What Can Digital Businesses Learn from the recent British Airways Data Breach / Hack?


Apart from some interesting PR spin on what supposedly took place, the unavoidable truth is that the Magecart hackers managed to piggy-back 22 lines of their code onto a British Airways baggage claim web page. That code intercepted every newly submitted customer payment, and every new set of card details being keyed in (security numbers and all), affecting a very significant 380,000 customers. The period impacted ran from August 21st through to September 5th.

This was a really smart Trojan skimmer: it used a 'baways.com/gateway' URL so that customers would take the endpoint for a legitimate one. Spoofing of this sort only works when the name looks close enough to the real domain to be convincing, yet not so close to the root domain that it trips the various security protection systems.

There are a couple of really interesting takeaways here, and they reflect what we do at Affino to prevent this sort of thing from happening. Back in the day the Affino solution used to capture a portion of the payment details before handing over to the payment gateway; that route has not been safe for a long while. Any process which involves a hand-off or transfer of data is susceptible to interception, which is why for a long time now we have simply redirected payments directly to the relevant payment gateway, fully isolated from the main website's processes beyond transaction success/failure reporting. We cannot emphasise strongly enough how important it is for financial transaction engines to be fully isolated and totally locked down.

The analogy here is the classic bank vault versus armoured vehicle: bank vaults are so secure nowadays that criminals mostly target the security vehicles which transport the cash. In the same way, any 'vehicle' on a website which transports or transfers sensitive data is vulnerable. The recent Fortnum & Mason data breach happened through a third-party questionnaire solution which was transferring sensitive data across from the main site. For payments, hand your customers directly over to the fully secured payment gateway, and have any and all transactions carried out there in isolation and under full protection.

The other key lesson here is about single-source versus multi-source infrastructure. Far too many websites these days are huge, messy, fragmented affairs of separate apps and scripts, many of them loosely connected third-party elements, and many with inherent vulnerabilities in how they connect to core databases and transfer and communicate sensitive data. The more JavaScript plugins and third-party scripts you use, the more difficult it is to keep track of everything: you are not just managing the vulnerabilities of your core site and system, but those of every single one of these scripted fragments. The main code on the British Airways baggage claim page, for instance, had supposedly not been touched or updated for 6 years, which is far too long a period for something to go unchecked.

This again highlights the Facebook issues, where it seems neither customers nor Facebook were fully aware of the extent to which dodgy apps were able to grab a whole load of sensitive data (full contact lists and so on) from the phones onto which the apps had been installed. Websites using third-party advertising or tracking scripts often have very little idea of what those scripts are actually doing or how their customers might be impacted. The only sure and secure approach here is to single-source your web solution and limit third-party plugins and scripts as much as you can. There are many publishing and media sites out there with 50 or more active third-party plugin scripts, trackers and otherwise. This approach is now becoming a lesson in negligence: companies that operate this way are recklessly endangering their customers, and customers need to wise up to this and take their browsing and business elsewhere.

The more scripts and plugins you use, the harder it is to maintain a secure perimeter around your digital business; equally, the larger the attack surface, the higher the chance of a data breach and compromise. Browser vendors have been working hard to reduce threats and vulnerabilities, and ever-improving screening technologies which automatically block third-party trackers and plugins are becoming the norm. Website owners and digital businesses must do more themselves to ensure that they are not putting themselves or their customers in harm's way, something which still happens far too often. We have all been warned, and we should not just be taking notes, but taking action!

For further info on the BA hack, read the RiskIQ security report [here].

© Affino 2018