
Several online stores in Hong Kong vulnerable to credit card fraud

Release Date: 18 Oct 2016

HKCERT is aware that a security researcher has recently disclosed a study, "5900 online stores found skimming" (read it here). The study describes the technique used by cybercriminals to intercept payment data on vulnerable websites. The study also disclosed a list of about 5,900 online stores vulnerable to ‘online skimming’ (read it here). Some shops with .hk domains or hosted in Hong Kong are on the list.


According to the researcher's article, cybercriminals can breach an unpatched or outdated eCommerce application on a website and plant a ‘wiretap’ in the application to intercept payment data as customers enter it.


Here are the potential impacts from the above disclosure:

  • Cybercriminals can make use of the list to breach vulnerable websites and perform actual credit card fraud.
  • Shop owners and customers in Hong Kong may suffer financial loss. For shop owners, it can also damage their business reputation and may even lead to investigation by the authorities and lawsuits.
  • Online shopping is a global business activity, so customers in Hong Kong may also suffer financial loss regardless of where the online shop is located.

Here is some advice from HKCERT on the above issue:


As shop owner:

  • HKCERT will try to contact the affected shops with .hk domains or hosted in Hong Kong. If you receive such a notification, please do not ignore it. Contact us for any inquiries.
  • Please refer to the Magento eCommerce Web Application Security Guide for cleanup and protection.
  • Even if your shop is not on the list, you are advised to perform regular ‘health checks’ on your website. You can refer to our list of tools and references for ‘health checks’ (read it here).
  • If your website involves vendor customization, check with your vendor about the above ‘online skimming’ issue.
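Because the ‘wiretap’ described above is typically a script added to, or modified on, the checkout page, one practical ‘health check’ a shop owner can automate is comparing the scripts served on that page against a known-good baseline. The following is an added example written for this advisory, not a tool from HKCERT or from the study; it assumes the shop owner keeps a known-good copy of the checkout page HTML (taken from a clean deployment) and the sample pages below are constructed for illustration.

```python
import hashlib
from html.parser import HTMLParser


class ScriptCollector(HTMLParser):
    """Collects every <script> on a page: external ones by src URL,
    inline ones as a SHA-256 of their body."""

    def __init__(self):
        super().__init__()
        self.external = []       # src URLs, in page order
        self.inline_hashes = []  # sha256 hex of inline script bodies
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            self._in_inline = False
            body = "".join(self._buf).strip().encode("utf-8")
            self.inline_hashes.append(hashlib.sha256(body).hexdigest())


def collect_scripts(html):
    """Return the external script URLs and inline script hashes of a page."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return {"external": parser.external, "inline": parser.inline_hashes}


def build_baseline(known_good_html):
    """Build the allowlist from a copy of the page known to be clean."""
    scripts = collect_scripts(known_good_html)
    return {"external": set(scripts["external"]), "inline": set(scripts["inline"])}


def check_page(html, baseline):
    """Report any script source or inline body that is not in the baseline.
    Anything listed here was added or modified since the clean copy was taken
    and should be investigated (a legitimate deploy, or a skimmer)."""
    scripts = collect_scripts(html)
    return {
        "unexpected_external": [u for u in scripts["external"] if u not in baseline["external"]],
        "unexpected_inline": [h for h in scripts["inline"] if h not in baseline["inline"]],
    }


# Constructed sample pages (not real store pages). The "tampered" copy carries
# one extra external script from a host the shop never used and one extra
# inline script; both are placeholders, not skimmer code.
CLEAN_CHECKOUT = """<html><head>
<script src="/static/frontend/checkout.js"></script>
<script>window.checkoutConfig = {"currency": "HKD"};</script>
</head><body><form id="payment"></form></body></html>"""

TAMPERED_CHECKOUT = """<html><head>
<script src="/static/frontend/checkout.js"></script>
<script>window.checkoutConfig = {"currency": "HKD"};</script>
<script src="https://cdn.example.invalid/analytics.js"></script>
<script>document.getElementById("payment").dataset.tracked = "1";</script>
</head><body><form id="payment"></form></body></html>"""


if __name__ == "__main__":
    baseline = build_baseline(CLEAN_CHECKOUT)
    print("clean page:", check_page(CLEAN_CHECKOUT, baseline))
    print("tampered page:", check_page(TAMPERED_CHECKOUT, baseline))
```

In practice the shop owner would fetch the live checkout page on a schedule (from outside the hosting environment, as a customer would see it) and alert on any non-empty result. The check must be re-baselined after every legitimate deployment, and it only covers scripts delivered in the page HTML, so it complements rather than replaces the file-integrity and malware scans referred to in the health-check list.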

As customer (individual or organization):

  • Though the above issue does not involve any breach on the client side, you should still perform basic security measures (e.g. install security software, apply security updates for the OS and software, etc.).
  • Make sure the online shopping website provides a secure HTTP connection, i.e. HTTPS, and check the identity of the shop against the website domain carefully.
  • Check your credit card transaction history or statements regularly to detect any abnormal credit card usage.