credit card skimmers (in JS)


MrPhil


An interesting (and concerning) article: https://arstechnica.com/information-technology/2019/03/a-new-rash-of-highly-covert-card-skimming-malware-infects-ecommerce-sites/?comments=1. It seems there are ways to inject encoded JavaScript credit card skimmers into shops (Magento, so far, has been hit hard). One of the comments brought up Content Security Policies to control where JavaScript comes from on your site.


Hey Phil, thanks for this article!  I actually shop at one of the six they say is still infected, although I haven't in a while.  cajungrocer.com sells, as you would guess, Cajun food and ships nationwide.  Actually, they had an OSC based site at first, then switched to a slow ass Magento several years ago.


I'm not really a dog.


I've seen some Magento sites that are set up better and not so slow, but more often than not, they are slow.  I try to make my site as fast as I can.  I also try to make my site secure.  Actually, your post got me going on running different security scans on my site, and I implemented a few changes to improve security.  At the same time, I spent some time scanning cajungrocer.com, and they are not very good for security.  Problem is, I like many of the items they sell, but they have a lot of room to improve.

Here are a couple of the additions I made to my .htaccess today.

Header always append X-Frame-Options SAMEORIGIN

Header set X-XSS-Protection "1; mode=block"
Header set X-Content-Type-Options nosniff

A while back I added this

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

I also set secure cookie and some other settings. 

I'm not really a dog.

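An added example, not code from the thread or from osCommerce: a small checker that takes a captured set of response headers and reports whether the directives set above are present and whether a Content-Security-Policy (the control mentioned in the first post) actually restricts where scripts may load from. SAMPLE_HEADERS and cdn.example are constructed values.

```python
"""Audit HTTP response headers for the hardening discussed in this thread."""
import re

# Constructed sample response headers, not captured from any real shop.
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example; object-src 'none'",
}


def parse_csp(value):
    """Turn a CSP header value into {directive: [sources]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def csp_script_findings(policy):
    """Flag script-src settings that let a script load from anywhere or run inline."""
    findings = []
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return ["no script-src or default-src: scripts may load from any origin"]
    for src in sources:
        if src in ("*", "'unsafe-inline'", "'unsafe-eval'", "data:", "http:", "https:"):
            findings.append(f"script-src allows {src}")
    return findings


def audit_headers(headers):
    """Return a list of findings; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    if not m or int(m.group(1)) < 31536000:
        findings.append("HSTS missing or max-age shorter than one year")
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options missing")
    if "content-security-policy" in h:
        findings.extend(csp_script_findings(parse_csp(h["content-security-policy"])))
    else:
        findings.append("no Content-Security-Policy header")
    return findings
```

Feed it the headers from a real response (for example, the dict returned by your HTTP client) and treat any non-empty result as something to fix.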


Indeed, the bastards never do :( .

Let me take the opportunity to clarify that this is not the same thing as "credit card skimmers" found attached to physical ATMs, gasoline pumps, etc. (things that take credit and debit cards). Those read and record magnetic stripe data, and usually there is a small camera nearby to record you entering the PIN. New cards can be created with this data and used to suck your account dry. Always keep an eye open for loose or mismatched parts where you stick your card in, and try to conceal your use of the keypad (get up close to it, possibly shield it with your hand -- you never know where the camera is). Signs directing you to use a specific gas pump, etc. are another tip-off. Report suspicious setups to the store manager or the police. Enjoy Spring and stay safe!
