How websites can tackle Magecart attacks

One of the biggest security concerns for many organizations, in particular those operating in ecommerce, is currently the Magecart family of web skimming attacks. By targeting online checkout pages, these criminal groups have cost businesses of all sizes thousands, and in some cases millions, of pounds by intercepting payment card data as customers type it in.

So, how can companies deter hackers and why does their website have a part to play in reducing the threat level? Gav Winter, CEO of next generation website monitoring company RapidSpike, explains…

From air travel to retail and ticketing, every organization has to keep its security processes watertight to protect itself from cyber-crime. Even as businesses add extra layers of safety and surveillance to fend off these damaging threats, scammers keep finding new, sophisticated ways to target more of them online.

Magecart attacks are never far from the headlines either, with high-profile victims including Ticketmaster and British Airways. The 2018 attack on British Airways affected more than 400,000 customers and led to a £20m fine from the Information Commissioner's Office two years later. More recently, Emma Sleep's breach affected consumers in 12 countries.

A Magecart-style attack starts with the attacker gaining the ability to change what a page serves, whether by exploiting a vulnerability, through human error such as weak or reused credentials, or by compromising a third-party script the site already loads. The attacker then injects malicious JavaScript into an existing script file or into the page's HTML; it runs in the shopper's browser, copies what is typed into the payment form and sends it to a server the attacker controls. Attacks of this kind have plagued ecommerce companies for some time.

Additionally, SonicWall's 2022 Cyber Threat Report makes for stark reading, with nearly every category of cyber-attack increasing in volume throughout 2021: encrypted threats rose 167% to 10.4 million, and ransomware attacks reached 623.3 million. Against a backdrop of data concerns and day-to-day obstacles, it is challenging for business leaders to know exactly where to start when it comes to putting robust security measures in place.

While preventing data breaches is high on every organization's priority list, the truth is that web skimming and similar threats will never go away entirely. However, it is not all doom and gloom: what companies can do is equip themselves to respond quickly should the worst happen, and stop a security issue from growing into something bigger and more costly.

How can they do this? The best place to begin is their website.

As the main point of contact for many companies providing products and services to customers, the website is where reputations and customers can be won and lost, and even a small vulnerability, once exploited, can do the damage.

An organization is only as strong as its weakest link, so it is in every company's interest to take both proactive and reactive measures: to fend off attackers where possible and, if an attack does occur, to make sure it is short-lived and dealt with swiftly and appropriately.

In general, every business should run content integrity checks continuously and consistently on every page that handles sensitive data, and on checkout and payment pages above all: record which scripts a page is supposed to load and alert on any change to that set or to the scripts' contents. Third-party scripts and plug-ins deserve the same monitoring, because a tag added or changed by a supplier, or by a well-meaning member of staff, is a common route for an injection and is easy to miss without it.

Why more security-conscious brands need to know about synthetic monitoring

This is particularly important for businesses that transact online, for example those in the retail, ticketing and travel industries. If they want to analyze how their website is performing from a reliability and security point of view, a great place to start is synthetic monitoring.

Synthetic monitoring runs scripted journeys through a site, such as adding an item to the basket and reaching the payment page, from automated browsers on a schedule. Originally used to find, fix and prevent availability and performance issues, this type of automated monitoring can now also help protect a site against potential security breaches while improving conversions and the overall customer experience.

Because it gives organizations full visibility of their transactions and online activity at any time, day or night, it puts companies in a far stronger position to respond swiftly and protect their customers.

Businesses that already have synthetic monitoring capabilities liken it to having an online security guard or mystery shopper, because it presents real-time, granular detail that teams can quickly unpick to make sure their websites are not only working their hardest but also behaving in a way that does not jeopardise revenue or reputation.

And when monitoring runs around the clock by automation, employees gain more opportunity to prioritise their time on improvements, whether major or minor, and keep shoppers happy.

Why compliance developments favor security-conscious organizations

There is no question that organizations in sectors such as retail, travel and leisure need to have their customers' security at the forefront of their priorities. However, it is no longer simply about securing their own software, systems and infrastructure. Increasingly, data breaches are happening in the customer's browser, through the retailer's own web pages and the third-party scripts they load, rather than on the retailer's servers, networks or databases.

The good news is that the new version of the Payment Card Industry Data Security Standard, PCI DSS 4.0, addresses this issue directly, and that organizations which outsource payment to an external service can protect themselves further, offering customers real peace of mind about their payment data.

Of course, this is not a silver bullet, as malicious attacks happen at large scale across the globe, but the PCI developments encourage brands to treat their payment pages as secure environments that should be locked down.

For example, the standard now requires retailers to keep an inventory of the scripts on payment pages and to authorize and check the integrity of each one (requirement 6.4.3), and to run change- and tamper-detection on the payment page's HTTP headers and content (requirement 11.6.1). In practice that means defining guardrails that prevent data being sent to untrusted locations and ensuring that nothing on the page can be altered without the team knowing. Both requirements were future-dated in version 4.0 and become mandatory on 31 March 2025.

Strengthening the customer bond through considered online practices

Overall, building a customer base that trusts the company it is investing time and money in is vital, especially when brand loyalty is so scarce in today's saturated market and fast-paced world. So, the website must never miss a beat.

Consumers can form an opinion about an ecommerce brand as quickly as 0.05 seconds after a page loads, so it is no surprise that conversions drop by around 7% for every one-second delay.

Alongside evidencing its security focus, a performant website can also reap revenue benefits and significant sustainability savings. If a brand mistakenly uploads an image that is 1MB too big, that might not seem bad at all. Downloaded 1 million times, however, that is a million megabytes of server, network and user device time, plus electricity and transport, which costs the business, its customers and the planet. Therefore, it pays to be on top of website performance overall.

After two years in which technology adoption and security breaches have both soared, there will be even more need to understand the impact of a high-performing website and how it contributes to the overall success of a business. When intuitive platforms are in place to catch concerns before they escalate, that not only helps to prevent costly attacks but also builds brand credibility and improves the entire customer experience.

Gav Winter

Gav Winter is the CEO of website testing company RapidSpike.
