping cart platform. You have an online shopping cart. What could potentially go wrong in that shopping cart?

Well, in in an in an enterprise ecommerce environment, there's there's so many things going on under the hood. There's, you know, third party scripts and plug ins, supply chain vulnerabilities.

Iterative attacks are what really keep me up at night. Now those things can be all but undetectable.

We've even seen a new weird thing that's happening where unauthorized resellers are marketing companies' products for the sole intent of capturing the credit card.

That's tough. That's there's so many doorways though, Aaron. I mean, you just brought up a couple of them, but the the the idea here is it's so complex.

How does someone just understand all the hands in the cookie jar? I mean, it really comes down to you have a shopping cart, you've got more third parties than ever that, you know, they have their scripts running. You have the marketing department say, I gotta have this thing running in the shopping cart. I've got other kinds of things happening in their analytics, data analytics. What else is going on there on these doorways?

We're seeing a whole lot of of plug ins that are being compromised. A lot of a lot of the same things that we've always seen, you know, just lack security that's allowing these attackers in and getting, malicious code put in place. Of course, people are always people, so there's always gonna be that that human element. Yeah. You know, you can have the best plans in the world, and somebody clicks on a phishing email in your in your organization, and your plans go up in smoke, and you're you're remediating.

There there's a lot more doorways into the shopping cart. I know for the audience at home, they might want to understand the evolution of the shopping cart. At one time, all the web page code, it came from the merchant's own web server. Right? And now that's changed. What what has changed in there?

Initially, when ecommerce sites went online, there were lots of merchants that could just put a shopping cart in place, you know, an off the shelf cart, and everything was just right there centralized on one server. Yeah.

In the point of sale environment, we locked that environment down. Right? It was if you wanted something in a point of sale, you really had to jump through a lot of hoops to get something approved. You know, if you wanted a script running on a point of sale environment, you had to get approval from all over the place.

Now, in an ecommerce environment, there's so many things, that can be put on that checkout page from, you know, subscription services and coupon databases, all kinds of business analytics, traffic exchanges, ad networks. We see all these type of things running, and that just creates a massive surface area that, attackers can play around in. So the the amount that the amount of surface area that attackers can hit has grown just exponentially.

Yeah. It seems like every additional source of code is just another doorway, another opportunity for the bad guys to to get in there and insert malware. So we we mentioned a couple different doorways. I know you mentioned embedding malicious JavaScript into the commerce checkout page. You mentioned third party scripts, third party suppliers.

They're doing the ads, the static content, all the analytics. They're really corrupting in some ways the functionality of your shopping cart platform, making a real challenge.

And we see, like, hackers are, you know, mimicking domains, you know, registering look alike domains. Oh, man.

That's gotta be tough. And they're spoofing victim domains. I I I understand that, you know, if you are an enterprise level client and you have a high volume of traffic, this is really where you become a much larger target for the threat actor.

What about host? I know I've also heard examples where they're using dedicated hosts for injection and drop. Is that still ongoing?

That that's ongoing.

Now they're using distributed hosts, really. They'll send data all over the place. They'll you know, it's not just a single host anymore. You might have a compromised website here where they source the code from, you know, a compromised content delivery network. Right.

But they might use that to get the code, and then they'll capture data, and they'll send it off to a completely different compromised host.

You know, from, for an enterprise level client, I would say probably one of the greatest challenges they have is understanding all of the things that are happening in that shopping cart. All the plugins that every department seems to want. Marketing wants their plugins going on. You have the analytics folks, they want their plugins going on. Trying to really understand and getting a baseline of all those things that are happening in your shopping cart is a real challenge.

Let's let's take a moment though. Let's dive a little bit deeper into the threat because we always say threat actors, Aaron. Oh, that's a threat actor. It's the bad guy.

But we never really ever I rarely hear people actually go into, well, who is the shopping cart bad guy? Because there's quite a few. There's a ton of them out there. We know of at least seven.

They typically fall under this name of Magecart. Can you take a moment? Can you kind of explain for the audience what is Magecart?

Magecart is an umbrella term that really describes a group of attacks or type of attacks.

You can think of them as as, you know, organized crime, little groups here, little groups there, or, you know, if you wanna call them Internet mafia. Yeah. Internet mafia. But their their their goal is to exploit your website to capture any valuable data they can get from it. If I mean, if they can't get anything, they may just lock it up with ransomware and hold your data hostage.

