Watch to learn how to implement solutions for PCI DSS 4.0 requirements 6.4.3 and 11.6.1.
Payment page scripts in consumer browsers need to be secured as defined in these new PCI DSS v4 requirements. Organizations that are doing their research on the best way to meet these requirements will be interested in this video.
Watch this video to learn:
Good morning everyone.
I appreciate everyone taking some time out of their busy days for this presentation and demo today.
I'm excited to show you guys what makes Shopping Cart Monitor unique and valuable.
My name is Brian Cole, and I'm the Enterprise Sales Manager here at SecurityMetrics. I've been here for over seven years. I love working for a company that values their employees and clients so much.
If you have any questions during the presentation or demo, please chat them in, and we'll answer them at the end. So make a note, and we'll make sure and get to those.
Alright. Some of the things that we're gonna be covering today are what is ecommerce skimming, how our Shopping Cart Monitor product works, how we respond to any incidents, and then we'll talk over scoping and pricing as well.
When a website is skimmed, well, the different names for it are website skimming, ecommerce skimming, Magecart attacks.
This is all when a website is injected with malware and is compromised.
Hackers will steal your customer's credit card information when they go to the checkout page to pay for products.
Most of the time, ecommerce merchants or ecommerce websites don't even realize they've been hacked until they are notified by their bank that their website could be a common point of card loss.
Even if they've wiped and reinstalled their website code in the recent past, they could still be losing sensitive card data.
And even if owners know that they have a website that has a vulnerability or needs to be fixed, often they don't know where to begin.
A digital skimmer is very similar to its physical counterpart. When the consumer inputs their credit card information into a shopping cart page, the attacker silently harvests the data.
So unlike a physical skimmer, like the one shown here, which has to be physically placed on the gas pump, the malicious code that is hijacking the client data just needs to be on the browser, and the skimmer most likely isn't on the business's server at all.
As a result, the most effective way of identifying if a skimmer has been installed is to look at the client browser, where the checkout process is happening.
So why should we care about this? Well, I think we need to ask the common question.
From 2022, Sansec reports that two thousand to seven thousand sites are breached each month, so that's over a hundred thousand stores that are affected.
The average cost of a breach has been reported at three point eight million dollars, and many breaches happen again and again because the remediation isn't sufficient or doesn't happen quickly enough.
In the news, we're constantly hearing about the latest attacks. I'd like to talk about a few specific attacks that we've seen in recent history here.
So there was a large airline that had a skimmer, compromising their payment page. It was only compromised for fifteen days. In those fifteen days, three hundred and eighty thousand transactions were stolen.
We know that the fine was public as it was posted. It was two hundred and thirty million dollars.
Around that same time, there was a large tech retailer who, according to Alexa, receives over fifty million visitors per month. They had a skimmer on their checkout page for thirty five days. It is undisclosed how many cards were taken during the breach, but we can infer that the attack was much larger than the British Airways attack, and the fines probably far exceeded the two hundred and thirty million dollars.
So let's review how Magecart attacks happen.
So typically, you know, the web server is under the business's control. That is where we used to see attacks happen in the past, but now we're seeing attacks happen specifically at the browser level. So why is this such a problem?
This represents what your browser looks like when you're accessing a shopping cart. There's much more going on than most of us realize.
Given that the checkout process occurs in the browser, and existing tools like FIM, IDS, and IPS don't have visibility at the browser level, it's very difficult to detect these Magecart attacks.
This is also a very sophisticated ecosystem of hackers for several reasons.
They hide the malicious code inside highly obfuscated code.
With dozens of lines of code and with only just a few small changes of malicious code, it's very hard for the human eye to catch the difference.
They also mimic known domains. So they'll have things like googleads.com or microsoft.com, which are found commonly on a lot of checkout pages. They'll take and remove just one letter from these URLs that are very common, and we read right over them without realizing there's a typo.
Tripwire mechanisms are also very common, as well as steganography attacks, which is malicious code hidden in an image or an image request.
They can also restrict these attacks to very precise geographical areas.
So inside a client's computer, all sorts of independent programs are running, making the browser now in charge of safety and security.
Also, privacy settings pretty much make this, like a black box environment.
Do you know how many requests are being made by third party libraries on your shopping cart today?
We have found that threat actors are using third parties as a path to compromise the browser. They are very crafty, and their techniques are continually evolving.
Some examples that we've detected from our recent Shopping Cart Monitor services: there were a couple of steganography attacks where malicious code was hidden in an image file request.
There was another really interesting one where there was a self-destructing JavaScript, which means that when we opened up our developer tools to begin looking at the code, this particular malicious code would actually self-destruct.
So it was very hard to catch because most of the time, by the time we got down to review that area of the code, that line was already deleted.
And then we had another one where the skimmers were only targeting the Spanish version or the Spanish checkout page of a large retailer that was offering a checkout page in both Spanish and English.
Well, they were able to bypass a lot of the security, excuse me, a lot of the security measures on the English page by only targeting cards that were being processed on the Spanish side.
We've kinda made it our company mission to review as many Magecart attacks as we can to continually validate that our Shopping Cart Monitor service would have identified those attacks had the organization been using our service.
Some of these attacks that you've heard of in the news are the Ticketmaster breach, British Airways, Newegg, Smith and Wesson. All these attacks were using unique skimmers.
In more recent news, we also reviewed the Active Network attack, Focus Camera, NutriBullet, Tupperware, WooCommerce, Fitness Depot, Intersport, Warner Music Group. All of these attacks could have been prevented or caught immediately if they had been using the Shopping Cart Monitor service.
So when suspicious code is detected, alerts will be sent to SecurityMetrics cybersecurity experts to examine and determine if the alert is benign or is in fact a malicious threat.
If the threat is malicious, we will notify you directly and document our findings in the formal report.
In just the first month of our development team researching and beginning to use this tool, a Magecart attack surfaced. We were able to identify it and help the organization remediate it. And this was kind of the beginning stages, when this was just first being developed.
Shopping Cart Monitor will also help with several of the new requirements for PCI v4, specifically PCI requirements 6.4.3 and 11.6.1. These state that you need to maintain a script inventory and also that you need to deploy a change and tamper detection mechanism.
This is exactly what our Shopping Cart Monitor does. We anticipate that it'll be, you know, widely used, by both our customers and competitors. They don't have their own service for this.
This is a patented service that we have, and we're really excited about it.
Shopping Cart Monitor acts as a synthetic user to monitor and analyze your website for ecommerce skimming and malicious activity.
We'll talk more about how this is done later in the presentation.
Many of the people we've talked to think that they don't need to worry about this service for their payment page because they're using a third party to facilitate this. They're either using an iframe or they've outsourced much of their payment information environment to a third party.
But even if you've done this, if you have an iframe or if you're still responsible for the code, if you have to approve that or if you can change that, then the responsibility still lies with you. And this is one of the most common phone calls we're taking right now: people wondering if it's applicable to them. So if you wonder if it's applicable to you, you know, make a note, write down my email at the end and reach out. We can set up a call and discuss your specific environment.
Our goal is to reduce the amount of time a skimmer is installed on your shopping cart from an average of forty six days down to just minutes, and here's how we do that.
It's a pretty simple process.
With three simple steps, you can be covered. The first step is to establish a baseline.
We begin by creating a recording of the checkout process, during which we do a review to determine if any malicious code already exists.
Once we review, we create a record of what traffic we expect to see. We use a combination of automated tools along with manual efforts to accomplish this.
Our Shopping Cart Monitor service incorporates a series of tools used by our threat intelligence center. It provides the raw request and response that was triggered, the WHOIS information of who owns the domain, the community scores of two popular communities, and the geolocation of the IP address.
Once the baseline is established, we continually monitor the page for changes.
We create a recording, as I mentioned before, and then we actually go through the checkout process. We use our credit card.
We punch it into the checkout page. So we're impersonating a customer as if we're buying a product just like your customers are doing. And then we can see if data is being stolen or not, and that's how we protect you and your customers by finding what's being stolen if the malicious code is present.
Once alerted, the team will review this new request and determine if it's benign or not. Alert fatigue is real, so we will identify false positives by reviewing everything before it ever makes it to your radar.
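The baseline-then-monitor process above, and the script inventory and change/tamper detection that PCI DSS 6.4.3 and 11.6.1 ask for, can be illustrated in code. This is an added example, not SecurityMetrics' or Shopping Cart Monitor's code; the script captures, hostnames and bodies are constructed, and the `recording` format (URL or None, script body) is an assumption about what a synthetic checkout visit would collect.

```python
import hashlib
from difflib import SequenceMatcher
from urllib.parse import urlparse

# Constructed sample data (not a real capture): each tuple is one script the
# synthetic checkout visit loaded, as (URL or None for inline, script body).
BASELINE_RUN = [
    ("https://cdn.example-shop.test/checkout.js", "function pay() { /* legitimate checkout */ }"),
    ("https://tags.analytics-vendor.test/tag.js", "track('checkout');"),
    (None, "window.cart = {total: 42};"),
]
MONITOR_RUN = [
    ("https://cdn.example-shop.test/checkout.js", "function pay() { /* legitimate checkout */ } /* constructed: unexpected change */"),
    ("https://tags.analytics-vendor.test/tag.js", "track('checkout');"),
    (None, "window.cart = {total: 42};"),
    # Constructed: a new host that drops one letter from a vetted vendor domain.
    ("https://tags.analytic-vendor.test/tag.js", "/* constructed: unknown script body */"),
]


def script_inventory(recording):
    """Script inventory (PCI DSS 6.4.3): one entry per script the page loaded,
    keyed by URL (inline scripts by position, 'inline:<n>'), valued by the
    SHA-256 of the script body so later runs can be compared byte for byte."""
    inventory, inline = {}, 0
    for url, body in recording:
        if url is None:
            inline += 1
            url = f"inline:{inline}"
        inventory[url] = hashlib.sha256(body.encode()).hexdigest()
    return inventory


def host_of(key):
    return None if key.startswith("inline:") else urlparse(key).hostname


def lookalike_of(host, known_hosts, threshold=0.9):
    """Return the vetted host this one nearly matches (e.g. one letter dropped),
    or None. Exact matches are not lookalikes."""
    for known in sorted(known_hosts):
        if host != known and SequenceMatcher(None, host, known).ratio() >= threshold:
            return known
    return None


def detect_changes(baseline, current):
    """Change and tamper detection (PCI DSS 11.6.1): diff the current inventory
    against the baseline and flag new hosts that imitate vetted ones. Everything
    returned is an alert for an analyst to triage, not an automatic verdict."""
    known_hosts = {host_of(k) for k in baseline} - {None}
    findings = {"added": [], "changed": [], "removed": [], "lookalike": {}}
    for key, digest in current.items():
        if key not in baseline:
            findings["added"].append(key)
            host = host_of(key)
            if host and host not in known_hosts:
                mimic = lookalike_of(host, known_hosts)
                if mimic:
                    findings["lookalike"][key] = mimic
        elif baseline[key] != digest:
            findings["changed"].append(key)
    findings["removed"] = [k for k in baseline if k not in current]
    return findings


if __name__ == "__main__":
    print(detect_changes(script_inventory(BASELINE_RUN), script_inventory(MONITOR_RUN)))
```

On the constructed runs this reports the modified checkout.js as changed and the one-letter-off vendor host as an added, lookalike script; a real deployment would feed it each scheduled synthetic visit and hand the findings to a reviewer.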
Now what you've been waiting for, let's talk a little bit about pricing and scoping. So the cost of the service starts out at six hundred and twenty five dollars per month per checkout page.
There are yearly discounts and quantity discounts if you have more than one page. Keep in mind that if you have a single website with multiple checkout pages for different languages, or if you have multiple websites with separate checkout pages, you need to cover each of those.
With this service, we offer weekly scanning and reporting, so you'll be notified within less than a week of any suspicious and malicious activity on your website.
There are no modifications needed in your existing website for this tool to be used.
There's no setup required like is required from other competitor services.
You get a full list of scan history so you can identify patterns and keep your site free from infection.
Our Shopping Cart Monitor is non-intrusive, non-disruptive, and it's also not easily detectable by the bad guys. We have noticed this with other services that require you to install code on your checkout page: the bad guys can go to those pages and see that there's code, and then they can do an attack that bypasses that code. Ours is very hard to detect by the bad guys because we're actually monitoring as it happens.
This saves you money in the long term because you receive a list of unresolved, ignored, and resolved threat indicators to help you stay organized.
You save money by being proactive in your data detection efforts rather than being reactive after a breach occurs.
And the service also protects your company's brand and trust within the ecommerce community and your customers.
There's a few reasons why I think you should consider Shopping Cart Monitor. As new threats are discovered, you get notification of high priority threats.
You avoid the time and effort of manual examination of changes. We did have a customer that started using this that was doing this with manual effort. So they were printing out the code, reviewing it, you know, basically with fingers to paper, to review each line of code to look for changes and compare those. It was very time consuming.
You can also save time because you can whitelist your IPs or JavaScript that you've already vetted, so you don't have to worry about that in the future.
And then alerts can be customized so you can choose how often you're notified. You can also choose if you want your reports exported to you via an email or something like that, or you can log in directly to the dashboards to see those twenty four seven.
So I'm excited to show you a little demo here.
Okay. So I have this website that we set up for this demo. It's a fake website, functions just like any other ecommerce website, where I've already put items in the cart here. So if I go to the cart to initiate the checkout process, you'll see just like any other checkout process, we enter billing information, we enter in the delivery information.
And then at this point, let's see. Shipping.
Okay. Right here, I'm gonna take my mouse. If you can see my cursor on the screen, I'm gonna take my cursor off the screen, and I'm gonna use the tab.
Let me see. Let me first check the terms and conditions.
Then for this particular skimmer, I'm gonna tab to continue, hit enter.
This particular skimmer was only activated when mouse movement was present on the page. So our dev team installed this little green bar where you can see, the malicious code is inactive. So it would not be detectable by any services at this point in time.
Now, you'll see if I tab through here and begin entering in information, that it's not being stolen. Right? I can start entering card information here. No. I don't wanna enter in my real card information.
But as soon as I bring the mouse onto the page, if you look at that green bar, you'll see that now the malicious code is active and any data I enter will be stolen. So as I go through and enter data here, it's being skimmed as I enter it in. Now if I hit confirm here, it goes red, meaning the transaction was completed and the card was stolen. But it was actually being skimmed as I was punching it in.
So even if I backed out before I confirmed the order, I put in my credit card information, I think, oh, you know what? I better wait till payday before I buy this. It's too late. The data was already removed, and skimmed by the malicious actor as it was being punched in.
So that's as simple as it is: without knowing, your card data can be stolen. Your customer's card data can be stolen. It's just that simple. Obviously, we don't put these green and red bars on our websites to let us know, but that is what Shopping Cart Monitor will do for you when it's running on your checkout page.
Alright. Let's jump back here and let's jump to questions.
If you have any questions, please let us know or type them in the chat as they come through here.
One question that I received was, how do I get a quote for this service?
Well, please reach out. You can send us an email. You can reach out to us, and we'll get on a phone call to discuss your specific environment, discuss those needs, and we can get your custom quote.
Another question.
Let's see here.
Do you have any solutions for SMBs?
So right now, the solution is for everyone.
You know, I understand this might not be a fit for everyone in their price range.
This is the only solution or option we have at this point in time. We are considering other solutions, but at this point in time, this is the one that we have.
Alright. Another question. What is the recommended scanning cadence? Great question. So the PCI Council recommends or requires that you have to do weekly scanning. So at least once a week is what is recommended and required for PCI compliance, and that's what the service is based off of.
Alright. A couple more questions, it looks like we have here.
What if I just wanna do a one time check? Can we just sign up for one month?
So this is not a one month service, but we do have a sister service to this called Shopping Cart Inspect, which is a one time scan where we look through all the code on the checkout page, see if there's anything malicious, and then we give you a detailed report of all of the code that's on your checkout page. You can see all the third parties that are making requests there.
So we've been using that service quite a bit. That might be a good option for SMBs if the continuous monitoring is out of your price range.
We could definitely do the Shopping Cart Inspect, which is a one time scan and a report for that. Now let's see here.
Do we have a free trial is another question.
We don't have a free trial at this point in time, but reach out to us. Like I say, we wanna make sure this product works well for you.
So please shoot me an email if you have interest in wanting to see how this works for your page.
Another question here.
Can you give examples of a weekly report or the notification of compromise?
I did have some screenshots of this.
If you can email me, I can send you some screenshots. I don't have those pulled up right now of what those reports look like. Happy to send you some screenshots. So please email me directly, and I'll get those over to you.
How much is inspect? Great question. Inspect retails for fifteen hundred dollars per scan. There are discounts. A lot of people buy, you know, four scans so they can do it quarterly or something like that.
There are discounts for that, but that starts out at $1,500 per scan.
Another question. Where can I find out more about this issue and your tools?
So our website has lots of good information.
Sarah, can we send that out? When we send out the recording of this, we'll send out the links to our website that has additional information on that as well. Great questions.
Last question.
Just clarifying, I guess it's a clarifying question. Is the service purchased per website or per checkout page? So once again, that is purchased per checkout page. If you have multiple checkout pages per website, then you need multiple monitoring services.
So it is per page, not per website.
One more question here. What is the usefulness of this if the site is already tokenized for credit card data?
Good question. Depending on when the tokenization occurs, so if they punch live credit card data into the site and then it's tokenized, it would still be useful.
If your website only deals with tokens, so let's say you have a redirect where, before the customer enters card data, it goes to a third party where the card data is entered, and then they send you back a token, the service would not be necessary if you're only dealing with tokens at that point. So hopefully that answers your question.
Couple more questions popped in.
Would I need to do this if I was a charity and just had a donation page?
So if that donation page is taking credit card data, then, yes, you would need this service.
So, yeah, that's all the questions for now. I really appreciate everyone jumping on. Thanks again, and have a great rest of your day.