The Problem with OpenSource – A Magento Case Study

On the heels of a rash of breaches, a new trend has been emerging at retail stores throughout the nation. London-based security company Forgenix has recently been working with various organizations and officials to investigate a new series of data breaches.

Forgenix identified a common link across many of the investigations it conducted: e-commerce sites utilizing an OpenSource shopping cart solution called Magento. Magento provides a basic platform that can create forms which collect card data and pass it to a payment gateway, allowing nonprofits and other organizations to accept payments.

In addition to the bare-bones functionality of basic payment processing, the Magento shopping cart also publishes its software's code online, making it a truly OpenSource solution. OpenSource solutions, where the code is publicly available for anyone to see, are often seen as an advantage that allows greater transparency and security because experts can inspect the code. In an OpenSource environment where members of the community can contribute modules and plugins for use, it is also relatively easy for criminals to submit malicious plugins and modules which appear legitimate but will actually steal information.

This is where the problem with OpenSource solutions comes to light: because all of the code is readily available, criminals are also able to view and inspect this code, which often allows them to identify portions of code that can be exploited. This is not to say that this does not occur with non-OpenSource solutions; it is feasible for criminals to identify exploits in that code through other means. The real danger with OpenSource solutions is the ease with which criminals can exploit the code for malicious intent.

How to Protect Yourself

Get a Check Up

If you are currently using the Magento Shopping Cart, you will want to go to the Forgenix website, where you can enter your website address to check whether your website has been compromised in this manner. If you continue to use Magento, it is highly recommended to regularly confirm that no plugins or modules were installed without your knowledge, and to continue to check the Forgenix website to make sure your site is still secure.
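One way to make the "no modules installed without your knowledge" check routine is to compare the modules a Magento install declares against an allowlist of the ones you knowingly installed. The script below is an added example, not code from the article or from Forgenix; it assumes the Magento 1.x layout where each module is declared by an XML file under app/etc/modules/, and the file names, module names and baseline are constructed for the example.

```python
"""Flag active Magento 1 modules that are not on an owner-approved baseline.

Assumption (not from the article): Magento 1.x declares each module in a file
under app/etc/modules/ shaped like
<config><modules><Vendor_Module><active>true</active></Vendor_Module></modules></config>.
"""
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample of what app/etc/modules/*.xml might contain on a site.
SAMPLE_DECLARATIONS = {
    "Mage_All.xml": "<config><modules><Mage_Core><active>true</active></Mage_Core>"
                    "<Mage_Checkout><active>true</active></Mage_Checkout></modules></config>",
    "Shop_Theme.xml": "<config><modules><Shop_Theme><active>true</active></Shop_Theme></modules></config>",
    # Constructed: a module the owner never installed, plus one declared but inactive.
    "Acme_Checkout.xml": "<config><modules><Acme_Checkout><active>true</active></Acme_Checkout>"
                         "<Acme_Helper><active>false</active></Acme_Helper></modules></config>",
}

# Modules the site owner knowingly installed (constructed); anything else is flagged.
BASELINE = {"Mage_Core", "Mage_Checkout", "Shop_Theme"}


def active_modules(xml_text):
    """Return the names of modules declared active in one declaration file."""
    root = ET.fromstring(xml_text)
    found = set()
    for node in root.findall("./modules/*"):
        active = node.findtext("active", default="false").strip().lower()
        if active == "true":
            found.add(node.tag)
    return found


def unexpected_modules(declarations, baseline):
    """Map each active module missing from the baseline to the file declaring it."""
    unknown = {}
    for fname, text in declarations.items():
        for name in active_modules(text) - baseline:
            unknown[name] = fname
    return unknown


def load_declarations(modules_dir):
    """Read real declaration files from an install, e.g. load_declarations('app/etc/modules')."""
    return {p.name: p.read_text() for p in Path(modules_dir).glob("*.xml")}


if __name__ == "__main__":
    for name, fname in sorted(unexpected_modules(SAMPLE_DECLARATIONS, BASELINE).items()):
        print(f"UNEXPECTED active module {name} declared in {fname}")
```

Run it from a cron job with the real app/etc/modules directory and a baseline you update each time you deliberately install something; any line of output is a module to investigate.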

Use Secure Passwords and Two-Factor Authentication

Make sure that your web host utilizes strong passwords and has turned on two-factor authentication. This helps keep unwanted users out of your website and its settings, preventing unwanted plugins or modules from being installed without your knowledge.

Use Validated Service Providers

The best protection is to ensure that any solution which processes, transmits, or stores card data for your organization has gone through the process of validating its compliance with the Payment Card Industry Data Security Standard. Look for your service providers on the Visa Global Registry of Service Providers; if you can't find them there, ask them directly about their security and whether they meet PCI Standards. Be sure to ask for documentation that supports their statements.

Service Providers are becoming more critical to security, and in recognition of this the Card Brands are updating their guidelines in the PCI Data Security Standards. On January 1st, 2015 the PCI Council will have new requirements in place for working with Service Providers. These updated PCI Compliance requirements require merchants to work with Service Providers who are compliant with PCI. If a merchant is working with a non-compliant Service Provider, this will bring the merchant into non-compliance as well. Selecting the right Service Providers from the start has never been more important.

OpenSource solutions are often an exciting collaborative effort; however, it is important to remember that just because something is OpenSource does not necessarily mean it is secure. If sensitive data is at stake, it very well may be the best option to stay away from an OpenSource solution. After all, you can't put a price tag on protecting your customers' payment data or the integrity of your organization's name.