Yeah. I am I'm excited to show the audience a demo. We're We're gonna show you one of the latest threats that happens and one of the or how it happens. We'll show that here in just a minute.

But before we move off this topic of Magecart, we know of at least seven varieties. We know as early as twenty fifteen that Magecart skimmers were in place. We're talking about malicious JavaScript code being embedded into your ecommerce platform. It really is a wide net of casting here.

They're using automated tools. That was usually Magecart groups one and two, and then it evolved into other Magecart groups like, version three, which was high volume targets, version four, which became really advanced.

Advanced dangerous. Yeah.

Folks, that is where you see so much advanced going after the analytic providers, going after ad providers, mimicking your domain, for example.

Where we got the drive by malvertising.

Man. It was rough. That was a rough era. And now it's evolved. We have groups five, six, and seven, and there may be other groups out there. I remember group five of Magecart, twenty sixteen, the big Ticketmaster breach.

Oh, the Ticketmaster breach.

Which really inspired SecurityMetrics to go and create something that can find these bad guys back then. Going after the third party suppliers. In twenty eighteen, we saw another evolution of Magecart.

British Airways.

Yeah. British Airways, Newegg breaches. And now, we're in really I call this the modern age of Magecart, which is you have dedicated hosts for injection and drops, exfiltration, compromised sites as proxies. Yeah. It's insane.

Yeah.

Yeah. In the demo, all that I put together, we'll actually look at, a group seven type of attack that we've been seeing.

And I love that. It's a great setup because, folks, we are very happy to show this to you, this demo here. I know we mentioned a lot of doorways. Let's show you at least one doorway of how this happens. Can you kinda set up the demo for us? What what is the audience gonna see in this demo?

What we'll show here is something that happens via a third party exploit.

In this case, this is an example taken from a real world exploit. But, when a customer would input their ZIP code on a particular site, the shipping plug ins would activate so that the customer would know how much each of the shippers would charge, and they can go select, you know, whichever shipper they want.

The merchant had a discount shipper on there, fairly new to the game.

But that shipper had a compromise on their website. So whenever the merchant's website would call that plug in to get the shipping code, it would just bring over a little bit of malware. And it's just a couple of lines of JavaScript in the thousands of lines that were being called.

But when whenever a customer would select that particular discount shipper, and a lot of them did because, you know, it was the cheapest method. Right? Right. Right. But, that would introduce the malware, but it was only when the the customer selected that.

So wait a minute. You're telling us that the malware only activates when you choose one particular shipping. So it's not the big dogs. It's not like if I choose FedEx or UPS. It's only if I select Ship2You, that is when the malware gets loaded?

In this particular case, yes. But, you know, we've seen other cases where, you know, it's not a shipper. It's the the attackers take advantage of anything that's there. Right?

Yeah.

If they can get in and find a coupon database that they can access, they'll hit that. In this case, this was particularly scary because there was no compromise really on the merchant's website.

You know, the the attackers didn't get into the merchant. They got into the to the plug in, and that code existed, you know, off of the merchant's website, or off of their server, but was only introduced into the browser at the moment of checkout. You know, as soon as the customer clicked on that shipping option, the malware was called.

And the thing is that that call was whitelisted.

Wow.

You know, the merchant said, yeah, that's us. You know, if you think about it, how often is anybody gonna go in and line by line check to see No. If that's there or, you know, maybe they have an SRI in place that will validate that. But in this case, this had been going on for a while, and nobody could figure out why they were losing cards.

And I could see some some people saying, well, well, that's not my problem. It's the shipping problem. It's not I don't I don't care about that. But, you know, when you're talking about running a business, a safe and secure business, giving your customers peace of mind to do business with you again, yeah, absolutely.

This is such a huge thing. I think it's fascinating too that a threat actor would choose to, maybe, perhaps, they perceived they would have less chance of getting caught. Right? If I use Ship2You and not FedEx or any other shipping provider.

You know, use an obscure discounted shipping company that few people use or heard of. Fascinating stuff.

So they're gonna use any access. Any any weakness they can find is exploitable. What else is fascinating to you potentially about this this example that we're showing the audience?

What was particularly interesting about this case is that it wasn't just this merchant. You know, these guys are a source provider. Right? And so this code appeared not just on this merchant, but there were, I think, four hundred other merchants that were affected.

Alright. In this demo, we're going to show you a what happens when a third party plug in gets compromised. In this case, we're using, a typical shipping plug in that calculates the shipping based on the ZIP code.

