Auditing Archives: The Case of the Evil JavaScript


Gary Glover

Dynamically included script is usually good, but no good deed goes unpunished.

This post is part of the Auditing Archives series. I hope the security failures I've seen while auditing businesses will inspire better practices that protect your own business.

Virtually all ecommerce sites include third-party scripts on their pages. Google Analytics, for example, provides a free, in-depth view of site traffic and visitor demographics. Other common third parties include widget providers, marketing firms, and social media platforms.


The problem comes when a web developer includes third-party script on pages that accept sensitive information, such as a payment page or a login page. Once the browser loads that script, it runs with the same privileges as the site's own code: it can read every form field, watch keystrokes, and make outbound requests. If the third party's code has been compromised and modified to do something beyond its original purpose, the attacker can use that modified script to harvest data from the page. Such an 'evil script' can read the values a shopper has typed (credit card numbers, passwords, and other sensitive information) and send them back to its creator, and the site's own server never sees anything unusual because the theft happens entirely in the visitor's browser. The practical defence is to keep third-party script off pages that handle card data altogether; where a script is unavoidable, pin it to known bytes with a Subresource Integrity hash and restrict where scripts may load from with a Content Security Policy.

A companion slide deck from SecurityMetrics, "Auditing Archives: The Case of the Evil Java Script", accompanies this post.
