Kaspersky’s researchers published a new blog on June 24, explaining how hackers are using Google Analytics to steal credit card information. As you probably know, Google Analytics is one of the most popular tracking tools for marketers. The purpose of this article is to discuss their discovery in more detail. We also hope to raise awareness of website security and of ways to strengthen our solutions further.
How do hackers get to steal credit card information?
According to Kaspersky’s blog, crooks inject malicious code into pages with vulnerabilities. One route is to steal the administrator’s password using a brute-force attack. They can also use plugins or third-party resources to gain access to the source code. If your website has forms that do not escape or filter certain kinds of input, those forms can serve as another gateway into your system. Once they can inject malicious code, they find a way to record all user activity on the site, including credit card information and personal data. In this case they manage to steal credit card information by exploiting the trust placed in Google Analytics.
How does Google Analytics come into play?
Many anti-virus companies like Kaspersky or Norton develop solutions based on the Content Security Policy (CSP), which lists all the services authorized to collect certain personal data in a user’s browser. So, if a user happens to have such an anti-virus and the malicious code tries to send data to a service that is not on the list, it will be blocked automatically. In other words, any script that sends data to a service on the trusted list passes the check and can collect data unhindered.
Google Analytics is one of the most popular tools for marketers, and many website owners trust it blindly when they place it on their site. Naturally, Google Analytics is on the list of trusted services. This is why hackers take the opportunity to use it to collect information about users.
What measures do you need to put in place to avoid falling into the trap?
The purpose of this article is not to convince you to stop using Google Analytics. Until proven otherwise, the values and data derived from Google Analytics support many companies. However, you should never trust a tool 100% to keep your customers’ credit card information secure. Here are some steps you can take to avoid putting your customer data at risk.
Force users to use only strong passwords.
If you have a website that requires users to create an account, forcing them to choose hard-to-guess passwords can help in some cases. For example, you can require a combination of letters, digits and special characters, and a minimum length.
Implement two-factor authentication
Many businesses use two-factor authentication or phone number validation to combat password guessing. The idea is to ask the user for an additional proof of identity when logging into their account. For example, after entering the password, the user receives an SMS with an additional code to enter, which also validates the phone number.
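The two measures above (a password policy and a second factor) can be implemented without any third-party service. The following is an added example, not code from the original article: a password-policy check and a time-based one-time password (TOTP, RFC 6238) generator and verifier, the same scheme used by authenticator apps. The article mentions SMS codes; TOTP is a generalization that avoids the phone network entirely. The minimum length, the small banned-password list and the drift window are assumptions chosen for illustration.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

# Constructed banned-password list; a real deployment would use a large breach corpus.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}


def password_is_strong(password: str, min_length: int = 12) -> bool:
    """Policy (assumed): minimum length, one lowercase, one uppercase, one digit,
    one special character, and not on the common-password list."""
    if len(password) < min_length or password.lower() in COMMON_PASSWORDS:
        return False
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_special = any(not c.isalnum() for c in password)
    return has_lower and has_upper and has_digit and has_special


def generate_totp_secret() -> str:
    """Random 160-bit secret, base32-encoded the way authenticator apps expect it."""
    return base64.b32encode(secrets.token_bytes(20)).decode("ascii")


def totp_code(secret_b32: str, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, dynamic truncation, mod 10^digits."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = int(timestamp) // step
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def verify_totp(secret_b32: str, code: str, timestamp: Optional[int] = None,
                step: int = 30, window: int = 1) -> bool:
    """Accept the code for the current step plus or minus `window` steps (clock drift),
    comparing in constant time. A server should also reject a code that was already used."""
    if timestamp is None:
        timestamp = int(time.time())
    for drift in range(-window, window + 1):
        candidate = totp_code(secret_b32, timestamp + drift * step, step=step)
        if hmac.compare_digest(candidate, code):
            return True
    return False


if __name__ == "__main__":
    secret = generate_totp_secret()
    now = int(time.time())
    code = totp_code(secret, now)
    print("strong password:", password_is_strong("Correct-Horse9battery"))
    print("current code verifies:", verify_totp(secret, code, timestamp=now))
```

Enrolment works by showing the base32 secret (usually as a QR code) to the user once; afterwards the server only stores the secret and checks codes with verify_totp. The window of one step tolerates a phone whose clock is slightly off without accepting codes that are minutes old.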
Avoid overloading your website with plugins.
Tools like WordPress, Drupal or Joomla are great for building a website quickly. One of their downsides is that people rely too heavily on plugins or third-party resources to run their business. As a result, they have less control over their data. Limiting the number of third-party resources, and doing proper research on the plugins you do use, can help.
Update your website regularly.
Whatever solution your website runs on, taking the time to apply its updates helps. Web development communities work daily to improve these solutions, and new versions often ship with fixes for known vulnerabilities. Failing to update your websites can therefore lead to significant losses in the short or long term.
Protect your forms from hackers
Website forms are another well-known entry point for hackers. Be careful with all the data you receive through your site’s forms. Here are some of the approaches we typically use to protect customer sites and credit card information:
- Use a CAPTCHA to avoid spam. There are many types of CAPTCHA you can use; one of the most popular is Google reCAPTCHA.
- Avoid certain special characters. On the backend of your website, a script can check for and remove certain types of characters.
- Filter all the data submitted through your website. Information submitted by a user can never be trusted, so it is important to check all data automatically before processing it.
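As an added example (not code from the original article), here is a backend form validator that applies the three points above in the order a handler would: reject fields the form never defined, strip control characters, enforce length and format per field, and HTML-escape what is kept so it can be stored and displayed safely. The field schema and the sample submissions are constructed for illustration; a real checkout form would have its own schema, and data going into a database should additionally go through parameterized queries rather than relying on escaping.

```python
import html
import re

# Constructed schema for a checkout contact form: field -> (required, max length, pattern)
FORM_SCHEMA = {
    "name": (True, 80, re.compile(r"^[A-Za-z][A-Za-z .'-]*$")),
    "email": (True, 254, re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")),
    "phone": (False, 20, re.compile(r"^\+?[0-9 ()-]{6,}$")),
    "message": (False, 2000, None),  # free text: length limit and escaping only
}

# ASCII control characters (except tab, newline, carriage return) have no business in form input.
CONTROL_CHARS = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")


def validate_form(submitted: dict) -> tuple:
    """Validate one submission against FORM_SCHEMA.

    Returns (clean_fields, errors). Unknown fields are reported, control characters
    stripped, lengths and patterns enforced, and surviving values HTML-escaped.
    An empty error list means the submission may be processed."""
    errors = []
    clean = {}
    for field in submitted:
        if field not in FORM_SCHEMA:
            errors.append(f"unexpected field: {field}")
    for field, (required, max_len, pattern) in FORM_SCHEMA.items():
        raw = submitted.get(field)
        if raw is None or raw == "":
            if required:
                errors.append(f"missing required field: {field}")
            continue
        if not isinstance(raw, str):
            errors.append(f"{field}: must be a string")
            continue
        value = CONTROL_CHARS.sub("", raw).strip()
        if len(value) > max_len:
            errors.append(f"{field}: longer than {max_len} characters")
            continue
        if pattern is not None and not pattern.match(value):
            errors.append(f"{field}: invalid format")
            continue
        clean[field] = html.escape(value, quote=True)
    return clean, errors


if __name__ == "__main__":
    # Constructed sample submissions.
    good = {"name": "Ada Lovelace", "email": "ada@example.com", "message": "Hi <b>there</b>"}
    bad = {"name": "Ada\x00", "email": "not-an-email", "extra": "x"}
    print(validate_form(good))
    print(validate_form(bad))
```

The allow-list approach (only fields in the schema survive) is what makes this robust: a form that silently accepts any extra field is the kind of gateway the article warns about.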
Scan your website regularly.
When you manage your website daily, you cannot trust all the activity on your server. If you scan your site regularly, you will be able to detect malicious code on your site. There are many tools you can use for this purpose. Some of them are:
- Virus Scanner (Linux server): a virus-scanning tool available from the control panel of many Linux hosting servers, which can scan your websites.
- Protection of hyperlinks: checking the links on your pages.
Other measures you can take to protect your site.
There are many measures you can take to protect your site and customer credit card information. Below are some other measures:
- Block abusive IP addresses.
- Protect against DDoS attacks.
- Use robots.txt to keep unwanted robots away.
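The first two measures are usually enforced at the web server, load balancer or CDN, but the logic is simple enough to show in an application-level middleware. The following is an added example, not code from the original article: a CIDR-based IP denylist combined with a per-client token-bucket rate limiter, which is the application-side building block for absorbing request floods. The denylist ranges, the rate and burst values, and the request trace are constructed for illustration. It also complements the third measure, since robots.txt is honoured only by well-behaved crawlers and does nothing against a bot that chooses to ignore it.

```python
import ipaddress

# Constructed denylist: addresses or ranges you have decided to block (documentation ranges here).
DENYLIST = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.7/32"),
]


def is_denied(ip: str) -> bool:
    """True if the client address falls inside any denylisted network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in DENYLIST)


class RateLimiter:
    """Token bucket per client IP: `rate` tokens per second refill, `burst` bucket size,
    one token spent per request. Timestamps are passed in so behaviour is deterministic."""

    def __init__(self, rate: float, burst: int):
        self.rate = rate
        self.burst = burst
        self._buckets = {}  # ip -> (tokens, last_refill_timestamp)

    def allow(self, ip: str, now: float) -> bool:
        tokens, last = self._buckets.get(ip, (float(self.burst), now))
        tokens = min(float(self.burst), tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self._buckets[ip] = (tokens - 1.0, now)
            return True
        self._buckets[ip] = (tokens, now)
        return False


def decide(limiter: RateLimiter, ip: str, now: float) -> str:
    """Middleware decision for one request: denylist first, then the rate limit."""
    if is_denied(ip):
        return "blocked"
    if not limiter.allow(ip, now):
        return "rate-limited"
    return "allowed"


def simulate(requests: list) -> list:
    """Replay a constructed trace of (ip, timestamp) pairs through a fresh limiter
    allowing 1 request/second with a burst of 3."""
    limiter = RateLimiter(rate=1.0, burst=3)
    return [decide(limiter, ip, t) for ip, t in requests]


if __name__ == "__main__":
    trace = [("192.0.2.1", 0.0)] * 4 + [("192.0.2.1", 1.0), ("203.0.113.5", 0.0)]
    for (ip, t), verdict in zip(trace, simulate(trace)):
        print(f"{t:4.1f}s {ip:15} {verdict}")
```

In production the bucket table must be bounded (evict idle clients) and keyed on the real client address, which behind a reverse proxy means reading the address the proxy reports rather than the TCP peer. Volumetric attacks that saturate your link need upstream filtering; this kind of limiter protects the application from being the bottleneck.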
Conclusion and final remarks
As this article shows, no one can claim to have a completely secure website. As long as we rely on third-party resources, or do not monitor a site around the clock, we will still face vulnerabilities. However, every website owner can make sure to apply best practices that avoid the most obvious weaknesses.
How likely are you to trust certain giants with your data? Will you trust them 100% assuming they are always reliable?
Thanks for reading our article. If you need help improving your website’s security, you can contact us.