And so the first thing I'll do is just put in this, ZIP code. I'll just put in our own.

And we can see that quickly.

It went and got our shipping calculations for USPS, FedEx, and we've got one here called Ship2You. This is a fictitious shipper that I just put in as a demo, but this represents an actual plugin that was breached from a shipping company.

And so you can see if you select one you know, I just chose USPS right there. It added our shipping and and calculated the total.

So we'll just go about our checkout process.

I'll just put in some fake data here and a fake credit card.

And now if an attacker has malware on this page and tries to skim the credit card, we can see that the iframe that is protecting this checkout process does exactly what it is supposed to do.

The malware cannot get in here and read any of the sensitive credit card data.

However, something interesting happens. If we refresh this page and we choose a different shipper, I'm gonna choose Ship2You. Yeah. It's the cheapest option.

And so we select that one. It calculates the shipping.

I'll do the same thing and put in some test data.

And now we try to skim the credit card.

See, the malware was able to get in and grab that card data when we chose the Ship2You option.

Now what's really interesting about this is that Ship2You is a legitimate carrier. They're a good company.

They deliver the merchant here chose that company in good faith. However, the attack didn't happen on the merchant site right here. When we click on this, there's a call that goes out to Ship2You or to FedEx, to USPS, and interacts with their shipping API to calculate the different charges that they might do based on that ZIP code.

And so when we saw this exploit out in the wild, the merchant had seen all the code, but had whitelisted it and allowed that code to come in onto their website.

When they did it, what's interesting is they were seeing in their logs that only certain transactions were compromised.

We we were looking all over trying to find what it was, but we didn't see it until we actually clicked on all of the different checkout options or all the different shipping options.

And, you know, looking at USPS and FedEx, we did not see any malware. Nothing seemed to be off. We ran multiple transactions and didn't see anything. It wasn't until we clicked on this Ship2You option that we saw the malware.

When we looked in their logs, it became evident that all of the transactions that had been compromised all had the same shipper in common. So that could also be something, a merchant could look at in their own logs. If you're getting a a number of transactions that are being reported as compromised, you can look at those look at your logs and see if there's anything common between them, whether, you know, they were using coupons on the checkout or maybe they were all using the same carrier.

Things like that can can be indicators that it's a third party plug in that's in play.

Well, you know, e-skimming, obviously, it's difficult to detect. If you're not looking for it, and you don't know all the plug ins you have running, and you don't know everything else that's going on in there, how difficult is it to detect e-skimming, especially when the checkout process is occurring in the browser? Can you kinda give us an example? I mean, some of these existing tools that big enterprises are using are not gonna catch this kind of stuff.

Yeah. It can get really difficult, especially when it's an iterative attack. Yeah. We we've done that demo in in other presentations. But the idea is that the attackers are not gonna try to get every single card anymore. They know if they grab everything on a large site, it's gonna be detected and and, you know, it's gonna get shut down fairly quickly. Now they're trying to fly below the radar, and they're just grabbing, you know, a a handful of cards at a time, you know, avoiding anything that would alert, the card brands or or the acquirers that there's a problem on this website.

And so they do that by injecting just the smallest amount of code and using triggers, you know, that can be based on things like which shipper you choose Yeah. Or whether you use a coupon code, things like that. We've seen it where it's just based on certain IP ranges. Wow. We found another one recently that was just a random number generator. That's insane. And so it gets really difficult for even experienced forensic analysts to detect what's going on because you have to be there right when that trigger fires.

And it doesn't trigger all the time. Right. It's random. Right? I mean, you're sometimes you're gonna see it, sometimes you're not. Makes it a real challenge for for the good guys.

Yeah. And, of course, you know, a lot of these exploits now are running in the browser. So tools like file integrity monitoring Yep. That's running server side, and it does a fantastic job.

We want everybody to have file integrity monitoring. Yeah. It does a fantastic job on the server side. If it's set up and configured correctly, it's going to alert anytime any of those core config files or checkout pages are changed server side.

Yeah. There's a big hole though on the client side. Yeah. We don't have visibility.

There are things that are happening client side that, you know, file integrity monitoring has no idea.

And a lot of companies, they have IDS, they have IPS, they've got a SOC maybe, maybe they're using a managed security service provider as their SOC. They don't have visibility either into what's happening in the shopping cart. Real challenge. Patching can help too, but at the end of the day, if you have all of this third party software running inside the shopping cart, the e-skimmers, they have and you're not scanning for that third party code, that becomes a real challenge.

