Macy’s is a popular shopping destination and a breach before christmas shopping is a scare. On October 15 it notified customers of a magecart card-skimming device. The unauthorized code on payment page (checkout & wallet) could have accessed name, address, city, phone, email, payment card number, card security code, card month/year of expiration.
Why It Happened ?
Magecart card skimming code was added to payment checkout and wallet page. Magecart is known for digital credit card theft. This unauthorized code was stealing sensitive information such as card details, cvv, motnh of expiration etc. It is the digital form of a card skimmer which otherwise affects a POC. In this kind, one may insert malicious code on pages that take card information for online payments. This information later may directly be misused by the attacker or post selling in the black market. An anonymous investigator in this case reported an error log file was tampered to include malicious code. It is almost impossible for a customer to understand this kind of threat, the retailers have to maintain strict testing and security standards to prevent it.
Macy’s informed the federal law enforcement, had a forensic firm do a thorough investigation, notified the affected customers, notified the card companies whose customers were involved. They have also arranged to provide identity protection services free of cost for a year
What Can You Learn ?
The above attack used various loopholes at various stages and we can list a few mitigation steps from it.
- Alert On Malicious Activity proper controls to alert systems whenever there is unexpected behaviour is a must. This will reduce window of misuse
- Testing & Fixing Bugs continuous testing of bugs and fixing areas from where malicious code can be injected
- PII regulations within the company for careful distribution of PII. Collection of PII only restricted to only when absolutely necessary