Wednesday, 22 February, 2023 UTC


Summary

E-commerce websites are at constant risk of data skimming attacks because of unprotected JavaScript that runs on the payment page. More than 99% of all websites use JavaScript in some form, as it serves many purposes; some sites load it directly, others via a third-party vendor.
JavaScript powers the web because of its versatility. It provides the forms that collect data, enables key functionality such as tag managers or content management systems, and can be used to build an entire website. Because it is so pervasive, the Jscrambler security team wanted to explore the impact of the third-party code (in scripts) present on e-commerce websites.
Most organizations don’t have visibility into the third-party JavaScript that loads at runtime on their website. This massive blind spot can lead to stolen data, loss of revenue and reputation, and massive fines.

Why is this research important now?

Regulations and standards that aim to protect Personally Identifiable Information (PII) are becoming increasingly prominent, especially regarding the protection of payment pages.
The Payment Card Industry (PCI) Data Security Standard (DSS) is the leading standard for all organizations that store, process, or transmit payment card data, and its latest version, 4.0, was released in March 2022. It has 64 new requirements that organizations seeking compliance must fulfill. In an effort to curtail skimming (Magecart) attacks, two of these requirements focus on the integrity of pages where payment is taken. These are:
  • Requirement 6.4.3 demands that entities manage the JavaScript on payment pages. All JavaScript must be detailed in an inventory, be necessary for the payment page, be approved, and have its integrity assured.
  • Requirement 11.6.1 requires that changes to scripts and page headers on payment pages be detected, and the appropriate alerts generated.
E-commerce companies need to focus on gaining visibility into the JavaScript that’s loaded into their web pages, because the risk carried by each third-party script shouldn’t go unnoticed. Each malicious script should be blocked and deactivated.
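As an added illustration (not Jscrambler’s code and not part of the original report), the script below audits a constructed sample payment page against a hypothetical approved inventory and checks that every external script carries an SRI integrity attribute, in the spirit of requirement 6.4.3, then diffs two hash snapshots of the page’s scripts to raise the kind of change alert requirement 11.6.1 calls for. The host names, script URLs, digests and inventory are all assumed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample payment page; shop.example is the assumed first-party host.
PAYMENT_PAGE_HTML = """<html><head>
<script src="/js/checkout.js" integrity="sha384-PLACEHOLDERDIGEST"></script>
<script src="https://cdn.tagvendor.example/tag.js"></script>
<script src="https://analytics.example/a.js" integrity="sha384-PLACEHOLDERDIGEST"></script>
<script>window.checkoutConfig = {};</script>
</head><body></body></html>"""

# Hypothetical approved inventory (PCI DSS 6.4.3): script URL -> reason it is necessary.
APPROVED_SCRIPTS = {"/js/checkout.js": "first-party checkout form",
                    "https://cdn.tagvendor.example/tag.js": "tag manager, reviewed and approved"}

class ScriptCollector(HTMLParser):
    """Collect the attribute dict of every <script> tag on the page."""
    def __init__(self):
        super().__init__()
        self.scripts = []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts.append(dict(attrs))

def audit_payment_page(html, first_party_host, approved):
    """Count scripts and return 6.4.3-style findings: unapproved or unpinned scripts."""
    parser = ScriptCollector()
    parser.feed(html)
    findings, third_party = [], 0
    for attrs in parser.scripts:
        src = attrs.get("src")
        if src is None:  # inline script: nothing to inventory by URL, SRI cannot apply
            findings.append(("<inline>", "inline script; cover with a CSP hash or nonce"))
            continue
        host = urlparse(src).hostname or first_party_host  # relative URL = first-party
        if host != first_party_host:
            third_party += 1
        if src not in approved:
            findings.append((src, "not in approved inventory"))
        if not attrs.get("integrity"):
            findings.append((src, "no SRI integrity attribute"))
    return {"total": len(parser.scripts), "third_party": third_party, "findings": findings}

def detect_changes(baseline, current):
    """11.6.1-style check: diff two {script URL: sha256 hex} snapshots and return alerts."""
    alerts = [(u, "new script") for u in current if u not in baseline]
    alerts += [(u, "content changed") for u in current if u in baseline and baseline[u] != current[u]]
    alerts += [(u, "script removed") for u in baseline if u not in current]
    return alerts
```

On a live site the snapshots fed to detect_changes would come from fetching each script URL and hashing its body on a schedule, which is the continuous monitoring job the report describes.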

Jscrambler’s Research

The main goal of the research is to highlight the importance of having visibility and control over the scripts that are present on payment pages, especially on e-commerce websites. Popular e-commerce sites in North America and Europe were selected for analysis in order to understand the scope of the problem and potential points of failure. We looked at the number of scripts on the payment pages that are controlled by third parties. Our findings indicate that the possible attack surface is huge unless these sites find a way to identify, monitor and control the behavior of third-party scripts.
For these reports, 20 highly-trafficked e-commerce websites with more than $50M in revenue were selected. They are from diverse industries, including health, personal care, retail, groceries, home goods, consumer electronics, and airlines. The data collected focused on the payment pages. All data was collected using Jscrambler’s Webpage Integrity, a holistic solution to detect and block, in real-time, malicious behavior on the client side of web applications.
Highlights include:
US websites
  • 60% of the analyzed websites have more than 10 different vendors on their payment pages.
  • On average, 148 scripts are being loaded on the payment page; of these, 58% are third-party.
  • One of the analyzed websites did not allow the retrieval of data.
EU websites
  • 80% of the analyzed websites have more than 10 different vendors on their payment pages.
  • On average, 132 scripts are being loaded on the payment page, and from these, 97% are third-party.
  • All websites allowed the retrieval of data.
Consider the potential damage if even one script is compromised, and then multiply that by 100. Some of these e-commerce companies load hundreds of third-party scripts on their payment pages. We are witnessing a level of risk that demands action.
In general, it’s important for website owners to carefully consider the use of third-party scripts and to only include those that are necessary for the website to function properly. Implementing an automated client-side security solution will help in the process of continuously monitoring these “foreign” scripts. Such a solution can also help the website comply with mandatory or recommended regulations.

Prevention: what should be done?

Companies need to adopt a proactive approach to client-side security, restricting the behaviors of website scripts to prevent them from tampering with forms and/or leaking sensitive data. Because the web and JavaScript itself are dynamic, and because so much sensitive data is handled on the client side, security can’t be treated as an afterthought.

Jscrambler’s Approach

Jscrambler’s Webpage Integrity (WPI) is a holistic solution to detect and block, in real-time, unauthorized behavior on the client side of web applications. It prevents leaking or scraping of sensitive data and protects against web supply chain attacks like Magecart. WPI also addresses both of the new requirements in PCI DSS version 4. Download these reports to get more insights.