And there's tools like content security policy, CSP Yeah. And SRI that we mentioned. Those can absolutely help, but they're often very complicated. And we see big enterprises all the time that aren't doing it. Oh, gosh. And so, you know, a third party supplier may get popped, and nobody has any idea. And that code gets distributed out to a bunch of different merchant websites.

It's tough. I know I I know if I if I was in the shoes of the audience right now, I'd probably say, what are my options? What are my solutions? What can I do to protect my large enterprise, my shopping cart? You know, what are some of the things that you typically recommend to our clients in conversations like that?

Protecting your business is really about doing what's best for your business.

You always have to do what's necessary to protect your business and and, you know, operate within your budget, of course. Yeah. I always tell, our clients, our forensic clients, you know, it might cost this much to to implement the proper security. What happens if you don't and then you get hit?

How much is that gonna cost? Yeah. And so it's really important that you stay within your budget, of course. But your budget really needs to reflect the value of your data, and the risk to your company.

Yeah. And so, you know, if you're a big company, you've got valuable data, you probably should have a decent budget allocated to security, you know, versus, you know, if you're a small merchant, you may only need basics. And, of course, there's a lot of free tools and things out there that that people can use.

What about AI? I mean, if I use AI to cut corners, I hear that a lot. You know, I'm gonna use AI, and it'll solve all my problems.

Any challenges with that?

Yeah. It we're we're seeing, problems start to pop up with AI. AI is at a point where it can generate a lot of code. Yeah. But it is by no means a replacement yet for skilled, knowledge.

Yeah. Especially a product like what we do with Shopping Cart Monitor and the things and the level of knowledge and skills that Aaron and his team have done. Phenomenal stuff. I think it's important that for the audience, especially again at the enterprise level, that you get some kind of framework on an effective shopping cart security implementation. What does that look like? You had mentioned starting with file integrity monitoring. What else can someone think about or examine?

Well, there's a basic model that we've seen that is highly, highly effective, whether you're an enterprise company or an SMB. You know, getting file integrity monitoring in place is great.

Yep.

Getting an iframe around that payment form is one of the most effective methods of protecting that card data. If you think about it, if you use an iframe and you don't store the card data, then when your customer types that credit card in, there's only one point where an attacker has the ability to capture that card. Mhmm. And so by using that iframe, you can really isolate that payment process.

And so we we encourage, merchants to use an iframe with a reputable payment gateway, and then tokenize that card.

Yeah.

You know, so that so that you're not working with that card number anymore. It it's submitted once and only once.

One transmission, no storage. That's such a wonderful thing.

And that really eliminates the opportunity of anybody grabbing that card. It's still there. You know, people, are typing that credit card in. And so the attacker you're forcing the attacker to be right there at that moment. Mhmm. And then, of course, you need your security to be there at that moment as well so that if anything goes weird in that process, you're looking at it in real time.

And that's really the beauty of what we have with SecurityMetrics. We have Shopping Cart Monitor and Shopping Cart Inspect. And I would encourage you to pick up the phone and call us about that, and at least get a demo and see the beautiful work that your team does in finding those kind of threats.

Yeah. And, of course, we continue to see, the admin portals getting breached.

No MFA?

Yeah. Yeah. It's just, you know, they're set up. They're running smoothly.

But to manage that cart, you've gotta log into your panel and and do things. That's a privileged area. You can do a lot of of Damage. Damage if you get in there.

And so the kingdom really. Yeah. We continue to see those admin portals compromised all the time. So we encourage everybody to get MFA set up.

That's multifactor authentication.

It's it's bonkers that in this day and age that people still don't have MFA turned on, especially on the shopping cart. But there's a lot of other things as part of your holistic strategy to secure your shopping cart. You had always mentioned things like we had mentioned IDS and IPS and endpoint monitoring and WAF.

What can they can they get a lot of traction in that area?

Yeah. Those things are are really part of any robust, web security. And you want especially getting your WAF in place and back it up with an IDS and IPS. Endpoint security, of course, you know, you can get all the way down to the packet level to see what's going on.

I think that's what's really cool about SecurityMetrics is that we have not just Shopping Cart Monitor products and services, and Shopping Cart Inspect, but we can also provide a holistic approach, which includes offering endpoints for your business, offering monitoring, and really it's about essential monitoring more than anything. Yeah. Your IDS and IPS may catch it, but they may not. And I think the way that we do our monitoring is very unique and very different, and I would encourage you to have a conversation with our team about that.

