A Close Call Prompts Security Reassessment
Having worked in the industry for over 10 years, I consider myself a veteran cybersecurity professional. Still, that didn’t protect me against (almost) becoming a victim of malware-based credential theft. What looked like a formatting issue on my bank’s login page turned out to be malware, embedded on my computer, trying to steal my bank password.
This was a shock to me. I routinely update my operating system, maintain my antivirus software and I have a wealth of cybersecurity knowledge. Despite this, I still nearly fell prey to attackers! Ultimately, my well-trained eye is to thank for preventing a successful attack, but for most people, this story ends quite differently: with fraudulent transactions, falsified accounts, damage to their credit score, even the possibility of total identity theft and more. It was a sobering experience, but one that also highlighted how inadequate security solutions are at protecting users.
This incident happened at a time when multifactor authentication (MFA) wasn’t yet widely adopted. Naturally, there was a lot of potential for fraud. Although virtual keyboards were already in place to try and prevent those fraudulent activities, it still wasn’t enough. This was a clever way of defeating keyloggers, but that was just the tip of the iceberg.
A class of attacks known as man-in-the-middle (MiTM), and variations such as man-in-the-browser (MiTB), allow attackers to position themselves somewhere in the middle of communications, be it at the network level or somewhere else, and intercept sensitive information. This is exactly what almost happened to me. The near-miss of having my banking credentials almost stolen reinforced what I already thought: existing solutions, at the time, weren’t enough to protect users.
Back then, the onus was entirely placed on the user to guard and secure their credentials and information. Over time, this mindset has shifted, and today, companies are taking greater responsibility for user safety. This is especially true thanks to regulations like GDPR, CCPA and PSD2.
But with the adoption of MFA, more mature web application firewalls (WAFs) and even browser security mechanisms, why are data breaches growing year after year? Some of the latest stats show that the number of exposed records in Q1 2020 was 272% higher than Q1 2019 – and 2019 had already shown an increase of 17% over 2018.
The answer, it seems, is that companies are still playing catch-up when it comes to client-side security. With so many new online shoppers and the web evolving so fast, stopping attackers is becoming increasingly difficult. Today, the pattern seems to be that there is no pattern. Everything is chaos. Companies providing services online are under even greater pressure to protect end users and to make sure that security isn’t an afterthought, even as they pursue accelerated digital transformation. And with so many new stakeholders in the web supply chain, the attack surface is gigantic, and is still growing.
Web skimming attacks like Magecart, in which attackers were able to steal the sensitive data of hundreds of thousands of users in a matter of weeks while flying under the radar, reinforce the idea that the onus of security must be on companies, not users. It also shows that there’s a whole new class of attacks that take advantage of client-side security weaknesses for which a WAF, MFA and/or other security measures are simply not prepared.
Now, it’s time to change the way of thinking about cybersecurity, to understand the urgency of client-side security and the fragility of the web supply chain. Companies must ask questions like, “What are my clients actually seeing when visiting my website? What happens if one of our third-party code suppliers is breached? Which external domains are receiving data coming from my website?” By re-assessing their security posture in this way and finding the answers to these questions, companies can again start outpacing attackers, ensure compliance with regulations and keep their users safe.
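One concrete way to start answering "Which external domains are receiving data coming from my website?" is to deploy a Content-Security-Policy with a reporting endpoint and triage the violation reports the browsers send back. The following script is an added example, not code from the original article: it takes a batch of constructed reports in the `report-uri` JSON format (`{"csp-report": {...}}`), ignores the site's own host and an assumed allowlist of known suppliers, and flags any other host that receives data through `connect-src` or `form-action` violations. The first-party host, the supplier names and the sample reports are all assumptions for illustration; a real deployment would feed the script the reports collected by its own endpoint.

```javascript
// Added example (not from the original article): triage CSP violation reports
// to list which unexpected external hosts receive data from the site's pages.
// Node.js, no dependencies; the WHATWG URL class is global in modern Node.

// Assumptions for illustration: the site's own host and its known code suppliers.
const FIRST_PARTY = "bank.example";
const KNOWN_SUPPLIERS = new Set([
  "cdn.supplier.example",
  "analytics.supplier.example",
]);

// Directives whose violations mean user data was about to leave the page.
const DATA_DIRECTIVES = new Set(["connect-src", "form-action"]);

// Constructed sample reports in the report-uri JSON shape browsers POST.
// The hosts and pages are made up; they are not real incident data.
const SAMPLE_REPORTS = [
  { "csp-report": { "document-uri": "https://bank.example/login",
    "violated-directive": "connect-src",
    "blocked-uri": "https://analytics.supplier.example/collect" } },
  { "csp-report": { "document-uri": "https://bank.example/checkout",
    "violated-directive": "connect-src",
    "blocked-uri": "https://unknown-host.example/gate" } },
  { "csp-report": { "document-uri": "https://bank.example/checkout",
    "violated-directive": "form-action",
    "blocked-uri": "https://unknown-host.example/submit" } },
  { "csp-report": { "document-uri": "https://bank.example/login",
    "violated-directive": "script-src-elem",
    "blocked-uri": "inline" } },
  { "csp-report": { "document-uri": "https://bank.example/login",
    "violated-directive": "img-src",
    "blocked-uri": "https://cdn.supplier.example/logo.png" } },
];

// Extract the hostname of a blocked URI; values such as "inline", "eval" or
// "data" are not network destinations and yield null.
function hostOf(uri) {
  try {
    return new URL(uri).hostname;
  } catch {
    return null;
  }
}

// Is this host the site itself or one of its subdomains?
function isFirstParty(host, firstParty) {
  return host === firstParty || host.endsWith("." + firstParty);
}

// Group reports into: unexpected data sinks (host -> list of {directive, page}),
// the known suppliers that were seen, and the count of non-network violations.
function triageReports(reports, firstParty = FIRST_PARTY, known = KNOWN_SUPPLIERS) {
  const result = { unexpectedDataSinks: {}, knownSuppliers: new Set(), nonNetwork: 0 };
  for (const report of reports) {
    const body = report["csp-report"];
    if (!body) continue; // malformed entry; skip rather than crash the batch
    // Browsers may send "connect-src" or a longer string; keep the directive name only.
    const directive = String(body["violated-directive"] || body["effective-directive"] || "")
      .split(" ")[0];
    const host = hostOf(body["blocked-uri"]);
    if (host === null) { result.nonNetwork++; continue; }
    if (isFirstParty(host, firstParty)) continue;
    if (known.has(host)) { result.knownSuppliers.add(host); continue; }
    if (DATA_DIRECTIVES.has(directive)) {
      (result.unexpectedDataSinks[host] ||= []).push({ directive, page: body["document-uri"] });
    }
  }
  return result;
}

// Render the triage as review lines for whoever owns the policy.
function summarize(triage) {
  const lines = [];
  for (const [host, hits] of Object.entries(triage.unexpectedDataSinks)) {
    const pages = [...new Set(hits.map((h) => h.page))].join(", ");
    lines.push(`UNEXPECTED data sink ${host} (${hits.length} reports) from: ${pages}`);
  }
  lines.push(`known suppliers seen: ${[...triage.knownSuppliers].sort().join(", ") || "none"}`);
  lines.push(`non-network violations ignored: ${triage.nonNetwork}`);
  return lines;
}

console.log(summarize(triageReports(SAMPLE_REPORTS)).join("\n"));
```

The script deliberately reports only on `connect-src` and `form-action`, the two directives that cover data leaving the page (XHR/fetch/beacon destinations and form submissions), because that is the question the article poses; `img-src` or `script-src` violations still matter for a supply-chain review, but they answer a different question. Note that the newer Reporting API (`report-to`) uses a different JSON shape, so the parsing assumptions here would need adapting for it.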