Apart from some interesting PR spin on what supposedly took place, the unavoidable truth is that the Magecart hackers managed to piggy-back 22 lines of their code onto a British Airways baggage claim web page - which in turn intercepted all newly submitted customer payments, i.e. whenever customers were keying in new card details, security numbers and all - affecting some very significant 380,000 customers. The period impacted was from August 21st through to September 5th.
This was a really smart Trojan skimmer - using a 'baways.com/gateway' URL / domain to spoof customers into thinking that said URL was legitimate. To do this sort of spoofing you need to be close enough to look convincing, but not too close to the root domain to trigger the various security protection systems.
There are a couple of really interesting takeaways here, and what we do at Affino to prevent this sort of thing from happening. Back in the day we used to have the Affino solution capture a portion of the payment details before handing over to the payment gateway - that route really has not been safe for a long while. Any process which involves hand-off or transfer of data is susceptible to interception - which is why for a long time now we have just redirected payments directly to the relevant payment gateway - and fully isolated that from any of the main websites processes beyond transaction success/failure reporting. We cannot emphasise strongly enough how important it is for financial transactional engines to be fully isolated and totally locked down. The analogy here is the classic Bank Vault versus Armoured Vehicle - Bank Vaults are so secure nowadays that criminals mostly just target the Security Vehicles which transport / transfer the cash. In the same way on a website - any ’vehicle’ which transports or transfers sensitive data is vulnerable. The recent Fortnum & Mason Data Breach happened with a 3rd party Questionnaire solution which was transferring sensitive data across from the main site. For payments - you should hand off your customers directly over to the fully secured payment gateway, and have all and any transactions carried out there in isolation and under full protection.
This again highlights the Facebook issues - where it seems neither customers nor Facebook were fully aware of the extent to which dodgy apps were able to grab a whole load of sensitive data - full contact lists etc. - from the phones onto which the apps had been installed. When using third party advertising or tracking scripts, websites often have very little idea of what those scripts are actually doing or how their customers might be impacted. The only sure and secure approach here is to single-source your web solution and limit the 3rd party plugins and scripts as much as you can. There are many publishing and media sites out there with 50 or more active 3rd party plugin scripts - trackers and otherwise. This approach is now becoming a lesson in negligence. Companies that employ such measures are recklessly endangering their customers - and customers need to wise up to this and take their browsing / business elsewhere.
The more scripts and plugins you use, the harder it is to maintain a secure perimeter around your digital business; in the same way, the larger the attack surface is, the higher the chance of data breach and compromise. Browser companies have been working hard to reduce threats and vulnerabilities, and new and ever-improving screening technologies which automatically bar 3rd party trackers and plugins are becoming the norm nowadays. Website owners and digital businesses must do more themselves to ensure that they're not putting themselves or their customers in harm's way - something which is still happening way too often. We've all been warned, and we should all not just be taking notes, but taking action!
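As a practical check for the advice above (hand customers straight to the payment gateway, and keep a tight inventory of third-party scripts), here is an added example - not code from the original post, from Affino or from British Airways. It parses a page's `<script>` tags, flags scripts that come from an unknown origin, that come from an approved vendor but are not pinned with Subresource Integrity, or that are inline, and then builds a Content-Security-Policy that allowlists script sources and, separately, where the page may send data. The host names, the sample page and the SRI digest placeholder are all constructed. The egress directives (`connect-src`, `form-action`, `img-src`) are the ones that matter most against a skimmer: code that rides on a first-party file still has to post the captured card data somewhere, and those directives restrict where.

```python
# Added example (not Affino's, BA's or RiskIQ's code): inventory the scripts a
# checkout page loads, flag the risky ones, and emit a CSP that limits both
# script sources and data egress. All host names below are constructed.
from html.parser import HTMLParser
from urllib.parse import urlsplit

FIRST_PARTY = "shop.example"                        # constructed site host
APPROVED_VENDORS = {"cdn.payments-vendor.example"}   # constructed allowlist
PAYMENT_GATEWAY = "pay.gateway.example"             # constructed gateway host

# Constructed sample page: one first-party script, one pinned vendor script,
# one unpinned vendor script, one unknown tracker and one inline block.
SAMPLE_HTML = """
<html><head>
<script src="/js/app.js"></script>
<script src="https://cdn.payments-vendor.example/checkout.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="//cdn.payments-vendor.example/extra.js"></script>
<script src="https://tracker.example/t.js" async></script>
<script>window.dataLayer = [];</script>
</head><body></body></html>
"""


class ScriptCollector(HTMLParser):
    """Collects the src and integrity attributes of every <script> tag."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self.scripts.append({"src": a.get("src"), "integrity": a.get("integrity")})


def audit_scripts(html, first_party=FIRST_PARTY, approved=APPROVED_VENDORS):
    """Return (kind, host) findings for scripts that widen the attack surface."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for s in parser.scripts:
        if s["src"] is None:
            # Inline code cannot be pinned by SRI; CSP would need a hash or nonce.
            findings.append(("inline", None))
            continue
        host = urlsplit(s["src"]).hostname   # None for a relative path
        if host is None or host == first_party:
            continue                          # first-party: out of scope here
        if host not in approved:
            findings.append(("unknown-origin", host))
        elif not s["integrity"]:
            findings.append(("unpinned", host))
    return findings


def build_csp(approved=APPROVED_VENDORS, gateway=PAYMENT_GATEWAY,
              report_uri="/csp-report"):
    """Build a CSP allowlisting script sources and, separately, egress.

    form-action allows the hand-off to the payment gateway and nothing else;
    connect-src and img-src confine XHR/fetch and image beacons to known hosts.
    """
    hosts = " ".join(sorted(approved))
    return (
        "default-src 'self'; "
        f"script-src 'self' {hosts}; "
        f"connect-src 'self' {hosts}; "
        f"form-action 'self' {gateway}; "
        "img-src 'self'; "
        f"report-uri {report_uri}"
    )


if __name__ == "__main__":
    for kind, host in audit_scripts(SAMPLE_HTML):
        print(f"{kind:15} {host}")
    print(build_csp())
```

Run the audit against your real checkout and payment hand-off pages, and treat every `unknown-origin` finding as something to either approve deliberately or remove; deploy the policy first as `Content-Security-Policy-Report-Only` and watch the reports before enforcing it.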
For further info on the BA Hack - read the RiskIQ security report [here]