Research: Customer Data Up for Grabs Due to Poor Site Security

Research: Customer Data Up for Grabs Due to Poor Site Security

July 23, 2020

Many global brands fail to implement controls to prevent data leakage and theft, according to new research from Tala Security’s Global Data at Risk – 2020 State of the Web Report.

 

The study, which analyzed the security posture of the Alexa top 1000 websites, found what the firm referred to as a “lack of security controls required to prevent data theft and loss through client-side attacks like Magecart, formjacking, cross-site scripting, and credit card skimming.”

 

These attacks exploit vulnerable JavaScript integrations running on 99 percent of the world’s top websites,” said Tala in a summary of the findings.

 

Only 1.1 percent of websites were found to have effective security in place—an 11 percent decline from 2019, according to the figures. And the research also found 92 percent of websites expose data to an average of 17 domains. 

 

“Nearly one-third of websites studied expose data to more than 20 domains. This provides some insight into how and why attacks like Magecart, formjacking and card skimming continue largely unabated.”

 

“This is PII, credentials, card transactions, and medical records,” said Tala researchers. “While most users would reasonably expect this data to be accessible to the website owner’s servers and perhaps a payment clearing house, Tala’s analysis shows that this data is exposed to nearly 10X more domains than intended. Nearly one-third of websites studied expose data to more than 20 domains. This provides some insight into how and why attacks like Magecart, formjacking and card skimming continue largely unabated.”

 

Tala said it found over 99 percent of websites are at risk from trusted, whitelisted domains like Google Analytics. These can be leveraged to exfiltrate data, underscoring the need for continuous PII leakage monitoring and prevention. 

 

Java Problems Persist and Worsen

 

Tala also says when benchmarked against a similar study in 2019, current research indicates that security effectiveness against JavaScript vulnerabilities is declining. The average website includes content from 32 third-party JavaScript vendors, up slightly from 2019. 

 

“Without controls, every piece of code running on websites—from every vendor included in the site owner’s website supply chain—can modify, steal or leak information via client-side attacks enabled by JavaScript,” said Tala. “In many cases, this data leakage is taking place via whitelisted, legitimate applications, without the website owner’s knowledge.” 

Previous-Article-CNP  Next-Article-CNP

New call-to-action

 

  • Share this Article:
Joan Goodchild

Lastest Fraud News