Why iFrames alone won’t stop web skimming attacks from stealing customer data

Web skimming and Magecart headlines have taken the online world by storm over the past year as attackers have infected sites like Macy’s and Sweaty Betty, leaving organizations to consider what technologies will prevent these data breaches from happening to them. In many cases, security teams are tasked with understanding the differences between the protection offered by iFrames and the data-level protection provided by Instart Web Skimming Protection.


Here is how companies should think about this:

  1. IFrames: Data in the iFrame is isolated from attack
    An iFrame provides web developers with the ability to embed one web page into another web page. For example, an organization using a third-party payment processor to complete transactions may host that code within an iFrame to isolate the sensitive information customers enter when they make a purchase. In this case, an iFrame would allow web developers to create their own checkout page, while leveraging a container for sensitive data processing. This would provide customers with a single, cohesive experience when checking out on a website. If an attacker were to target this checkout page with a web skimming attack, the iFrame would protect the sensitive customer information entered from any malicious JavaScript.

    Limitation: Not all sensitive data lives in iFrames. 
    While Magecart attackers have made headlines for stealing credit card numbers via web skimming, these attacks are also used to steal other personal data, such as usernames, passwords, emails, addresses, social security numbers, cookies, and various other pieces of sensitive information. This is where the protection offered by iFrames is limited. IFrames are only able to protect the data entered into them, such as a credit card number being entered into a website leveraging a third-party payment vendor’s iFrame. Unfortunately, all other data on the page, such as account login fields, website fields used to create an account, and cookies exist outside the iFrame’s container — leaving them vulnerable to malicious JavaScript.

  2. Instart Web Skimming Protection: Restrict data access directly in the DOM 
    Instart Web Skimming Protection provides data-level protection of the actual data in the Document Object Model (DOM). For example, any script attempting to read a field where a credit card number is entered would be blocked unless specifically whitelisted. This allows web developers to use all of the forms and cookies they require to create amazing web experiences and trust Instart to provide the precise controls over what first-party and third-party JavaScript is able to access on a web page, ensuring that bad scripts are unable to access the data in the first place.

    Limitation: Instart can’t protect data that doesn’t exist in the DOM.
    While Instart protects data entered into form fields and saved in cookies on your website from malicious JavaScript, it can’t protect data that isn’t actually present on a web page. In other words, Instart can’t put controls in place to protect data in iFrames because that data does not actually exist within the DOM of your website — it is in a proverbial container. That said, web skimmers aren’t able to see iFrame content either, making iFrames a secure mechanism to protect sensitive data. 

Important note: If your third-party provider is attacked, your customer information could be susceptible to theft, but the responsibility for that breach would fall on the third-party provider. However, as your website collected the sensitive information, your brand reputation could still be impacted since most customers don’t differentiate between your company and the vendors you choose to implement.

Protecting web apps from Magecart and other web skimming attacks will be a top priority for any organization with an online presence. It’s essential for companies to assess the types of content they have on their site — including third-party scripts and iFrames — and create a strategy to secure any and all information collected on their website.

When putting together a comprehensive approach, it’s important to understand that you are responsible for securing all of the data you collect outside of an iFrame — whether from website forms, cookies, or scripts from third-party vendors. To avoid data being compromised by web skimming, a strong security strategy will require a combination of tools to protect all of the information on your website — relying on a single type of protection, such as iFrames, will leave customer data vulnerable to attack. 

Learn more about Instart Web Skimming Protection and register for a 30-day free trial.

*** This is a Security Bloggers Network syndicated blog from Instart blog RSS authored by Anton Kim. Read the original post at: