Digital Skimming and Magecart
How to Mitigate Client-side Supply Chain Threats
When users create or log into an account, complete a transaction or submit a form of any kind, they are trusting you with their sensitive personal data. If your site collects credentials, credit card numbers and other personally identifiable information (PII), you are taking responsibility for protecting a piece of your users’ identity. But did you know that using client-side code from third-party libraries can put you at risk of a data breach and potentially make you noncompliant with data privacy regulations?
Third-party Code Leaves You Vulnerable
Real-world examples of client-side supply chain attacks include the recent attack on Segway that exposed the credit card data of its global users, and the infamous attack on British Airways that cost the company £183.39 million — approximately $229 million — in regulatory fines. The fine was ultimately lowered to £20 million, or $26.13 million — a relative victory, but still a huge financial loss that could have been avoided.
If your business suffers a client-side supply chain attack, the negative impact can be devastating. This includes regulatory fines, lawsuits, damage to brand reputation, loss of consumer trust, impaired site functionality and lower stock value.
How to Manage Client-side Threats
- Get real-time visibility into your client-side code - Maintain a complete view of the first-, third- and nth-party client-side scripts running in your environment.
- Analyze client-side code - Evaluate how scripts are interacting with your website, what additional scripts they are interacting with and if they are accessing sensitive information.
- Identify high-risk incidents - Determine PII, PCI and vulnerability incidents that response teams should prioritize. Actions such as HTTP requests to a new domain can signal that an investigation is warranted.
- Get 360-degree contextual details - Drill into specific incidents to gather additional information, including when it happened, what actions were taken, the domains involved and how many users were impacted.
- Continuously optimize - Analyze data to see incident trends week over week and track the reduction of PCI and compliance exposures, so you can optimize your future responses.
Enable Comprehensive Mitigation
CSP limits the threat of cross-site scripting (XSS) attacks by directing the browser to enforce certain client-side policies and restrict which scripts and resources it may load for a given website. For example, the script-src directive in CSP can specify an allowlist of known domains from which scripts may be loaded. Unfortunately, CSP is all or nothing. It can thwart an attack that injects malicious code from an unauthorized domain, but it decides per script source, not per line of code, so if a trusted script is compromised it must stop the whole script.
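To make the allowlist mechanism and its "all or nothing" limit concrete, here is a small evaluator for the script-src directive. It is an added example, not code from the original page or from PerimeterX; the policy, page origin and script URLs are constructed, and it models only 'self', 'none' and host sources (nonces, hashes, scheme-only sources, path matching and 'strict-dynamic' are omitted).

```javascript
// Added example (not from the original page): a simplified CSP script-src evaluator.
// Host sources: optional scheme, optional "*." wildcard, host, optional port.
const HOST_SOURCE = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)(?::(\d+|\*))?$/i;
const DEFAULT_PORT = { http: "80", https: "443" };

// Return the source list of one directive from a Content-Security-Policy value, or null.
function directiveSources(policy, name) {
  const parts = policy.split(";").map((d) => d.trim().split(/\s+/))
    .find((tokens) => tokens[0] === name);
  return parts ? parts.slice(1) : null;
}

function sourceMatches(source, scriptUrl, pageOrigin) {
  const url = new URL(scriptUrl);
  if (source === "'none'") return false;
  if (source === "'self'") return url.origin === pageOrigin;
  const m = HOST_SOURCE.exec(source);
  if (!m) return false; // keyword we do not model, e.g. 'unsafe-inline'
  const [, scheme, wildcard, host, port] = m;
  const urlScheme = url.protocol.slice(0, -1);
  const wantScheme = (scheme || new URL(pageOrigin).protocol.slice(0, -1)).toLowerCase();
  // An http source also permits https (upgrade is allowed, downgrade is not).
  if (urlScheme !== wantScheme && !(wantScheme === "http" && urlScheme === "https")) return false;
  const h = url.hostname.toLowerCase(), want = host.toLowerCase();
  if (!(wildcard ? h.endsWith("." + want) : h === want)) return false; // "*.x" never matches bare "x"
  const urlPort = url.port || DEFAULT_PORT[urlScheme] || "";
  if (port === "*") return true;
  return port ? port === urlPort : urlPort === (DEFAULT_PORT[urlScheme] || "");
}

// true if the policy lets the page at pageOrigin load scriptUrl as a script.
function isScriptAllowed(policy, scriptUrl, pageOrigin) {
  // script-src falls back to default-src; with neither present, scripts are unrestricted.
  const sources = directiveSources(policy, "script-src") ?? directiveSources(policy, "default-src");
  if (sources === null) return true;
  return sources.some((s) => sourceMatches(s, scriptUrl, pageOrigin));
}

// Constructed policy and URLs for a hypothetical checkout page.
const POLICY = "default-src 'self'; script-src 'self' https://cdn.example.com";
const PAGE = "https://shop.example";
console.log(isScriptAllowed(POLICY, "https://shop.example/js/checkout.js", PAGE)); // true
console.log(isScriptAllowed(POLICY, "https://cdn.example.com/lib.js", PAGE));      // true
// An injected loader pointing at an unlisted domain is refused outright.
console.log(isScriptAllowed(POLICY, "https://attacker.invalid/loader.js", PAGE));  // false
// The "all or nothing" limit: the policy judges the source, never the script's
// contents, so a skimmer spliced into cdn.example.com/lib.js is still allowed.
```

A browser would also send a violation report for the blocked load if the policy carries report-to or report-uri, which is the detection signal for "HTTP requests to a new domain" mentioned above.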
Reduce Your Risk in Real Time
When it comes to comprehensive mitigation, PerimeterX Code Defender has got you covered. This web app security solution provides comprehensive real-time visibility, control and mitigation of client-side threats to your website. By continuously monitoring and analyzing the behavior of all client-side scripts in real users’ browsers, Code Defender identifies script vulnerabilities, detects anomalous script behavior and proactively mitigates risk.
This ensures that your website is secure and compliant, while freeing your development team to focus on innovation. Learn more about Code Defender here.