E-Commerce merchants who are still using Magento version 1.x as their online shopping cart will soon run out of time to move to a supported version!
When Magento version 2.0 was released back in November 2015, E-Commerce merchants and developers were informed that Magento version 1 had a limited shelf life and would become obsolete. The initial end of life date given was November 2018; however, pushback from developers and merchants alike resulted in a revised end of life date of June 2020.
As an experienced Information Security Consultant and PCI QSA, one of the first questions I ask is “What was the reasoning behind extending the end of life date of an obsolete and potentially weak E-Commerce shopping cart application?” The answer given at the time of the extension was that merchants and developers needed more time to migrate to the more recent versions of Magento. Fast-forward 18 months and the extension given to migrate E-Commerce websites to the more secure version of Magento is almost upon us.
Visa have now issued an “Urgent Action Required” Acquirer Advisory communication emphasising that the end of life date is now upon us. Their concern is understandable, as there are still many web shops out there which are still using Magento version 1.
My next question is “Why are these merchants and developers still using Magento version 1.x?” One answer is that merchants and developers lack an understanding of how breaches occur. Hackers prefer easy targets because gaining entry takes less work. One way hackers find these “easy targets” is by using Google Dorking searches to identify websites that have weak attributes, and this will include version information from whatever shopping cart or content management system is in use.
Google Dorking is straightforward and involves using the full potential of search engines to create search queries with the aim of finding specific website attribute information. If these queries were aimed at identifying certain versions of Magento in use, then this search would result in a “shopping list” of websites that are still using version 1.x and are potentially vulnerable to attack.
Unfortunately, entities still using Magento version 1.x are now in a precarious position, with a significantly increased risk of a data breach at a time when online shopping is becoming more common. Hopefully, these entities have already made plans to migrate away from their obsolete version of Magento. Alternatively, they could add extra layers of protection such as Web Application Firewalls (WAFs) and File Integrity Monitoring (FIM) to reduce the risk in the short term whilst they migrate.
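To show what the File Integrity Monitoring mentioned above actually does, here is an added example (my own illustration, not code from Magento or from any FIM product) of the core of a FIM check: hash every file under a webroot, store that as a baseline, re-hash later, and report files that were added, removed or modified. The directory layout, file names and the `EXCLUDE_DIRS` list are constructed for the example; a real Magento 1 deployment would tune the exclusions to its own cache, session and media paths.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Directories that change during normal operation and would otherwise drown real
# alerts in noise. Assumption for this example: var/ and media/ are excluded.
EXCLUDE_DIRS = {"var", "media"}


def hash_file(path: Path, chunk_size: int = 65536) -> str:
    """SHA-256 of a file, read in chunks so large files need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Map every file under root (as a relative POSIX path) to its SHA-256 digest."""
    baseline: dict[str, str] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune excluded directories in place so os.walk does not descend into them.
        dirnames[:] = [d for d in dirnames if d not in EXCLUDE_DIRS]
        for name in filenames:
            full = Path(dirpath) / name
            baseline[full.relative_to(root).as_posix()] = hash_file(full)
    return baseline


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify the differences between two snapshots of the same tree."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict[str, list[str]]:
    """Build a throwaway webroot, take a baseline, change it, and report the delta."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed sample layout, loosely resembling a Magento 1 webroot.
        (root / "app" / "code" / "core").mkdir(parents=True)
        (root / "var" / "cache").mkdir(parents=True)
        (root / "index.php").write_text("<?php require 'app/Mage.php';\n")
        (root / "app" / "code" / "core" / "Checkout.php").write_text("<?php // checkout logic\n")
        (root / "var" / "cache" / "session.tmp").write_text("cache data\n")

        before = build_baseline(root)

        # The kinds of change FIM exists to surface: a modified application file,
        # a file that is not part of the deployment, and a deleted file.
        (root / "app" / "code" / "core" / "Checkout.php").write_text("<?php // changed\n")
        (root / "app" / "unexpected.php").write_text("<?php // not part of the deployment\n")
        (root / "index.php").unlink()
        # Churn inside an excluded directory must not raise an alert.
        (root / "var" / "cache" / "session.tmp").write_text("new cache data\n")

        after = build_baseline(root)
        return compare(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In production the baseline would be written to storage the web server cannot modify and the comparison run on a schedule, with any entry in `added` or `modified` under the application code tree treated as an incident to investigate rather than a routine change; the exclusion list is the main tuning knob between missed changes and alert fatigue.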
One thing is for sure, the use of Magento version 1.x past the end of this month will affect merchant PCI DSS compliance. Most E-Commerce merchants using Magento as their shopping cart will be completing a PCI DSS Self-Assessment Questionnaire A (SAQ-A) annually if they have properly descoped.
Where quarterly PCI Approved Scanning Vendor (ASV) scans are required, scans will begin to fail once patches are no longer being issued, and if the situation continues, sooner or later the merchant will be breached.
Merchants still using Magento version 1.x after this month will need to ask themselves some hard questions relating to how they can still provide their customers with security and integrity of their credit & debit card information whilst shopping online.
If you are still on Magento version 1, you’re pretty well out of time and should be looking to other mitigation mechanisms to reduce the risk while you get your E-Commerce website migrated over to version 2.x. One Compliance can help you identify which processes and technology mitigate your risk. It will only ever be a temporary plug though. The correct approach is to migrate, but we knew that in November 2015.