Customers need to keep security of web applications and mobile apps up to date

Just two weeks ago, British Airways announced that credit card details of over 380 000 of their customers were stolen from their website and mobile app.  Hackers obtained names, street and email addresses, credit card numbers, expiry details and security codes – enough information to steal from customers’ bank accounts. 

BA joins the ranks of other airlines that have admitted data breaches in recent months.  A month ago, Air Canada confirmed a data breach on its mobile app, which the airline said may affect up to 20 000 people.  Attackers may have accessed basic profile data, including names, email addresses and phone numbers — but also more sensitive data that users may have added to their profiles, including passport numbers and expiry date, passport country of issuance, NEXUS numbers for trusted travellers, gender, dates of birth, nationality and country of residence.  Delta Air Lines said earlier this year that customer data had been stolen after a security lapse at one of its third-party customer support service vendors.

The hackers behind the BA data breach are suspected to be the threat actor group known as Magecart.  The group acts globally and, in the same week that the BA compromise was reported, two additional companies fell victim to them – a push notifications services provider, Feedify, and an online retailer, Groopdealz.  Ticketmaster, a global entertainment ticketing service, was another of its victims earlier this year.  Magecart seems to have made online skimming (stealing card details and personal information while you transact) their main business, and as many as 7 500 individual e-commerce sites have been infested with their skimming malware.

The impact of such data breaches on the companies involved is massive.  Notwithstanding the reputational damage, personal data losses carry with them a penalty of up to 4% of annual global revenue under the General Data Protection Act (GDPR).  Companies are also required by the GDPR to report the data breach to the regulator within 72 hours of the organisation becoming aware of it – even if not all the details are known.  Where the breach poses a high risk to the consumer (data subject), those individuals affected must also be informed without undue delay.  Hacked organisations are often compelled to offer identity theft insurance to affected customers.

Efficient and effective breach detection and response is vital, and the GDPR places a greater burden on businesses than ever before to ensure that they have robust cyber security procedures and policies in place, that they are able to detect and identify data breaches swiftly, and that they implement efficient and effective procedures for breach investigation and reporting.  Lack of such preparation almost guarantees maximum penalties.

Of course, prevention is far preferable.  To this end, it helps to understand what cybercriminals do to take control of your infrastructure, and to take steps to mitigate it.  In many cases, hackers used a ‘cross-site scripting’ attack, in which they target a poorly developed or maintained web page component and inject their own code into it, to alter the target web site's behaviour.  In the case of the BA breach, their Android app was built off the same code as the compromised portion of the airline's website – not an unusual practice – and this resulted in the app being compromised too (according to threat detection firm RiskIQ).

Thus, it is important that your web applications and mobile apps undergo frequent security testing and maintenance.  The BA baggage handling application, which had not been updated since 2012, is suspected to have been the initial weak point through which hackers planted their malware (RiskIQ).  Similarly, in nearly all cases, the other 7 500 sites compromised by the Magecart group were missing vital patches or ran outdated versions of software.

The risks lie not only with your web and app services.  Don’t forget about the security of third-party plug-ins – such as web traffic monitoring, advertising management or automated chat solutions.  These too can be a potential access point into your infrastructure – as in the case of Ticketmaster, where a poorly integrated customer support chat application was used to plant the data skimming script onto the website.
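
As an added illustration (not part of the original article), the Python sketch below inventories the scripts a page loads from other hosts and flags any that lack a Subresource Integrity `integrity` attribute or load over plain HTTP. The page URL, host names and HTML are constructed, and treating only an exact host match (plus an optional allowlist) as first party is an assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _ScriptCollector(HTMLParser):
    """Collects the attributes of every <script src=...> tag."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script" and attrs.get("src"):
            self.scripts.append(attrs)


def audit_scripts(page_url, html, first_party_hosts=()):
    """Return [(script_url, [reasons])] for externally hosted scripts that
    run on the page without integrity pinning or over plain HTTP."""
    own_hosts = {urlsplit(page_url).hostname, *first_party_hosts}
    collector = _ScriptCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.scripts:
        url = urljoin(page_url, attrs["src"].strip())
        parts = urlsplit(url)
        if parts.hostname in own_hosts:
            continue  # served by us: covered by our own patching and review
        reasons = []
        if parts.scheme != "https":
            reasons.append("loaded over plain HTTP")
        if not attrs.get("integrity"):
            reasons.append("no integrity attribute")
        if reasons:
            findings.append((url, reasons))
    return findings


# Constructed sample: a checkout page that pulls in vendor scripts.
SAMPLE_PAGE = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.vendor.example/lib.min.js"
        integrity="sha384-CONSTRUCTED-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://chat.vendor.example/widget.js"></script>
<script src="http://ads.vendor.example/tag.js" async></script>
</head><body><form id="payment"></form></body></html>
"""

if __name__ == "__main__":
    for url, reasons in audit_scripts("https://shop.example/checkout", SAMPLE_PAGE):
        print(url, "->", "; ".join(reasons))
```

Integrity pinning only suits vendor files that are versioned and static; a script the vendor changes in place cannot be pinned, so it needs contractual and monitoring controls instead.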

Poor credential management, especially in respect to administrator and developer passwords, is also a frequent root cause.  Hackers rely on weak password policies (default and weak passwords or lack of change intervals) to establish a foothold in your network and launch further attacks from within – effectively bypassing perimeter controls.  Consider implementing solutions such as one-time passwords to strengthen privileged access controls, and regularly review access privileges to your e-commerce infrastructure.

When it comes to mobile apps, data breaches are frequently attributed to insecure data storage and leakage, poor implementation of cryptographic controls, bad client password policies and improper session handling (where the previous session continues for a long period even after the user has switched away from the application).  Good practice guidelines for secure mobile app development have been published by both OWASP (Open Web Application Security Project) and NIST (National Institute of Standards and Technology).  Use these to guide your development efforts and ensure your apps are effectively tested for security before publishing to the app stores.

Lastly, when in doubt, consult a security specialist.  Regular check-ups go a long way to keeping your services safe for consumers.

Kris Budnik is the lead partner for PwC Cyber Africa, with 20 years’ operational and advisory experience in the industry. Kris has led engagements in Information Security Architecture, Information Security Audit, Advisory and Consulting, and is a subject matter expert in IT and Cyber-Security, Vulnerability Management, IT and Security Governance, Data Privacy, as well as Systems Risk Management and ICT Compliance Management. In his professional capacity, working as a volunteer to the IT Governance Institute (ITGI), Kris has contributed to the development of the COBIT 4.1 Implementation guide, COBIT Control Practices, VALIT 2.0 as well as the VALIT Assurance guide. Kris also serves as a Board Subcommittee advisor on Cyber, as CISO, or as an advisor to the CISO, at a number of large and medium size retail and financial services institutions.