EU Publishers: Clean up your cookies or get burned by GDPR

This article originally appeared in Digiday: https://digiday.com/sponsored/mediatrustbcs-008-eu-publishers-clean-cookies-get-burned-gdpr/ 

The ticking clock on the General Data Protection Regulation (GDPR) website is a stark warning for digital publishers behind on preparations for the EU’s massive expansion of data privacy rules. The GDPR is coming, and soon.

Europe’s privacy laws are tightening even further, potentially limiting the data that publishers can collect and the ways they can collect it. The GDPR is technology neutral: but – once again – it’s the cookie that will be caught in the GDPR’s crosshairs. The GDPR has broadened the scope of personal data to include online identifiers, such as cookies and other identifying code such as pixel fires or device fingerprinting). Cookies gathering user data without a lawful basis (e.g. consent) will fall on the wrong side of GDPR. That puts publishers at risk of potentially groundbreaking fines and penalties. That’s why we’ve prepared this guide to the three types of cookies to watch out for, and how publishers can manage them.

https://digiday.com/sponsored/mediatrustbcs-008-eu-publishers-clean-cookies-get-burned-gdpr/

Continue reading

Ecommerce: Payment card stealing malware

Authored by Chris Olson, CEO and Co-Founder, The Media Trust.

Malware compromise demonstrates how payment security standards are in dire need of an update for the digital environment.credit cards falling as dominoes

A bad actor has upped the stakes in his campaign to collect consumer payment card information by expanding his reach to mid-tier ecommerce providers across the US, UK and India, covering a range of industries including apparel, home goods, beauty and sporting event registrations.

Echoing a similar scenario observed over Memorial Day weekend in 2016, the bad actor injected a transparent overlay on top of the credit/debit card information block on a payment page so that a victim’s financial information is surreptitiously collected and sent to another party, not the e-retailer.

Considering these ecommerce firms earn anywhere from a $10,000 to $400,000 a day, the ecommerce firms risk significant revenue loss and negative consumer confidence. In addition, they also demonstrate inadequate security processes, even though these processes may comply with Payment Card Industry (PCI) standards.

[Please note, The Media Trust has a policy of not revealing the names of websites experiencing an active compromise. Affected ecommerce site operators were, however, notified of this breach.]

The big picture

The infection gradually spread to a number of small and mid-tier ecommerce sites in the US, UK and India, over the last few days. Upon analysis, The Media Trust discovered that each ecommerce provider uses the same open source content management system (CMS) to serve as the consumer-facing front end. The CMS platform’s master page script is infected with one of the several malicious domains. The malicious domain is present in the website’s footer section which means that it permeates every page of the site and not just the checkout page.

In addition, researchers detected multiple domain pairs, which were registered by the same bad actor within the past few months and labeled as suspicious by The Media Trust within two weeks of creation. The domains are now overtly malicious. To avoid detection, the malicious domains execute over varying time intervals and, in at least one instance, move from website to website across the three regions.

Scenario breakdown

In the course of supporting our clients, The Media Trust first detected the malicious actor via client-side scans of advertising-related content, i.e., creative, tags and landing page. The ecommerce site serves as the landing page for an advertising campaign.

The actor used multiple techniques to carry out his attack. In the following scenario, the landing page contains <assetsbrain[dot]com>, extraneous code unnecessary for the proper execution of a payment.

Image 1Malicious domain in the website’s footer

When the victim chooses to make a purchase via the checkout page, <assetsbrain[dot]com> performs two distinct actions: executes JavaScript to inject a transparent overlay on top of the payment card information block and drops a user-identifying cookie.

Ecommerce Post Image 2.pngExecution of transparent overlay

After input of card details, the malicious domain sends the information to <bralntree.com/checkPayments[dot]php>, an obvious spoof of a common payments platform.

Because the ecommerce operator doesn’t receive the card details, the shopper receives an error message and/or request to re-submit their payment information. The unauthorized cookie identifies the user and therefore does not execute the malicious script when the user re-enters the payment card information.

Online transactions remain a risky endeavor

In the realm of compromises, this infection highlights the inadequacy of current PCI security standards. Issued by the Payment Card Industry Council in 2005, the PCI Data Security Standard (PCI DSS) aims to protect cardholder data used during online financial transactions. Backed by the world’s largest credit card issues, PCI DSS requires online merchants to conform to a set of standards such as regular website and server vulnerability checks.

