Kaspersky researchers published a blog post on June 24 explaining how some attackers abuse Google Analytics to steal credit card information. As you probably know, Google Analytics is one of the most popular tracking tools in marketing. This article summarizes their discovery and then reviews practical ways to strengthen the security of a website.
How do hackers steal credit card information?
According to the Kaspersky post, the attackers inject malicious code into pages that have vulnerabilities. They obtain that access by brute-forcing an administrator password, by abusing a third-party plugin or resource that can modify the site's source code, or by exploiting forms that do not escape or filter the data they receive. Once the malicious code is in place, it records user activity on the site, including credit card numbers and other personal data. The stolen data is then sent out by trading on the trust placed in Google Analytics.
How does Google Analytics come into play?
Many antivirus companies such as Kaspersky or Norton build protection around the Content Security Policy (CSP), which lists the services authorized to collect certain personal data from a user's browser. If a user has such protection and the malicious code tries to send data to a destination that is not on the list, the request is blocked automatically; a trusted script or service, on the other hand, passes the check and collects data freely. Google Analytics is one of the most popular tools for marketers, and many website owners blindly trust it on their site, so it is naturally on the list of trusted services. Attackers take advantage of exactly that: data sent to Google Analytics looks legitimate to the policy, and the stolen information slips through with it.
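To make the point concrete, here is an added example (written for this article, not code from Kaspersky or Google) that evaluates a Content Security Policy the way a browser does: it parses the header, picks the directive that governs a request (falling back to `default-src`), and checks whether the destination is on the allow list. The policy, the page URL and the tracking ids are constructed for the demonstration. Once `https://www.google-analytics.com` is allowed for `connect-src`, any request to that host passes, whether it carries the shop's own tracking id or somebody else's; the policy has no way to tell them apart.

```python
from urllib.parse import urlsplit

# Ports implied by the scheme when a source expression names a port but the URL does not.
DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_csp(header: str) -> dict:
    """Split a Content-Security-Policy header into {directive: [source, ...]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def _host_matches(pattern: str, host: str) -> bool:
    # "*.example.com" matches any subdomain but not example.com itself
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return pattern == host


def _source_matches(source: str, url, page) -> bool:
    """Does one source expression admit this request URL?"""
    if source == "'self'":
        return (url.scheme, url.hostname, url.port) == (page.scheme, page.hostname, page.port)
    if source.startswith("'"):
        return False  # 'none', 'unsafe-inline', nonces and hashes never match a URL
    if source == "*":
        return True
    if source.endswith(":"):  # scheme-only source such as "https:"
        return url.scheme == source[:-1].lower()
    src = urlsplit(source if "://" in source else "//" + source)
    if src.scheme and src.scheme.lower() != url.scheme:
        return False
    if not _host_matches(src.hostname.lower(), url.hostname.lower()):
        return False
    if src.port is not None:
        return src.port == (url.port or DEFAULT_PORTS.get(url.scheme))
    return True


def request_allowed(header: str, directive: str, request_url: str, page_url: str) -> bool:
    """Decide whether the policy lets a page at page_url make request_url under
    `directive` (e.g. "connect-src"), falling back to default-src like a browser."""
    policy = parse_csp(header)
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True  # no applicable directive: the policy does not restrict this request
    url, page = urlsplit(request_url), urlsplit(page_url)
    return any(_source_matches(s, url, page) for s in sources)


# Constructed policy typical of a shop that embeds Google Analytics (assumption, not a real site).
SHOP_CSP = ("default-src 'self'; "
            "script-src 'self' https://www.google-analytics.com; "
            "connect-src 'self' https://www.google-analytics.com; "
            "img-src 'self' https://www.google-analytics.com")
SHOP_PAGE = "https://shop.example/checkout"


def collect_url(tracking_id: str) -> str:
    """A Measurement Protocol style hit; the tracking id decides which account receives it."""
    return f"https://www.google-analytics.com/collect?v=1&tid={tracking_id}&t=event"


if __name__ == "__main__":
    # Two constructed tracking ids: the shop's own and a foreign one. Both pass.
    for tid in ("UA-0000001-1", "UA-9999999-9"):
        verdict = request_allowed(SHOP_CSP, "connect-src", collect_url(tid), SHOP_PAGE)
        print(tid, "allowed" if verdict else "blocked")
    print("attacker.example",
          request_allowed(SHOP_CSP, "connect-src", "https://attacker.example/c", SHOP_PAGE))
```

The lesson for a defender is that host-based allow-listing is necessary but not sufficient: it stops exfiltration to unknown hosts, but a shared service that anyone can open an account with needs additional controls such as integrity monitoring of the scripts that run on the checkout page.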
What measures should you put in place to avoid falling into the trap?
The purpose of this article is not to convince you to stop using Google Analytics. For many companies, the figures and data that Google Analytics provides are central to the business. However, you should never trust one tool 100% to manage the security of your customers' credit card information. Here are some steps you can take to avoid putting your customer data at risk.
Require users to use only secure passwords.
If your website requires users to create an account, forcing them to choose hard-to-guess passwords can help in some cases. You can, for example, require a combination of special characters, letters and digits.
Implement two-factor authentication
Many companies use two-factor authentication, such as phone number validation, to defeat password guessing. The idea is to require a second proof of identity in addition to the password. With phone number validation, for example, after entering the password the user receives an SMS containing an additional code to enter.
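The app-based variant of that second factor is a time-based one-time password (RFC 6238 TOTP, built on RFC 4226 HOTP). The following is an added example, not code from the original article, showing the server side: generating the code for a given time step, verifying it in constant time with a small tolerance for clock drift, and refusing to accept the same code twice so an intercepted code cannot be replayed. The secret is the RFC 4226 test key, used only so the values are checkable.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# RFC 4226 reference secret, used here only for reproducible values.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HMAC-based one-time password for a counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble picks the 4-byte window
    binary = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
              | mac[offset + 2] << 8 | mac[offset + 3])
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based one-time password for a Unix timestamp."""
    return hotp(secret, timestamp // step, digits)


def verify_totp(secret: bytes, code: str, timestamp: int, window: int = 1,
                step: int = 30, digits: int = 6) -> bool:
    """Accept the code for the current step or `window` steps either side,
    comparing in constant time so timing does not leak how many digits matched."""
    counter = timestamp // step
    return any(hmac.compare_digest(hotp(secret, c, digits), code)
               for c in range(counter - window, counter + window + 1))


class TotpVerifier:
    """Per-user verifier that remembers the last accepted step, so a code that
    was already used is rejected even though it is still inside the window."""

    def __init__(self, secret: bytes, window: int = 1, step: int = 30):
        self.secret, self.window, self.step = secret, window, step
        self.last_counter = -1

    def verify(self, code: str, timestamp: Optional[int] = None) -> bool:
        ts = int(time.time()) if timestamp is None else timestamp
        counter = ts // self.step
        for c in range(counter - self.window, counter + self.window + 1):
            if c > self.last_counter and hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c  # burn this step: the same code will not work again
                return True
        return False


if __name__ == "__main__":
    print("code at T=59:", totp(RFC_TEST_SECRET, 59))
    v = TotpVerifier(RFC_TEST_SECRET)
    print("first use:", v.verify("287082", 59), "replay:", v.verify("287082", 59))
```

In a real deployment the secret is generated per user (at least 160 bits from a secure random source), stored encrypted, and the `last_counter` value lives in the user record so the replay check survives restarts.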
Avoid overloading your website with plugins.
Content management systems such as WordPress, Drupal or Joomla are great tools for building a website quickly. One of their drawbacks is that people rely too heavily on third-party plugins or resources to run their business, and therefore have less control over their data. Limiting the number of third-party resources, and doing proper research on the plugins you do use, can help.
Update your website regularly.
If you use a particular solution for your website, taking the time to apply its updates can help. Website development communities work daily to improve their software, and a new version often ships with patches for known vulnerabilities. Failing to update your websites therefore exposes you to significant losses in the short or long term.
Protect your forms from hackers
Website forms are another common entry point for attackers. You must therefore be careful with all the data you receive from the forms on your site. Here are some of the approaches we typically use to protect sites and customer credit card information:
- Use a CAPTCHA to prevent spam. There are many kinds of CAPTCHA, and one of the most popular is Google reCAPTCHA.
- Reject certain special characters. On the backend of your website, a script can check the submitted data and remove or reject unexpected character types.
- Validate all data submitted through your website. Never trust information submitted by a user; check every field automatically before processing it, so that malformed input cannot cause problems.
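Here is an added example of those three habits applied to a contact form, written for this article rather than taken from any project: allow-list validation of each field (the shape of the data is checked, instead of trying to strip "bad" characters), a parameterized database insert so the input is always treated as data and never as SQL, and escaping at output time so stored text is displayed rather than interpreted as markup. The field names, regular expressions and sample submissions are constructed for the demonstration.

```python
import html
import re
import sqlite3

# Allow-lists describing what each field may look like (constructed for this example).
NAME_RE = re.compile(r"[A-Za-z' -]{1,80}")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def validate_contact_form(form: dict) -> dict:
    """Allow-list validation: every field must match the shape we expect.
    Returns {"ok": bool, "errors": {field: reason}, "values": {field: cleaned}}."""
    name = form.get("name", "").strip()
    email = form.get("email", "").strip()
    message = form.get("message", "").strip()
    errors = {}
    if not NAME_RE.fullmatch(name):
        errors["name"] = "letters, spaces, apostrophes and hyphens only (max 80)"
    if not EMAIL_RE.fullmatch(email):
        errors["email"] = "not a valid e-mail address"
    if not 1 <= len(message) <= 2000:
        errors["message"] = "between 1 and 2000 characters"
    return {"ok": not errors, "errors": errors,
            "values": {"name": name, "email": email, "message": message}}


def setup_db() -> sqlite3.Connection:
    """In-memory table standing in for the site's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE messages(id INTEGER PRIMARY KEY, name TEXT, email TEXT, body TEXT)")
    return conn


def store_message(conn: sqlite3.Connection, values: dict) -> int:
    """Parameterized insert: the driver passes the values as data, so quotes or
    SQL keywords inside a field can never change the statement."""
    cur = conn.execute("INSERT INTO messages(name, email, body) VALUES (?, ?, ?)",
                       (values["name"], values["email"], values["message"]))
    conn.commit()
    return cur.lastrowid


def render_message(values: dict) -> str:
    """Escape on output: markup inside a message is shown as text, not executed."""
    return f"<p><b>{html.escape(values['name'])}</b>: {html.escape(values['message'])}</p>"


def handle_submission(conn: sqlite3.Connection, form: dict) -> dict:
    """The full path a submission takes: validate, store, render."""
    result = validate_contact_form(form)
    if not result["ok"]:
        return {"stored": False, "errors": result["errors"]}
    row_id = store_message(conn, result["values"])
    return {"stored": True, "id": row_id, "html": render_message(result["values"])}


if __name__ == "__main__":
    conn = setup_db()
    # Constructed submissions: a legitimate one and one carrying markup and a quote.
    print(handle_submission(conn, {"name": "O'Brien", "email": "a@b.co", "message": "Hello"}))
    print(handle_submission(conn, {"name": "O'Brien", "email": "a@b.co",
                                   "message": "it's <script>alert(1)</script>"}))
    print(handle_submission(conn, {"name": "<b>x</b>", "email": "nope", "message": ""}))
```

Note that the second submission is accepted: a message may legitimately contain angle brackets or quotes, and the protection comes from how the value is stored and displayed, not from refusing it. Fields that have a strict format, such as the name, are rejected outright when they do not match.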
Scan your website regularly.
When you operate a website day to day, you cannot vouch for every activity on your server. Scanning your site regularly lets you detect malicious code that has been planted on it. There are many tools you can use for this purpose. Some of them are:
- Virus Scanner (on Linux servers), a tool available from the hosting control panel to scan your website files.
- SiteLock.
- Hotlink protection.
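Whatever scanner you use, the check that catches an injected skimmer most reliably is file integrity monitoring: record a hash of every file in the web root while the site is known-good, then compare on every scan. The following is an added example written for this article (not part of any of the tools listed above): it hashes a directory tree, diffs it against a saved baseline, and reports added, removed and modified files. The web root, its files and the simulated tampering are all constructed inside a temporary directory.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def hash_tree(root: Path) -> dict:
    """Map each file (path relative to root, POSIX form) to its SHA-256 digest."""
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digests[path.relative_to(root).as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def save_baseline(root: Path, baseline_file: Path) -> None:
    """Take the known-good snapshot; keep this file outside the web root."""
    baseline_file.write_text(json.dumps(hash_tree(root), indent=2, sort_keys=True))


def load_baseline(baseline_file: Path) -> dict:
    return json.loads(baseline_file.read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Classify every difference between the snapshot and the live tree."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p]),
    }


def scan(root: Path, baseline: dict) -> dict:
    return compare(baseline, hash_tree(root))


def demo() -> dict:
    """Constructed web root: snapshot it, then simulate a modified checkout script
    and a dropped file, and return what the scan reports."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "htdocs"
        (root / "js").mkdir(parents=True)
        (root / "index.html").write_text("<html><body>shop</body></html>")
        (root / "js" / "checkout.js").write_text("function pay() { /* original */ }")
        baseline_file = Path(tmp) / "baseline.json"  # stored beside, not inside, the web root
        save_baseline(root, baseline_file)

        # Simulated tampering (constructed, not a real sample).
        (root / "js" / "checkout.js").write_text("function pay() { /* original */ } // appended")
        (root / "js" / "extra.js").write_text("// file that was not in the baseline")
        return scan(root, load_baseline(baseline_file))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the snapshot right after a clean deployment and refresh it only as part of your release process; any change the scan reports between releases is something to investigate, and a modified JavaScript file on a checkout page is the classic sign of the skimming described above.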
Other measures you can put in place to protect your site
There are many other measures you can put in place to protect your site and your customers' credit card information. Here are a few:
- Block abusive IP addresses.
- Put DDoS protection in place.
- Use robots.txt to keep well-behaved crawlers away from sensitive paths (malicious bots ignore it, so pair it with server-side blocking).
Conclusion and final remarks
As this article shows, no website can claim to be completely secure. As long as we rely on third-party resources and cannot watch a site around the clock, we will always face vulnerabilities. However, as website owners, each of us can apply best practices to remove the most obvious weaknesses. How far are you willing to trust certain giants with your data? Will you trust them 100%, assuming they are always reliable? Thank you for reading our article; if you need help improving the security of your website, you can contact us.