Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value. Learn More

Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value. Learn More

Services
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Security
Unlock the full power of Microsoft Security
Offensive Security
Solutions to maximize your security ROI
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats

Five E-Commerce Security Myths (Part 1)

Compromises of e-commerce websites are increasingly common. In our 2012 Global Security Report we reported that 20% of our incident response investigations related to e-commerce sites. This was up from 9% the year before. In my part of the world (Asia-Pacific), this figure is closer to 40%. In almost all of these cases the motive was simple - the theft of credit card data.

In order to better defend against e-commerce attacks, we must first understand them better. In our experience, there are three common methods for e-commerce sites to accept payment cards.

Store and download

This is the most common method for smaller merchants, especially those that have augmented their pre-existing physical store with an e-commerce outlet. These merchants already have a method of accepting payment card transactions in their store. Instead of getting a second merchant facility for their website, they download the payment card data relating to new orders from their server and manually enter this into their existing facility. As a result of this, payment card data has to be stored somewhere, usually on their web server.

Third-party gateway via API

Larger merchants tend to favour this option, as it gives them a seamless customer experience and enables them to authorise payment cards at the time of purchase. The customer submits their payment card data to the merchant's website during the checkout process. The merchant's website then passes this directly onto a third-party for authorisation. Using this method there is no reason for payment card data to be stored on the merchant's server nor is there any need for a customer to be redirected away from the merchant's website.

Hosted or direct third-party gateway

The goal of hosted and direct payment models is to ensure that the merchant's web server never sees payment card data. In a hosted model, the customer is redirected to a third-party during the check out process. This third party then presents the customer with a form to enter their card data into, processes this transaction and redirects the customer back to the merchant site.

A direct payment model is very similar, except that the credit card form is actually hosted on the merchant's website, but when the customer submits this form the data is sent directly to the third-party instead of back to the merchant.

All of these methods are susceptible to attack in certain circumstances. In general we see three different styles of attack:

  1. Stored data - As the names suggests, an attacker simply locates and copies stored payment card data. This is very common for "store and download" merchants, but also happens to API merchants that are storing payment card data inadvertently.
  2. In-transit - In a well-implemented merchant environment using an API payment model, there will not be any stored payment card data. As a result, an attacker needs to intercept data at the time that a transaction is made. Attackers commonly do this by saving a copy of every request sent to the payment gateway to a file that they can then download, or having a copy of each transaction e-mailed to them.
  3. Bait and switch - Whilst hosted and direct payment models dramatically reduce the risk of compromise for most smaller merchants, they do not completely eradicate the possibility of a compromise. By changing the destination that a customer is redirected to or the location that payment card data is sent to, the attacker can inject themselves into the transaction flow and capture payment card data.
    For example, an attacker could modify a merchant's website to direct their customers to evil-payment-company.com instead of good-payment-company.com. The attackers can make the website of evil-payment-company.com look identical to good-payment-company.com and even send a copy of the data captured by evil-payment-company.com to good-payment-company.com so the merchant still receives payment for their order. We've worked on cases where this has occurred and where it has gone unnoticed for several months.

This blog post has given you an introduction into how most merchants accept payments and how most bad guys steal this data. In part 2 I'll delve into the misconceptions about e-commerce security that we hear every day.

ABOUT TRUSTWAVE

Trustwave is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience. Learn more about us.

Latest Intelligence

Discover how our specialists can tailor a security program to fit the needs of
your organization.

Request a Demo