A cyber-security firm has said it found a malicious script injected into the British Airways website, which could be the cause of a recent data breach that affected 380,000 transactions. A RiskIQ researcher analysed code from BA’s website and app around the time when the breach began, in late August. He claimed to have discovered evidence of a “skimming” script designed to steal financial data from online payment forms.
Commenting on the news and offering insight are the following security researchers:
Javvad Malik, Security Advocate at AlienVault:
The BA breach is still being investigated, so we won’t know for sure how the actual attack was undertaken until an investigation is complete, but the RiskIQ theory is plausible and brings to light useful reminds for all other companies.
Some security learnings other companies can take away from this include:
- It’s important for businesses, particularly those which conduct online transactions to remember their websites and apps will nearly always be the first point of attack. Therefore, it is important to invest in solid security controls and ongoing assurance checks to validate the security. This includes a mixture of penetration testing, code reviews, and vulnerability scanning.
- Security extends beyond the company to the supply chain. It is not enough to simply trust a third party will do its best to prevent itself being used as a conduit for malicious activity. Companies should establish parameters within which third parties can operate and monitor for any unauthorised deviations.
- Enterprises should learn from the experiences of others. If indeed the BA attack is the same as the Ticketmaster one, then other online businesses should also be aware and protect themselves from such attack vectors. The use of threat data can help companies keep up to date and informed of new attacks.
In summary, having good web application security, monitoring, threat detection, and threat data will be most beneficial to organisations.
Jake Moore, Ssecurity Specialist at ESET:
“Whilst the recent attack on BA seems to have been targeted with specific malicious code injected into its website, the attackers are most likely trawling 1000s of websites looking for opportunities to take advantage of. Hackers are likely to have used a “cross-site scripting” attack which identifies web page components that are poorly secured with. With infrequent monitoring of these webpages, they then inject their own code into it to alter the site’s behaviour. As the particular attack doesn’t actually penetrate the company network, it is usually harder to identify and stop and simply carves any data inputted into the site at the time of entry. The problem is, there is little more that BA could have done apart from inspecting the site’s code to monitor modifications on a more regular occurrence.
We are currently sitting on an extremely unstable digital platform where hacks can go undetected for far too long which is damaging confidence and not to mention share prices. We desperately need to build a stronger and more robust financial transfer system that encrypts and verifies more often. I do not think BA are hugely to blame here and hopefully with this, along with other recent large attacks (namely Ticketmaster), we will see a shift in more secure transactional systems in the future.
I find it astonishing that we have spent so much money on multi-factor authentication when it comes to logging into accounts and sending money via bank accounts, yet if I view someone’s card number at the till and they flip it over to view the “security” CVV number on the back, I could then go on a shopping spree all over the world undetected. We are all starting to use our phones to verify our identity so why can’t we introduce multi-factor authentication as standard when it comes to online payments attached to our cards? It would instantly reduce the demand for stolen credit card data as it would simply not work without the verification form the card owner.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.