
Challenging Client-Side Security Protection as a "Silver Bullet"

  • Benjamin Hosack
  • May 8
  • 3 min read

Silver Bullet or Simply Part of a Multi-Layered Defence?

With the new PCI DSS Requirement 6.4.3 for eCommerce sites, much is being said around client-side security solutions to meet the PCI DSS Requirements and to combat digital skimming attacks. However, despite the hype, they fall short of being the industry's "silver bullet".


Comprehensive eCommerce Security Monitoring - ThreatView Advanced Edition

Understanding Client-Side Security

Client-side security solutions monitor your website's front-end code as it runs in your customers' browsers. These tools use JavaScript sandboxing and behaviour analysis to identify and block potentially malicious code. Well-marketed solutions include offerings from Human Security, Source Defense, Jscrambler and Reflectiz.


Addressing the Symptoms Rather Than Root Causes

When malicious code appears on your website, it indicates that your infrastructure (or, far more rarely, that of a third party whose scripts you load) has already been compromised. While client-side protection might neutralise some malicious front-end code, it does nothing to stop attackers from getting in initially. Once attackers gain server access, they control:


  • Your entire customer and order database

  • All server-side code and business logic

  • Access paths to internal systems and networks

  • The ability to modify any code or content


Effective security should focus on preventing and/or detecting unauthorized access to your systems, not just limiting potential damage after a breach occurs.


The Fundamental Issue

While client-side security tools make sense as one layer within a multi-layered defence, they should not be treated as a standalone silver bullet, whatever the fanfare currently surrounding the new PCI DSS 6.4.3 requirements.


Why?


When attackers control your server, they can easily:

  • Remove the security script completely, since the server is what delivers it to the browser

  • Modify the security configuration (allowlists, policies) so that their malicious code is permitted

  • Modify the site so that customer data is stolen without the client-side solution ever seeing it, for example by capturing card data server-side as the checkout form is processed, where a browser-side monitor has no visibility at all


The Supply Chain Threat

Vendors of client-side security often highlight supply chain attacks in their marketing - scenarios where criminals compromise trusted third-party service providers used by multiple merchants.


While these attacks are concerning, especially in light of recent events, our experience and data show that they remain rare. Yes, there have been multiple such attacks in the last few years, and security solutions should certainly monitor for them. But compared with direct server compromises, supply chain attacks are currently a much rarer event.


At Turaco Labs, our global monitoring shows digital skimming attacks have increased six-fold over the past two years, affecting hundreds of thousands of online stores, yet only a small percentage involved third-party services. Let me reiterate: this threat should not be ignored, and a security solution should be monitoring for supply chain threats; but in the context of our global stats, supply chain attacks in the eCommerce world are a much rarer event than the usual suspects.


Our Recommended Approach

To effectively protect against digital skimming, take a multi-layered approach:


  1. Implement robust malware and vulnerability monitoring with ThreatView Advanced Edition

  2. Establish effective patch management procedures

  3. Monitor ALL changes to your website file system

  4. Monitor all scripts launched on the site, and check each one for a malicious payload
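
As an added illustration of steps 3 and 4 above, and of the server-side changes described under "Why?" (stripping the protection script, injecting an obfuscated skimmer), here is a small, standard-library-only monitor that baselines a web root, reports added, removed and modified files, and inventories the scripts each page launches. This is example code written for this article, not Turaco Labs' or ThreatView's code; the allowlisted hosts, the required protection script path, the inline-script indicator strings and the sample pages are all constructed for the demonstration.

```python
"""File-integrity and script-inventory monitor for a web root.

Added example, not Turaco Labs / ThreatView code. Everything below the
imports (allowlist, required script, indicators, sample pages) is a
constructed assumption for the demonstration.
"""
import hashlib
import tempfile
from html.parser import HTMLParser
from pathlib import Path
from urllib.parse import urlparse

# Constructed allowlist: hosts this shop expects to load scripts from
# ("" covers relative paths served from the shop itself).
ALLOWED_SCRIPT_HOSTS = {"", "shop.example", "cdn.shop.example"}

# Constructed: script(s) that must be present on every monitored page,
# e.g. a client-side protection script a server-side attacker might strip.
REQUIRED_SCRIPTS = ("/js/csp-monitor.js",)

# Constructed, deliberately coarse indicators of an obfuscated or
# exfiltrating inline script. A real scanner would use many more.
INLINE_INDICATORS = ("atob(", "eval(", "fromCharCode", "unescape(", "new Image(")


def build_manifest(root):
    """Map every file under root (relative POSIX path) to its SHA-256 hex digest."""
    root = Path(root)
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        manifest[path.relative_to(root).as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def diff_manifests(baseline, current):
    """Return added, removed and modified paths between two manifests."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


class _ScriptCollector(HTMLParser):
    """Collect <script src=...> URLs and inline <script> bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external, self.inline = [], []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self.inline.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:  # script bodies may arrive in several chunks
            self.inline[-1] += data


def audit_scripts(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS, required=REQUIRED_SCRIPTS):
    """Flag unexpected external hosts, missing required scripts and suspicious inline code."""
    collector = _ScriptCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for src in collector.external:
        host = urlparse(src).hostname or ""
        if host not in allowed_hosts:
            findings.append(("unexpected-host", src))
    for src in required:
        if src not in collector.external:
            findings.append(("missing-required", src))
    for body in collector.inline:
        hits = [ind for ind in INLINE_INDICATORS if ind in body]
        if hits:
            findings.append(("suspicious-inline", ",".join(hits)))
    return findings


def demo():
    """Baseline a constructed web root, simulate a server-side compromise, re-scan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "js").mkdir()
        (root / "js" / "csp-monitor.js").write_text("/* constructed stand-in for a protection script */\n")
        page = root / "checkout.html"
        page.write_text("<html><body><form id='pay'></form>"
                        "<script src='/js/csp-monitor.js'></script></body></html>\n")
        baseline = build_manifest(root)

        # Simulated compromise (constructed, inert): the protection script tag is
        # removed and an obfuscated inline script is added to the checkout page.
        page.write_text("<html><body><form id='pay'></form>"
                        "<script>eval(atob('Ly8gc2tpbW1lcg=='))</script></body></html>\n")

        changes = diff_manifests(baseline, build_manifest(root))
        findings = audit_scripts(page.read_text())
        return changes, findings


if __name__ == "__main__":
    changes, findings = demo()
    print("changed files:", changes)
    print("script findings:", findings)
```

In production the baseline manifest is stored off the web server (an attacker who controls the host can rewrite a local baseline just as easily as the site), the scan runs on a schedule against both the file system and the rendered pages, and any "modified" or "missing-required" result is treated as an incident to investigate, not merely logged.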


If you're still considering a client-side solution to "tick your PCI 6.4.3 box", perhaps ask potential vendors this critical question: "What does your solution do to prevent my store from being hacked in the first place?"


Focus your security on applying a multi-layered defence to your business - where you are able to monitor for threats and protect your online business using comprehensive security.