The affected ecommerce sites do not have certifications or seals demonstrating PCI compliance. Their privacy policies declare regular scanning and website security policy review; however, these processes are insufficient, since traditional web application security (appsec) solutions are not able to effectively detect malicious behavior executing via third-party code.

Proving the fallibility of traditional web application scanning utilities, all domains (ecommerce providers, initial malicious domain and spoofed payments platform) are considered clean by VirusTotal as of early morning May 16.

Protect your business by securing your revenue stream

Any size ecommerce provider can protect their revenue and reputation by adopting the following website risk management strategies:

  • Secure your CMS platform: Review security processes with the CMS platform and keep all code and plugins up to date.
  • Surpass PCI DSS standards. Demand more rigorous scanning of the entire website to identify compromise of both owned and third-party code not visible to the website operator.
  • Audit operations. Document all vendors and their actions when executing on your website. This helps you quickly identify anomalous behavior and establishes a remediation path.

The Blind Spot in Enterprise Security

Website security is overlooked in most IT governance frameworks. 

website security blindspot

Managing a website isn’t as easy as you think. Sure, you test your code and periodically scan web applications but this only addresses your first-party owned code. What about third-party code?

Considering more than 78% of the code executing on enterprise websites is from third-parties, IT/ website operations departments cannot truly control what renders on a visitor’s browser. This inability to identify and authorize vendor activity exposes the enterprise to a host of issues affecting security, data privacy and overall website performance. And, your website isn’t immune.

Masked vulnerability: What you don’t know can hurt you

The fact that the majority of the code executing on an enterprise website is not seen, let alone managed, does not absolve the enterprise from blame should something go wrong—and it does.

Much publicized stories about website compromises and digital defacement point to the embarrassing reality that websites are not easy to secure. But that’s not all.

Digital property owners—websites and mobile apps—are beholden to a series of regulations covering consumer privacy, deceptive advertising, and data protection. The U.S. Federal Trade Commission U.S. has dramatically stepped up enforcement of deceptive advertising and promotional practices in the digital environment over the past few years and recently signaled interest in litigating enterprises found to be violating the Children’s Online Privacy Protection Act (COPPA).

Data privacy regulations don’t only apply to minors accessing the website. The recent overturning of EU-US Safe Harbor and resulting EU-US Privacy Shield framework calls attention to the need to understand what data is collected, shared and stored via enterprise digital operations.

Don’t forget that these third parties directly affect website performance. Problematic code or behavior—too many page requests, large page download size, general latency, etc.—render a poor experience for the visitor. Potential customers will walk if your website pages take more than two seconds to load, and third parties are usually the culprits.

The problem is that the prevalence of third-party code masks what’s really happening on a public-facing website. This blindness exposes the enterprise to unnecessary risk of regulatory violations, brand damage and loss of revenue.

Seeing through the camouflage

This is a serious issue that many enterprises come to realize a little too late. Third-party vendors provide the interactive and engaging functionality people expect when they visit a website—content recommendation engines, customer identification platforms, social media widgets and video platforms, to name a few. In addition, they are also the source of numerous back-end services used to optimize the viewing experience—content delivery network, marketing management platforms, and data analytics.

Clearly, third parties are critical to the digital experience. However, no single individual or department in an organization is responsible for everything that occurs on the site—marketing provides the content and design, IT/web operations makes sure it works, sales/ecommerce drives the traffic, etc. This lack of holistic oversight makes it impossible to hold anyone or any group accountable for when things go wrong that can jeopardize the enterprise.

Case in point: can you clearly answer the following:

  • How many third-party vendors executing on your website?
  • How did they get on the site, i.e., were they called by another vendor?
  • Can you identify all activity performed by each vendor?
  • What department authorized and takes ownership of these vendors and their activity?
  • How do you ensure vendor activity complies with your organization’s policies as well as the growing body of government regulations?
  • What is the impact of individual vendor activity on website performance?
  • What recourse do you have for vendors that fail to meet contractually-agreed service level agreements (SLA)?

Questions like these highlight the fact that successfully managing an enterprise website requires a strong command of the collective and individual technologies, processes and vendors used to render the online presence, while simultaneously keeping the IT infrastructure secure and in compliance with company-generated and government-mandated policies regarding data privacy.

Adopting a Website Governance strategy will help you satisfy these requirements.

Take back control

What happens on your website is your responsibility. Don’t you think you should take control and know what’s going on? It’s time you took a proactive approach to security. The Media Trust can shine a light on your entire website operation and alert you to security incidents, privacy violations and performance issues.