Adobe, Mastercard and Visa alert merchants of the upcoming Magento update


Payment services Visa and Mastercard, as well as Adobe, made late efforts this month to encourage online store owners to update their platforms. On June 30, the Magento 1.x platform will reach its official end-of-life (EOL) date, after which Adobe plans to stop offering security updates.

Stores that have not been updated to the latest 2.x branch and are still running Magento 1.x installations will become very vulnerable to attacks. The danger is considered high because, for three years, hackers have been extensively exploiting Magento bugs to break into stores and insert payment card theft code into payment forms, a form of attack known as “web skimming” or “Magecart”.

Threat of non-compliance with PCI DSS standard

At the beginning of the week, Mastercard issued a security alert to its customers on this subject. In the alert, a copy of which ZDNet was able to access, the company said that its Mastercard Account Data Compromise (ADC) team, responsible for investigating security breaches that impact cardholder data, found that web skimming incidents have multiplied in recent years. Most of these incidents were attributed to websites using older versions of the Magento online store software.

Mastercard said that 77% of the companies investigated in these incidents did not meet requirement 6 of the PCI DSS standard (security standard for the payment card industry), the rule that requires store owners to use up-to-date systems.

The Mastercard alert follows an alert of its own that Visa sent in April. Like Mastercard, Visa warned store owners to update to the latest version, Magento 2.3.x, to avoid attacks on their stores. But while Mastercard adopted a lighter tone with its customers, Visa was very blunt in its warning, stating that merchants who do not move off the Magento 1.x branch would end up no longer complying with the PCI DSS standard.

The loss of PCI DSS accreditation is a disaster for online stores or any other business that handles card payments online, as they could become directly responsible for the damage they cause to their customers.

An already delayed end of life

But the two payment processing companies are not the only ones to have warned their customers about the end of life of Magento 1.x. The same goes for Adobe, the company that now owns the Magento software and the cloud server for hosting Magento stores.

Adobe, which acquired Magento in May 2018, has been more than gracious and forgiving of Magento 1.x store owners. The 1.x branch was launched in 2008 and was initially expected to reach EOL in November 2018. Three years earlier, in 2015, the Magento team had released version 2.0, a highly anticipated update, which was a complete rewrite and an architectural overhaul of the previous and archaic 1.x version.

Unfortunately, the community of Magento store owners did not welcome the new 2.x version with open arms. Due to the large number of breaking changes between the two versions, many store owners chose to stay on the old 1.x version to avoid reimplementing their stores from scratch and to avoid extended downtime, which is a fairly common practice in the webdev community.

After Adobe bought the old Magento team, store owners asked the company to delay the end of life of the 1.x branch, which Adobe accepted, pushing the official end of life to June 1, 2020.

When the coronavirus pandemic struck, Adobe again gracefully delayed the end of life for Magento 1.x, moving it from June 1 to June 30 to give store owners more time to deal with last-minute problems on their sites and to adapt to working from home.

Increased vulnerability

On June 22, Adobe released the latest security updates for the Magento 1.x branch and said they would be the last, asking store owners to update to Magento 2.x. Nearly 110,000 stores still operate Magento 1.x.

But, unfortunately, although store owners have known since the end of 2018 that an end of life was imminent, many did not act. About 75% of current Magento stores are still operating on the 1.x branch. According to the cybersecurity company SanSec, nearly 110,000 stores still operate the 1.x branch, while only 37,500 stores operate the newer branch.

Once the 1.x version reaches EOL on Wednesday, any further exploitation of a Magento 1.x flaw will be a disaster for the online store market, as there will be no patch coming. Skimming attacks are more frequent than ever, firewalls are only a temporary solution, and store owners will most likely have to seriously consider updating their sites, despite the crashes and downtime that this implies.