But more importantly, there's an education element too that goes into this. And if you're not aware of all the different the seven or more flavors of Magecart, and you're not aware of these different doorways into your business shopping cart, you should start with education. And we do offer a lot in that area as well. Cop went or completely free?

Yeah. One thing we forgot to mention, robust logging. Yeah. You've got to be logging those transactions on on your website, on that checkout process.

Log everything that you can. Yeah. Because if you do get a a compromise, one of the hardest things to for an investigator to do is come in and try to figure out what happened when you don't have the right logs. You know, if you have the right logs, often it's a matter of of a few hours work, and we know how they got in and what you need to fix.

We've got a client right now that they're getting hit over and over again and they still don't have the right logs in place. That's tough. Yeah. And it's like, we know they're getting in.

We we see them the moment they get in. We're detecting it. Yeah. Right like that.

But it's happening over and over again, and they just don't have the right logs in place.

Wow. What a challenge.

And so even when you do have the right logs in place, you gotta have somebody monitor.

Yeah. You gotta be looking at it. I know that's what we do. That's what my team does here, monitoring logs.

I we did mention a lot of the free stuff out there. I would encourage you. We're gonna put a link in the description here that if you would like to sign up for our weekly free intelligence email, we try to go out and feature all the latest shopping cart ecommerce threats that are in the news. So you're ahead of the story before it happens to you, and that is a beautiful thing, folks.

It's completely free. There's no cost to you to sign up for it. Education and awareness is is a critical piece of it. And we do tailor the the information in there to cover those topics, cover those latest threats that are happening.

So at the enterprise level, I always seem to hear about getting a baseline, getting an idea of what normal looks like in your shopping cart. Can you kinda dive into that for a moment? Why is that so important?

That's a critical thing to do. You know, PCI DSS 4.0, the new one coming out. Yep. 6.4.3 addresses exactly that. You have to know what's running in your shopping cart, especially when credit card data is present.

You've got to know if there's ad networks running or traffic exchanges, business analytics scripts, anything there that could potentially have access to that card data, you've got to know what it is and what it looks like when it's running. You know, establish a baseline. These connections are what happened. These are the HTTP GETs and POSTs that are going on.

The data flow is about this size. And if you get that baseline, it's a whole lot easier to spot anomalies that happen. Yeah. And so, you know, we offer our Shopping Cart Inspect service that goes through and catalogs all the JavaScripts that are present when the card data is present.

That's crazy. And let me ask you. I'm gonna put you on the spot here. I've heard stories that some companies have upwards of six hundred scripts, third party scripts running in their shopping cart at any given time. Is that right?

Yeah. Absolutely.

We've, you know Six hundred folks.

So then that's that's just unique calls. Those libraries can get into the millions of lines of code.

That's crazy. And not knowing what's even happening in your environment and not having a baseline. And, you know, coming from my perspective on the security operation side, we always talk about, well, you gotta have a baseline of what normal looks like on your network. I mean, we drive that into our clients' heads. But, you know, for a lot of people it's not on their radars, and knowing a baseline of what's happening in their ecommerce platform is just as important, just as critical, and it always seems to be left to the wayside and not really important in a lot of businesses' minds.

Yeah. It is critical to get that baseline. It's really inexpensive to do.

You know, you can, of course, do it yourself, but, you know, our Shopping Cart Inspect is a thousand bucks. Yeah. You know, for the value you get there, you get so much information about what's going on under the hood in your checkout process. It's a very detailed report.

One-time scan, you get in there, you see your strengths, your weaknesses, your opportunities in that shopping cart. If something malicious is found, what do you guys usually do then?

Oh, in our Shopping Cart Inspect report, we provide you with the exact scripts where we found malicious or suspicious code running. Yeah. So that you have an actionable item. You know, a lot of times if the card brands or an acquirer contacts you, they say, hey, we think you're losing cards.

Go figure it out. Yeah. With the Shopping Cart Inspect, we can say, these are the vulnerabilities that we think might be exploitable on your website, or this is the malware we found and you're compromised right now. Start here.

Wow. You know, get that locked down, get that malware out of there. Yeah. And then, you know, we can work with you to formulate a plan to get those holes plugged so that you're not dealing with this again six months later.

Oh, no way.

Alright. So I know we have questions. We wanna get to your questions. We're kind of on the back end of this webinar, and I wanna just answer some of the most important questions that have come into our center here.

