Massive data breaches are now a common thing. So common that I have largely stopped writing about most of them, simply because it happens too often and has become, unfortunately, the new normal. Still I feel that the data breach of British Airways, where the credit card and payment information of reportedly 380,000 customers was stolen, deserves a special mention.
British Airways has announced the incident on its own website. The news was also covered in the news. A group of attackers was able to basically scrape the credit card and payment details of customers making transactions through the British Airways website or their mobile application between August 21 to September 5. The incident was ultimately discovered (unfortunately with a substantial delay), British Airways reported it to their customers, and the attack was analyzed by RiskIQ.
I would like to point out a few observations:
1. There was no way for end-users to protect themselves
For anyone out there who would buy stuff online, here is the unfortunate reality: There is nothing you could have done as an end-user to guard yourself. With the traditional "skimmers" in ATM machines, you can at least inspect the machine physically, and observe if something additional is attached to the card slot. Here you cannot. Or, well, you could... You can right click on the web page and choose "inspect element" and then try to observe the code or the network queries that the site makes (obviously this would already require substantial expertise and is well beyond the abilities of most "end users"). But because of the way in which modern websites are usually developed, they would normally make 20-30 or more requests to several obscure external sites (one of my clients had 90+ external queries on the front page alone), even if you were a VERY well informed and professional end user, you could not possibly notice anything out of the ordinary.
In the case of British Airways, the skimmer script was sending the stolen information to this kind of URL:
Even if you look at this as a very professional end user, this does not look like it is anything out of the ordinary. You would not easily notice that baways.com is not actually an official domain of British Airways. Unfortunately it is normal for websites and web applications to make queries to messy, complicated URLs that are not even the same address as the original site. If I was to point out such things in a code or architecture review meeting, most developers would just explain that this is "normal" and would tend to try to avoid doing anything about it.
The only way to be safe would have been to not transact online. Unfortunately. And as an IT industry, this is really not the outcome that we want. That means we have failed to do our job.
2. The whole thing happened in code running in the browser
British Airways has said that they do not store the CVV confirmation code of the payment cards on their servers. And that is a very good thing indeed. But the data wasn't even stolen from their servers, it was taken right out of the end-users' browsers. CVV was included. Whatever sophisticated encryption technologies or intrusion detection systems they may have purchased and implemented in their networks was not even a factor. The data was already stolen before it ever reached that point. It was all in the code that executed on the browser of the end user.
Now, to those who develop code that runs in the browser (web developers): Could this happen to your application? Do you actually personally know the code that you ship and deploy to production? Are you sure that it does not contain code that would leak or steal the data of your customers?
We do consultations to web developers all the time. Time and time again we tell our customers that their application has too many third party dependencies. We tell them that the app calls too many external URLs. And it integrates too many third party providers. And regardless of this, in the end the developers often end up adding more. "This is how these things are developed nowadays", a developer once explained the situation to his boss in an audit meeting. Yes they are indeed. And look at where it leads us. In the case of British Airways alone, almost half a million credit cards.... Don't you think it's time to change these ways in which these things are developed?
3. The British Airways mobile application is not a native mobile application
As mentioned, this case was just one of many. More will come. And more will keep coming, until such time that we really start taking care of our code and the quality of our programs. Companies, developers, CIOs, please seek help. We at J&E and Eqela can help. And other experts can help. But please, let us start taking this seriously. It is no longer enough to buy firewalls, antiviruses and other security add-ons. We will need to fix, monitor and maintain the actual code behind all this, there is really no other way. Otherwise this will only keep getting worse.