2019 shone a spotlight on how web technology is truly shaping business, for better and for worse. At one end, it was a year of Magecart-style attacks and the ensuing record-breaking fines; at the other, it was a year of growth for Neobanks, which have leveraged modern web technology to redefine the paradigm of banking. Web security was the common bond. What should we be looking out for over the coming year (and beyond) with respect to web security in general, and specifically in areas such as banking and ecommerce?
Banking: Neobanks have already initiated the battle to wrest a good chunk of market share away from the ‘traditional banks’ (especially within the millennial segment). The incumbents, naturally, are trying to catch up on this front, betting on their own digital retail banking brands. In the UK, some of the biggest banks are launching a wave of new standalone online banks. This is largely viewed as an experiment with new technology and brands as they try to keep the digital challengers at bay. In one such example, Royal Bank of Scotland’s Mettle, which launched back in November, will be focusing on small businesses. RBS aims to offer a mobile phone-based means of managing invoices and expenses, targeting Mettle at micro-enterprises and sole traders.
Battling for supremacy
November also witnessed NatWest (a subsidiary of RBS) launching a digital bank to compete in this thriving Fintech space. Cloud-based bank Bo, which is live on both Apple’s App Store and Google Play, is expected to compete directly with the likes of Revolut and Monzo, both well-known challenger banks in this space.
Magecart: Magecart grew to prominence in the last half of the decade, for sure. And whilst the 2010s were just their "beta" stage, we can be sure that the 2020s will get much rougher - many more attacks and huge fines imposed until proper attention is given to the weaknesses of the web supply chain and the lack of client-side visibility.
The Magecart approach to credit card skimming is most often to insert the skimmer’s code into one of the target’s third-party providers - what has become known as a web supply chain attack. Starting in 2018, and continuing through 2019, there has been a clear pattern in supply chain attacks targeting the enterprise: a web-based vector of attack. The attacks on British Airways, and also on Equifax, Ticketmaster and Forbes, were all achieved via malicious code that was injected into company websites via third parties and then run in their users’ browsers. In this way, a company’s website or web app has become the perfect stage from which to steal users’ data.
Content Security Policy won't be enough
Many believed (and still believe) that Content Security Policy (CSP) is the way to go - yet its many shortcomings mean that it won’t be enough to deter motivated attackers. CSP is fundamentally an allowlist of origins: it can block a script or a connection to a domain the page never approved, but it cannot tell that a script served from an approved third-party origin has been tampered with, which is exactly the supply chain scenario above. In the light of bigger fines and bigger payouts to customers - in the UK there are already PPI-style outfits offering compensation to customers who have been financially affected - companies can’t afford to wait for a cure that may never arrive. Instead, by detecting a Magecart outbreak in real time with a web page monitoring solution, the enterprise can mitigate Magecart before it does any real damage. We expect to see this approach gaining traction, especially once the C-suite takes notice, driving the need for such solutions to take centre stage.
Rui Ribeiro - CEO and Co-Founder, Jscrambler