A step-by-step guide to preventing credit card skimming attacks

By Eyal Katz June 16, 2023

If you read the news, you’ve encountered the term “Magecart” multiple times in recent years. The term refers to several hacker organizations that use online skimming methods to steal personal information from websites, most frequently customer information and credit card details on websites that take online payments.
E-commerce platform Magento, which offers checkout and shopping cart capabilities for store websites, served as these groups’ initial target, which inspired the name. Its codebase is still an alluring target for hackers trying to scrape credit card data, steal personal data, or cause significant harm to various organizations.

If a Magecart group steals administrator and user login information, they may extend the attack and infect further websites. For instance, a Magecart group compromised not just the primary site but also the retail sites of seven European countries during the Vision Direct intrusion in November 2018.

Magecart card skimmers statistics

Thousands of customers’ personal information, including payment card numbers, expiration dates, and CVV codes, were exposed in that attack. The critical vulnerability that was exploited, CVE-2016-4010, is well described in NIST’s National Vulnerability Database.

British Airways also suffered an attack of the same type during a public campaign that cost the firm more than $1B to recover from, and the UK authorities fined it £20M. Examples abound of why today’s website developers must take preventive steps to safeguard against card skimming attacks. Let’s have a look at how they can do that.

How did it even happen: an (almost) classic case

Based on ImmuniWeb studies, at least 20 distinct Magento extensions were discovered in October 2018 to share a common vulnerability, and Magecart was targeting all of them. The malicious code was inserted through a PHP Object Injection attack that took advantage of PHP’s unserialize() function.

A similar vulnerability existed within the Magento platform, resolved by switching out the PHP unserialize() function for json_decode(). Sadly, the extension’s creators did not follow suit.

At the time of disclosure, researcher Willem de Groot knew that 20 extensions were under attack but not which ones; he had found only two. The first, the Webcooking_SimpleBundle Magento extension, was reported to its creator and corrected within hours. The second, TBT_Rewards, had been abandoned by its author months before. Because it cannot be repaired, it must be replaced, which exposes the serious problem of legacy software.

A similar object injection technique was comprehensively reviewed by Trend Micro in October 2019. A skimmer used the flaw to compromise the store front end, copying its complete payment form, including the victim’s name, address, phone number, e-mail address, and credit card information (number, cardholder name, expiration month, expiration year, and CVV number).
After collecting the credit card information, the skimmer serializes the copied data into a string and encodes it with Base64. The encoded string is then subjected to a character permutation so that a plain Base64 decode does not immediately recover it.
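The extension bug described above is a deserialization problem: unserialize() lets the serialized bytes decide which objects get built, while json_decode() can only return plain data. The same contrast carried over to Python (pickle versus json), as an added example that is not code from this page or from Magento; the cart format, the Gadget class and the sample blobs are constructed for the demonstration:

```python
import json
import pickle

EXECUTED = []  # records whether loading the data ran code chosen by the data itself

def record(msg):
    EXECUTED.append(msg)

class Gadget:
    """Stands in for any class with a load-time hook, the object-injection primitive.
    Here the hook only appends a marker; a real skimmer payload would do real work."""
    def __reduce__(self):
        return (record, ('code ran during deserialization',))

def parse_cart_unsafe(blob: bytes):
    # Like PHP unserialize(): the serialized bytes, not the program, decide what is built.
    return pickle.loads(blob)

ALLOWED_FIELDS = {'sku': str, 'qty': int}   # constructed schema for a one-line cart

def parse_cart_safe(blob: bytes) -> dict:
    # Like the json_decode() fix: only plain data can come back, and its shape is checked.
    try:
        data = json.loads(blob.decode('utf-8'))
    except (UnicodeDecodeError, ValueError) as exc:
        raise ValueError('malformed cart data') from exc
    if not isinstance(data, dict) or set(data) != set(ALLOWED_FIELDS):
        raise ValueError('unexpected cart fields')
    for field, typ in ALLOWED_FIELDS.items():
        if type(data[field]) is not typ:          # strict: bool is not accepted as int
            raise ValueError(f'wrong type for {field}')
    if data['qty'] <= 0:
        raise ValueError('qty must be positive')
    return data

# Constructed inputs: an honest cart and a blob that carries an object instead of data.
HONEST_BLOB = b'{"sku": "ABC-123", "qty": 2}'
INJECTED_BLOB = pickle.dumps(Gadget())

def demo():
    """Returns (unsafe loader ran the hook, safe loader rejected the blob without
    running anything, safe loader's result for the honest cart)."""
    EXECUTED.clear()
    parse_cart_unsafe(INJECTED_BLOB)        # the hook fires before any application code runs
    ran_unsafe = len(EXECUTED) == 1
    rejected = False
    try:
        parse_cart_safe(INJECTED_BLOB)      # pickle bytes are not valid JSON
    except ValueError:
        rejected = True
    nothing_ran = len(EXECUTED) == 1
    return ran_unsafe, rejected and nothing_ran, parse_cart_safe(HONEST_BLOB)

if __name__ == '__main__':
    print(demo())   # (True, True, {'sku': 'ABC-123', 'qty': 2})
```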

E-Commerce cloud platform attacks

Hackers’ appetites are growing

There was a 26% increase in Magecart attacks between 2021 and 2022, with 5.5 million attacks registered in 2022 alone, according to a new analysis by RiskIQ. Statistics for 2022–2023 show a considerable rise in their prevalence. As long as thieves keep targeting unprotected websites that handle payment information, this trend is expected to continue through 2023 and beyond.

Businesses and customers alike may suffer serious consequences due to these attacks. Attackers can steal financial information, including credit card details, from unwary customers by inserting malicious code into a website’s checkout page. This may result in monetary loss, identity theft, and harm to the reputation of the company and the client.

For website developers, this means putting strong security measures in place, frequently checking their websites for suspicious behavior, and keeping abreast of the most recent trends and dangers in the field of cybersecurity. If they don’t, their firm and clients could suffer severe consequences.

Some best practices for protecting web apps

Any web application that handles financial transactions must secure payment and credit card information. The following are some best practices for protecting web apps from payment-data theft and credit card fraud:

  • Always use SSL/TLS encryption to secure data being communicated over the internet. This protects sensitive data, such as credit card information, from being intercepted by unauthorized parties.
  • Ensure PCI-DSS Compliance for your web application to maintain the security of payment data. 
  • Avoid keeping payment information on your server or database, such as credit card numbers. Use a third-party payment processor (payment gateways, e.g. Stripe) to handle the transaction; they will handle data processing and storage.
  • Restrict access to cardholder data: Limit access to cardholder data to only those who require it to perform their jobs. 
  • Use tokenization to substitute sensitive data with a non-sensitive token if you temporarily store payment data. Additionally, use industry-recognized encryption techniques to encrypt the payment information.
  • Use multifactor authentication and least-privilege access management to guarantee that only authorized users can access the payment system. Assign the minimum permissions required for each user account and limit access to sensitive data.
  • The two most frequent injection flaws attackers use to reach your databases or directories are SQL and LDAP injection. They smuggle commands into a query through untrusted input, tricking the server into executing instructions that expose crucial data. Injection attacks can be thwarted by strictly validating and escaping every input that reaches a query.
  • Ensure your web app’s software is up-to-date on all security patches and upgrades to guarantee that known vulnerabilities are fixed and patches are frequently applied.
  • Use monitoring tools to look for suspicious activity, such as repeated failed login attempts or multiple credit card transactions from the same IP address.
  • Mitigate the risk of stolen credentials: supercharge your CI/CD by monitoring and detecting vulnerable API keys, tokens, credentials, security misconfiguration, and other threats in real time without compromising speed. 
  • Implement a Web Application Firewall (WAF) to protect the website from common attacks such as SQL injection, cross-site scripting (XSS), and cross-site request forgery (CSRF).
  • Attackers can also abuse cross-site scripting (XSS) vulnerabilities to reach the microphone, webcam, location, and private data on your smartphone. Validating and escaping user input stops injected code from reaching your system.
  • Regularly back up data and store it securely to prevent data loss in case of a security breach.
  • Regularly perform penetration testing and other vulnerability assessments to identify and address security weaknesses before they can be exploited.
  • Educate and train employees on cybersecurity best practices and create security policies to ensure that everyone knows the risks and understands their role in protecting the website.
  • Use PCI DSS-compliant services. For example, AWS provides PCI DSS-compliant services such as Amazon RDS, Amazon S3, and Amazon EC2. Google Cloud Platform also provides several PCI DSS-compliant services such as Google Cloud SQL, Google Cloud Storage, and Google Compute Engine. If you work with Azure, a similar list can be found here. Using these trusted services for your payment processing system and other applications helps to handle cardholder data securely.

Where should coders look closely?

Several libraries can help developers achieve PCI DSS compliance in their applications:

PCI Compliance Levels

Python

  • PyCryptodome is a self-contained Python package of low-level cryptographic primitives. It can be used to encrypt and decrypt sensitive data and to implement secure communications protocols.
  • Requests is a popular Python library for making HTTP requests. It supports SSL/TLS encryption and certificate verification, which can help ensure that data transmitted over the network is protected against eavesdropping and man-in-the-middle attacks.
  • Flask-Security is a Flask extension that provides authentication, authorization, and user management features. It includes support for password hashing, password reset, and multifactor authentication, all required for PCI DSS compliance.
  • PyJWT is a JSON Web Token implementation in Python. It can be used to generate and verify secure tokens for authentication and authorization, which are required for PCI DSS compliance.
  • Boto3 is the Amazon Web Services (AWS) Software Development Kit (SDK) for Python. It provides a simple yet powerful interface for interacting with AWS services.
  • PyMySQL is a pure-Python MySQL client library that can be used to communicate with MySQL databases securely. It supports SSL/TLS encryption, password hashing, and other security features required for PCI DSS compliance.

PHP

  • OpenSSL is a cryptographic library that provides APIs for various cryptographic algorithms, including AES, RSA, and SHA. It can be used to encrypt and decrypt sensitive data and to implement secure communications protocols.
  • PHP PasswordLib is a library that provides APIs for password hashing and verification. It can be used to securely store passwords in a database and prevent common security vulnerabilities such as SQL injection and XSS attacks.
  • PHP Secure Session: PHP Secure Session is a library that provides APIs for secure session management. It can be used to prevent session hijacking and ensure that sensitive data such as user credentials are not leaked.
  • PHPIDS (PHP Intrusion Detection System) is a library that provides APIs for intrusion detection and prevention. It can be used to detect and prevent common security vulnerabilities such as SQL injection and XSS attacks.
  • Symfony Security Bundle is a security component that provides authentication, authorization, and user management features for Symfony applications. It includes support for password hashing, password reset, and multifactor authentication, all required for PCI DSS compliance.
  • AWS SDK for PHP is the AWS Software Development Kit (SDK) for PHP. It provides a simple yet powerful interface for interacting with AWS services.

C#

  • Bouncy Castle is a cryptographic library that provides APIs for various cryptographic algorithms, including AES, RSA, and SHA. It can be used to encrypt and decrypt sensitive data and to implement secure communications protocols.
  • Microsoft Identity Platform (formerly Azure Active Directory) is a cloud-based identity and access management solution that provides authentication, authorization, and user management features. It includes support for password hashing, password reset, and multifactor authentication.
  • Microsoft SQL Server Cryptographic Provider is a cryptographic library that provides APIs for various cryptographic algorithms, including AES, RSA, and SHA. It can be used to encrypt and decrypt sensitive data stored in a SQL Server database.
  • FluentValidation is a .NET library that provides a fluent API for defining model validation rules. It can be used to validate input data and prevent common security vulnerabilities such as SQL injection and XSS attacks.
  • ASP.NET Core Identity is a membership system that provides authentication and authorization features for ASP.NET Core applications. It includes support for password hashing, password reset, and multifactor authentication.
  • AWS SDK for .NET is simple and useful for interacting with AWS services from .NET.

Realizable? Quite! 

Here is an example in Python using the Flask-Security library.

Step 1: Install Flask-Security and its dependencies using pip (Flask-Security-Too is the maintained fork; the original Flask-Security package on PyPI is unmaintained and lacks the two-factor support used in Step 7):

pip install Flask-Security-Too Flask-SQLAlchemy bcrypt

Step 2: Define Role and User models that inherit from Flask-Security’s RoleMixin and UserMixin classes (the Role model is what roles_required in Step 5 checks against):

from flask_security import UserMixin, RoleMixin

# db is the Flask-SQLAlchemy instance created for the app (db = SQLAlchemy(app)).
roles_users = db.Table('roles_users',
    db.Column('user_id', db.Integer(), db.ForeignKey('user.id')),
    db.Column('role_id', db.Integer(), db.ForeignKey('role.id')))

class Role(db.Model, RoleMixin):
    id = db.Column(db.Integer(), primary_key=True)
    name = db.Column(db.String(80), unique=True)

class User(db.Model, UserMixin):
    id = db.Column(db.Integer, primary_key=True)
    email = db.Column(db.String(255), unique=True, nullable=False)
    password = db.Column(db.String(255))          # holds the bcrypt hash, never the plaintext
    active = db.Column(db.Boolean())
    confirmed_at = db.Column(db.DateTime())
    fs_uniquifier = db.Column(db.String(64), unique=True, nullable=False)  # required by Flask-Security-Too
    roles = db.relationship('Role', secondary=roles_users, backref='users')

Step 3: Configure Flask-Security by setting the required options in your Flask application’s configuration (before the Security instance of Step 4 is created):

import os

app.config['SECRET_KEY'] = os.environ['SECRET_KEY']                          # signs sessions and tokens
app.config['SECURITY_PASSWORD_HASH'] = 'bcrypt'
app.config['SECURITY_PASSWORD_SALT'] = os.environ['SECURITY_PASSWORD_SALT']  # from the environment, never hard-coded
app.config['SECURITY_CONFIRMABLE'] = True
app.config['SECURITY_EMAIL_SENDER'] = 'noreply@example.com'

Step 4: Initialize Flask-Security by creating an instance of its Security class:

from flask_security import Security, SQLAlchemyUserDatastore

# db, User and Role come from Step 2; all SECURITY_* options must already be set.
user_datastore = SQLAlchemyUserDatastore(db, User, Role)
security = Security(app, user_datastore)

Step 5: Add authentication and authorization to your Flask application’s routes using Flask-Security’s login_required and roles_required decorators:

from flask_security import login_required, roles_required

@app.route('/dashboard')
@login_required                 # any authenticated user
def dashboard():
    return 'Welcome to your dashboard!'

@app.route('/admin')
@roles_required('admin')        # only users holding the 'admin' Role from Step 2
def admin():
    return 'Welcome to the admin area!'

Step 6: Implement password reset with Flask-Security’s built-in forgot_password and reset_password views, which are registered automatically once the recoverable feature is enabled:

# Set alongside the Step 3 options, before Security() is created. Flask-Security then
# serves forgot_password at /reset and reset_password at /reset/<token> itself;
# the views are not importable from flask_security and must not be wired up with add_url_rule.
app.config['SECURITY_RECOVERABLE'] = True

Step 7: Implement multifactor authentication using Flask-Security’s built-in two-factor support (there is no flask_security_two_factor module; the feature is configured through SECURITY_* options in Flask-Security-Too):

import os

# Set alongside the Step 3 options, before Security() is created.
app.config['SECURITY_TWO_FACTOR'] = True
app.config['SECURITY_TWO_FACTOR_REQUIRED'] = True                   # every login must complete a second factor
app.config['SECURITY_TWO_FACTOR_ENABLED_METHODS'] = ['sms', 'email']
app.config['SECURITY_TOTP_SECRETS'] = {'1': os.environ['TOTP_SECRET']}  # key used to encrypt stored TOTP secrets
app.config['SECURITY_TOTP_ISSUER'] = 'example.com'
# 'sms' also needs a provider configured via SECURITY_SMS_SERVICE, and the User model from
# Step 2 must gain the nullable columns tf_primary_method, tf_totp_secret and tf_phone_number.

AWS: Making your AWS application PCI-DSS compliant

Firewall

In order to protect the stored cardholder data, you should first install, configure, and maintain a firewall. Make sure your environment is set up with a VPC (Virtual Private Cloud) and that public DMZs and private subnets are properly segregated. 

AWS Firewall

Additionally, for an additional layer of security, you can use Unified Threat Management (UTM) solutions in the public subnets, otherwise known as DMZ. A systematic process must be followed before any adjustments to the configuration of the network or any tool can be made.

No defaults!

Change any default password supplied by a service provider or vendor immediately. A service should request a password each time it is restarted. Remove unneeded scripts, packages, and services from your instances, and make sure each instance serves only one function before putting it to use.

Access Restriction

There are two components to this step: physical access and virtual access:

Physical security is a key aspect of information security, regardless of how effective the established security controls or approaches are. A cutting-edge security system, for instance, serves no purpose if it is installed on the street in front of your business. A strong physical security system is required to protect technical systems. Because your application runs on AWS, whose infrastructure is already PCI-DSS compliant, more than half of this work is already done.

For virtual access, strict identity and access management (IAM) policies must be put in place so that only the few people who need access to complete their job have it.

Segment your network

In the PCI DSS QuickStart reference implementation, “firewalls” are equivalent to security groups and “networks” are represented by Amazon VPC subnets. Consequently, the security group list, the security group rules, and the subnet configuration might all be used as proof of the segmentation borders.

Authentication & IAM

The accounts that have access to your AWS management console should be properly defined in an IAM policy. An IAM policy should have the following clauses:

  • No shared accounts are permitted.
  • Each individual must have their own ID.
  • Everyone’s 2FA must be enabled.
  • To find logins and changes at strange times, behavior analysis can also be added.

AWS CloudTrail

Ensure CloudTrail is enabled for logging. It should be enabled and configured with at least one multi-Region trail.
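Two of the controls above can be verified programmatically: that every IAM user has an MFA device enrolled (the 2FA clause of the IAM policy) and that CloudTrail has a multi-Region trail that is actually logging. This is an added example, not code from the page or from AWS; it uses the boto3 IAM and CloudTrail client calls list_users, list_mfa_devices, describe_trails and get_trail_status, and the fake clients and account values are constructed so the audit runs offline:

```python
"""Audit an AWS account for two PCI-DSS controls: MFA on every IAM user and an
active multi-Region CloudTrail trail. The functions accept boto3-style clients, so
they run against boto3.client('iam') / boto3.client('cloudtrail') or against fakes."""

def users_without_mfa(iam) -> list:
    """iam: a boto3 IAM client (list_users / list_mfa_devices)."""
    missing = []
    for user in iam.list_users()['Users']:          # paginate for accounts with >100 users
        name = user['UserName']
        if not iam.list_mfa_devices(UserName=name)['MFADevices']:
            missing.append(name)
    return missing

def logging_multi_region_trails(cloudtrail) -> list:
    """cloudtrail: a boto3 CloudTrail client (describe_trails / get_trail_status)."""
    trails = cloudtrail.describe_trails(includeShadowTrails=False)['trailList']
    active = []
    for trail in trails:
        if not trail.get('IsMultiRegionTrail'):
            continue                                  # single-Region trails do not satisfy the control
        status = cloudtrail.get_trail_status(Name=trail['TrailARN'])
        if status.get('IsLogging'):
            active.append(trail['Name'])
    return active

def audit(iam, cloudtrail) -> dict:
    missing = users_without_mfa(iam)
    trails = logging_multi_region_trails(cloudtrail)
    return {'users_without_mfa': missing,
            'logging_trails': trails,
            'compliant': not missing and bool(trails)}

# Constructed fake clients that mimic the shape of the real boto3 responses.
class FakeIAM:
    def list_users(self):
        return {'Users': [{'UserName': 'alice'}, {'UserName': 'bob'}]}
    def list_mfa_devices(self, UserName):
        devices = [{'SerialNumber': 'arn:aws:iam::123456789012:mfa/alice'}]
        return {'MFADevices': devices if UserName == 'alice' else []}

class FakeCloudTrail:
    def describe_trails(self, includeShadowTrails=True):
        return {'trailList': [
            {'Name': 'regional', 'TrailARN': 'arn:aws:cloudtrail:eu-west-1:123456789012:trail/regional',
             'IsMultiRegionTrail': False},
            {'Name': 'org-wide', 'TrailARN': 'arn:aws:cloudtrail:eu-west-1:123456789012:trail/org-wide',
             'IsMultiRegionTrail': True}]}
    def get_trail_status(self, Name):
        return {'IsLogging': Name.endswith('/org-wide')}

if __name__ == '__main__':
    print(audit(FakeIAM(), FakeCloudTrail()))       # bob lacks MFA, so compliant is False
```

Against a real account, pass boto3.client('iam') and boto3.client('cloudtrail') instead of the fakes; API-only users without a console password can be excluded with get_login_profile if that matches your policy.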

Moving forward, armed with the right tools for the job

We’ve discussed how skimming attacks occur, their consequences for businesses and customers, and best practices for protecting web applications: from using SSL/TLS encryption and implementing PCI-DSS compliance to avoiding storing payment information on servers and regularly performing vulnerability assessments.

As for developers, they should have two strong weapons in their arsenal to prevent their web apps from being used by malicious actors: One is a strong knowledge of specialized libraries for popular programming languages in web development and the ability to apply their classes and methods in practice. The other is an automated way to monitor, classify, and protect your code, assets, and infrastructure for exposed API keys, tokens, credentials, and high-risk security misconfigurations in a simple way, without noise. Request a demo and get started now.
