How Backdoors In Client-side Of Web Applications Can Lead To Breaches and GRC Compliance Issues?

February 14, 2020

The client-side browser front-end of any web application is a gateway in and out of our virtual kingdoms. The scripts executed by the client-side web browser are also attractive access points for malicious hackers and thieves to collect sensitive personally identifiable information (PII). By ignoring these significant client-side vulnerabilities, we can be making big mistakes that ultimately lead to data exfiltration and adversely affect Governance, Risk and Compliance (GRC) requirements. How can we prevent that without overwhelming ourselves?

Why Did Client-side Security Become A Lucrative Attack Surface?

The web is no longer just a place to market and sell. It's where organizations operate, help customers learn, purchase, and enjoy their products and services.

The digital user experience is the core of the ecommerce customer experience. Current trends, such as enhancing that experience, gathering business intelligence for digital marketing, and adopting best-of-breed technologies, continue to move software logic to the client side of web applications, which in turn increases the inherent complexity of the environment. The web browser front-end, aka the ‘digital user experience’, actively ingests customer and user information at data input points, and that information can be very sensitive.

Because the web front-end code runs on unmonitored and untrusted devices, application security flaws are routinely leveraged by malware and malicious actors to capture credentials, financial transactions and payment card data, and legitimate third-party vendor tools can be abused to facilitate unauthorized access to sensitive data.

News alerts and announcements of client-side breaches, including e-skimming and Magecart malware-infused cyber attacks, demonstrate many examples where web applications and website architectures have been compromised. Many mobile applications are also being compromised via skimming malware and web-based supply chain attacks.

What Is At Stake?

Let’s look at the most popular targeted data assets and determine if such data assets are worth protecting:

  • Payment card data
  • Authentication and authorization credentials
  • Financial records
  • Customer Personally Identifiable Information (PII)
  • Patient Personal Health Information (PHI)

The street language of risk assessment and mitigation is ultimately measured in currency (dollars, British pounds sterling, euros, etc.). Evaluating security-related risk to web front-end data in terms of monetary value is an important step towards prioritizing the protection of the most critical information assets.

According to payment card industry sources, failing to comply with the PCI Data Security Standard (DSS) and the resulting data breaches can lead to industry-imposed fines, penalties and unwelcome litigation. Fines from the major card brands for PCI DSS non-compliance can range from $5,000 to $100,000 US, depending on the level of verified due diligence exercised by the compromised business entity. The less due diligence a breached organization can demonstrate, the higher the fines, penalties and liabilities. Other breach-related consequences can include the following:

  • Settlements, legal costs, judgments and litigations
  • Fines, penalties, and fraud losses
  • Termination of accepting payment cards
  • Diminished sales
  • Going out of business
  • Cost of reissuing new payment cards
  • Higher future costs of compliance

These questions will help in deciding where client-side security lands on your ecommerce risk management priority list:

  • What happens if your web application was breached yesterday, or is being breached today?
  • What will be the PCI compliance-related forensic investigation costs and associated fines, penalties and liabilities?
  • What will be the cost of remediating breach related vulnerabilities?
  • Are CCPA, GDPR and other privacy regulations applicable? What are the related potential costs?
  • What about lost revenue? How critical is it in terms of brand damage?
  • Will business continuity be impacted?
  • What about lost employee productivity?
  • And more...

When Bad Things Happen

Magecart-related malware attacks were confirmed to have successfully breached at least 19,000 Internet domains in 2019 alone. Macy’s, Ticketmaster, the American Cancer Society, P&G's First Aid Beauty, British Airways, Newegg, and many other organizations have reported successful digital skimming attacks. The vast majority of cyber skimming victims, however, are small to medium-sized organizations with 50 to 1,000 employees. Costs of web skimming breaches can range from tens of thousands to hundreds of millions of dollars, with a high probability of putting some affected entities out of business.

Consequences reported in such breaches include:

  • Lawsuit liability: $650 million to $6 billion
  • GDPR fine notice: $230 million
  • Legal, forensics, and other costs: tens of millions of dollars
  • Brand safety and reputation damage
  • Leadership changes

Hundreds more web supply chain-based breaches of the front-end user experience have been reported.

About the authors

Ivan Tsarynny is CEO and co-founder of Feroot Security, a member of the GDPR Advisory Committee at the Standards Council of Canada, and is based in Toronto, Canada.
David Mundhenk, CISSP, CISA, PCI QSA, PCIP, is a Principal Security Consultant for the Herjavec Group, and a founding member of the PCI Dream Team.