Let's start with question number one, and I'm gonna put you on the spot, see how you do on this answer here. The question says, shouldn't my third party platform cover most of the security tasks for me? I expected them to make sure my checkout process was secure. That's a common misconception, isn't it?

Yeah. At the end of the day, it's your merchant account. It's your responsibility.

And the card brands are gonna come after you if it's your merchant account. Wow. And so there are all kinds of third-party agreements, and we see lots of third parties that claim to be PCI compliant. But when we dig into a breach, we find out that they're not. Uh-huh. You know, even though they're advertising that they are.

And so if you're using these third-party services, that's fantastic, but always do due diligence. You know, make sure that it is clearly delineated which responsibility belongs to which party. Mhmm. You know, a lot of times, we especially see it with logging.

Somebody always thinks somebody else is logging. Or watching it. Yeah. Or monitoring those logs.

Yeah. They're not. Yeah.

We see that all the time. You know, it's like, hey, we need your logs.

Ask them. Yeah. Ask the other third party.

That's tough. Now you mentioned the new PCI requirements, and I know some of our audience is really into that stuff. And it's one of the things that we're known for here at Security Metrics. The new requirements, what is it? 6.4.3?

6.4.3.

And 11.6.1? 11.6.1. What are the recommendations that you have? You mentioned a couple of them. Let's kinda summarize it. That is our next question right here. What recommendations do you have for some of these new PCI requirements?

Get started early. Okay. You know, don't wait until the requirement is mandated.

Start getting those things in place now because it can be complicated.

Or you can outsource it to a company like Security Metrics. You know, we've got our Shopping Cart Monitor, which specifically addresses 11.6.1 and 6.4.3. Yeah. You know, 6.4.3 is know what's in your shopping cart. You know, make sure that the integrity is there. And then 11.6.1, of course, is monitor it. Make sure that if a third-party plug-in that you're calling has code that gets imported onto your website, if something changes, you gotta know about it, and you've gotta vet those changes.

We have time for two more questions, and I wanna get to these next two. The one that I love: if you had a limited budget, limited time, limited resources, maybe you don't have a big staff, what are one or two of the most important security practices that you would focus on with those limitations?

I would get an iframe in place. Okay. A third-party hosted iframe. Most payment gateways now support it, and they've got a lot of robust features that still allow your website to be fully interactive. That's one of the best ones.

And then get file integrity monitoring running on your server so that if anything changes on your server, you're alerted.

Get notified. Yeah.

And then get a Shopping Cart Monitor service running on the client side.

Yeah. I would add to that: keep the ongoing monitoring. After that moment in time, you get that snapshot. You gotta keep it going because things change. Third-party scripts change. You gotta stay in the loop on what's happening there.

Yeah. That'll give you the best coverage possible for minimal budget. Yeah. That covers the server side, it covers the browser side, and it covers ongoing monitoring.

K. One last question here. And again, if you have questions, if we didn't get to your questions, please send them in to us. We will absolutely do our best to try to answer them for you, and someone will get in touch with you. What if you had to kinda pick one, the most difficult threat to detect, the most dangerous threat right now that you're seeing? Can you kinda share that with the audience as well?

We mentioned it before. These are the iterative attacks. Iterative attacks. Okay. These ones are so hard to detect. They fly under the radar.

It might come from a third-party plug-in that we mentioned, and it could be whitelisted.

So if you've got multiple third-party plug-ins or service providers on your checkout page, did anybody vet those before you did it? Yeah.

Again, those can come in. And if you whitelist them, if you think that code is all legitimate, and you're getting breaches, you're losing credit card data, it's time to thoroughly look at all of your third-party suppliers.

And a lot of times, some of them aren't even necessary on the checkout page. Yeah. We see it over and over where analytics scripts or traffic exchanges or other third-party code is running there when it really probably could be moved out of that process.

It's a bonkers world we are entering when it comes to ecommerce security, all of the changes and the threats and the speed and the velocity at which these things are happening. From all of us here at Security Metrics, including myself, Heff, and Aaron, we're so glad you could join us, and we hope you got a lot of value out of today's briefing and webinar. Now if you do have questions and we didn't get to them, we're sorry.

We would like you to submit them, and please give us a call. We will do our best to try to get you some help on your ecommerce platform and get you some security around that. You are also welcome to share this webinar, and, of course, we encourage you to watch it multiple times. There's a lot, I mean, a lot, folks, to take in.

But as always, thank you for joining us, and we'll see you next time.