A Looming Deadline for eCommerce

In This Issue:

  • Magento is reaching end-of-life next summer
  • Gone phishing in accounting
  • What not to do, part 8,991,062

Magento Is Reaching End-Of-Life Next Summer)

Between 200,000 and 240,000 Magento online stores will reach EOL next year. The most widely-used version of Magento (software used to create e-commerce sites) will be out of support next summer. As such, it will no longer be receiving security fixes. Online stores are already an attractive target to hackers, and the number of payment card skimming operations is on the rise. Once the security fixes stop, any site still running Magento 1.x is going to be as full of viruses as a supervillain's bioweapons lab. 

You might think this is not applicable to you—if so, you might want to double-check that assumption. The article states that "Magento is, by far, today's most popular technology for hosting an online store."



There's a version 2 of Magento. Actually, there has been for some time. People have avoided upgrading, not because there’s anything wrong with the version, but because this kind of migration is disruptive and a right royal pain. 

Time to stop procrastinating. If you're one of the thousands of companies using the old version of Magento, you have between now and next summer to plan and execute your upgrade. Otherwise you face the public relations nightmare of telling customers that their payment cards have been stolen, with a side order of regulatory compliance issues.



Read More >

Gone Phishing in Accounting

It would not be a good week to be this guy: Nikkei worker tricked into transferring $29 million into scammer’s bank account.

Don't be too quick to blame the accounting staff, though. These scammers are really, really good at what they do. And this kind of scam is becoming increasingly popular. Accounting Scams Continue to Bilk Businesses.




Read Florida city sends $742K to fraudsters as it bites the BEC hook. This article has a list of steps to take to prevent this type of fraud. The short version: business processes are a critical part of defending against this sort of attack. Before making changes to an account, check and double-check that the changes are authorized. Preferably in person. 



Read More >

What Not To Do, Part 8,991,062

Baffled by bogus charges on your Amazon account? It may be the work of a crook's phantom gadget. What not to do: fail to detect or respond to a breach in progress, despite multiple customers reporting the fraud directly to you. 

Men paid $100K by Uber to hush up hack plead guilty to extortion scheme. What not to do: 1) Pay a hacker to keep quiet about the breach. 2) Just don't tell customers that a bunch of their information was stolen.


1) If multiple people report that you have a data breach, investigate. Do not sweep this under the rug. Make sure anyone doing customer support has a clear process to follow if a customer says you are under attack.

2) Don't hush up a breach. In a lot of places it is now illegal to do so. Even if you dodge that bullet, you'll probably face civil suits from customers.


Read More >

Podcast of the Week

You shouldn't pay a ransom; it just encourages more extortion. No, wait, you should pay a ransom, because what if your backups somehow got infected? But it's like negotiating with terrorists. You definitely should never pay a ransom. Except for when you should. 

Response to ransomware is a contentious topic. Here's some more information to add to your decision matrix: Smashing Security #151: Frankly, Sometimes Paying the Ransom Is a Good Idea.

Resource of the Week

Does your organization obsess over metrics? Cybersecurity is a notoriously difficult thing to measure. Sure, your defenses make you safer, but by how much? Could you put a dollar figure on it?

Resources for Measuring Cybersecurity. This is a place to start if you’ve been tasked with gathering data.

One of the few things that is measurable is the cost of a breach. The latest research on that is here: How data breaches affect stock market share prices. Spoiler alert: the guy was dead the entire time. Okay, wrong movie. Spoiler alert: prices go down.

Podcast of the Week

Mozilla says ISPs are lying to Congress about encrypted DNS 

Some background:

Video of the Week

A Warning About Viruses From Weird Al. How often is anti-phishing training funny?

Quick Links

Get Your Copy.