February 14, 2020
The client-side browser front-end of web any application is a gateway in and out of our virtual kingdoms. The scripts executed by the client-side web browser are also great access points for malicious hackers and thieves to collect sensitive personally identifiable information (PII). By ignoring these significant client-side vulnerabilities, we can be making big mistakes that can ultimately lead to data exfiltration and adversely affect Governance, Risk and Compliance (GRC) requirements. How can we prevent that without overwhelming ourselves?
The web is no longer just a place to market and sell. It's where organizations operate, help customers learn, purchase, and enjoy their products and services.
The digital user experience is the core of the ecommerce customer experience. Current trends, such as enhancing the experience coupled with digital market business intelligence gathering, and best of breed technologies continue to move software logic to the client-side of web applications. This also increases inherent environment complexities. The web browser front-end, aka ‘digital user experience’, actively ingests customer/user information at data input points that can include some very sensitive information.
As the web front-end code runs on unmonitored and untrusted devices, many application security flaws are being leveraged by malware and malicious actors to capture credentials, financial transactions, payment card data, and permit legitimate third-party vendor tools to facilitate unauthorized access to sensitive data.
News alerts and announcements of client-side breaches, including e-skimming and Magecart malware infused cyber attacks demonstrate many examples where web applications and website architectures have been compromised. Many mobile applications are also being compromised via skimming malware, web-based supply chain attacks.
Let’s look at the most popular targeted data assets and determine if such data assets are worth protecting:
The street language of risk assessment and mitigation is ultimately measured in currency (dollars, British Pounds sterling, Euros, etc.) Evaluating security related risk to web front-end data in terms of monetary value is an important step towards prioritizing the protection of the most critical of information assets.
According to payment card industry sources, failing to comply with the PCI Data Security Standard (DSS) and resulting data breaches could result in industry-imposed fines, penalties and unwelcomed litigation. Fines from the major card brands for PCI DSS non-compliance can range from $5,000 to $100,000 US depending on the level of verified due diligence exercised by a compromised business entity. The less due diligence demonstrated by a breached organization, the higher the fines, penalties and liabilities. Other breach related consequences can include the following:
These questions will help in deciding where client-side security lands on your ecommerce risk management priority list:
Magecart related malware attacks were confirmed to have successfully breached at least 19,000 Internet domains in 2019 alone. Macy’s, Ticketmaster, American Cancer Society, P&G's First Aid- Beauty, British Airways, Newegg, and many other organizations have reported successful digital skimming attacks. The vast majority of cyber skimming victims, however, are inflicted upon small to medium-sized organizations with 50 to 1000 employees. Costs of web skimming breaches can range from tens of thousands to hundreds of millions of dollars along with a high probability of putting some affected entities out of business.
$650 Million to $6 Billion
GDPR fine notice
$10’s of millions
Legal, Forensics, and other costs
Brand safety and reputation
Hundreds more web supply chain-based breaches of the front end user experience: