igor - Fotolia

Retail websites riddled with security holes, researchers warn

Retailers urged to improve the security of their online stores amid a series of discoveries of cyber criminal campaigns to exploit vulnerabilities in retail websites

Retail websites are full of security vulnerabilities and urgent improvement is needed in the sector, according to researchers.

On average, retail sites exhibit 13 “serious” security vulnerabilities that are classed as either “critical” or “high-risk” by the Open Web Application Security Project (Owasp), according to WhiteHat Security.

The security firm’s researchers also found that about half of all retail websites exhibit at least one serious security flaw, but the average is 23 unique vulnerabilities.

“Retailers clearly have a big part to play in website security,” said Ryan O’Leary, vice-president, threat research at WhiteHat Security. “These organisations represent thousands of consumer-facing web applications and are responsible for holding both personal and financial information.

“Retailers are simply not able to resolve all of the serious vulnerabilities found in their web applications, and it takes them a long time to remediate even the most serious vulnerabilities – on average, 205 days to implement an appropriate fix.”

Retailers are prioritising and rectifying just under half of the website vulnerabilities that they are made aware of, the WhiteHat researchers found.

The existence of multiple serious vulnerabilities not only increases the total business risk that retail organisations assume, but also the risk that they pass to users of their vulnerable websites, said O’Leary. 

“By prioritising the critical and high-risk security flaws for remediation, retailers stand a good chance of reducing the number of days that serious vulnerabilities remain open to attack,” he said.

Researchers at security firm RiskIQ have also recently discovered a key-logging attack using shopping cart software vulnerabilities to compromise e-commerce sites and steal payment card information.

According to RiskIQ, the attack, dubbed Magecart, injects JavaScript code into the site, which allows attackers to capture payment card information.  

Retailers operating e-commerce sites should partner with integrators and contractors, said RiskIQ. These can be verified to provide assurances not only of minimum compliance requirements, but can also demonstrate transparency around the technologies they use and their processes for hardening e-commerce installations and maintaining sound security.

Read more about web application security

  • Four out of five applications written in popular web scripting languages contain at least one of the critical risks in an industry-standard security benchmark, according to a report from Veracode.
  • Some consultants find web application firewall products don’t deliver due to poor deployment strategies and a lack of skilled maintenance.
  • The 2014 Verizon data breach report shows a big rise in Web application attacks, with CMS frameworks and user credentials the most likely targets.
  • The threat landscape and increase of web app attacks forces security teams to tackle web app security through secure software development.

E-commerce site administrators must also ensure familiarity and conformance to recommended security controls and best practices, and that all operating system software and web stack software is kept up to date.

The security of retail websites has come under scrutiny after Dutch developer Willem de Groot found 5,925 online retailers unknowingly harbouring code designed to steal credit card details.

Poor web application security is the underlying cause. “In short, hackers gain access to a store’s source code using various unpatched software flaws,” De Groot said in a blog post.

“Once a store is under the control of a perpetrator, a (Javascript) wiretap is installed that funnels live payment data to an offshore collection server (mostly in Russia). This wiretap operates transparently for customers and the merchant. Skimmed credit cards are then sold on the dark web for the going rate of $30 per card.”

Card skimming increasing

According to De Groot, this online card skimming is being carried out by several cyber criminal groups and has increased by 69% since November 2015, when he first began tracking the activity.

“New cases could be stopped right away if store owners would upgrade their software regularly,” wrote De Groot. “But this is costly and most merchants don’t bother.”

John Bambenek, threat intelligence manager at Fidelis Cybersecurity, said retailers should pay more attention to security because failure to do so could put their reputation and profitability at risk.

“Every day, millions of scans are detected looking for routine vulnerabilities to insert malicious code into websites,” he said. “The problem is that once the malicious code has been injected and the commerce store has been skimmed, customer card data is at risk of being sold online.”

To combat online skimming, Bambenek said retail sites needed to remain vigilant by scanning their own websites for the top 10 most critical web application security risks identified by Owasp, maintaining a web application firewall, and applying patches immediately. 

“These steps may cost retailers time, but over 90% of exploitations would go away overnight if implemented,” he said. ..........................................

Read more on Hackers and cybercrime prevention

Data Center
Data Management