
Just another third-party application
David Kennefick, product architect at edgescan, on the lessons to be learnt from the PokerTracker.com compromise

Last month the Poker Tracker website was compromised by a web-based card-skimming site. As Bleeping Computer reported, online poker players use the Poker Tracker software to improve their chances of winning by making decisions based on statistics compiled from their opponents’ gameplay.
According to Malwarebytes researchers, the vulnerability that affected Poker Tracker stems from the implementation of an outdated CMS in a tool that is used for tracking hands in online poker. The issue was first discovered when one of their customers queried a Magecart-related alert that appeared when they opened their Poker Tracker software.
As with many of these technologies, there are various things that need to be considered. In an ideal world from a consumer perspective, technology should be tested, and an independent third party should verify that security controls and due diligence were applied in the creation and deployment processes. This would put a support structure in place that allows for both a proactive and a reactive approach to security.
How people are vulnerable
As opposed to stoking fear with the typical security person’s approach, there is little that can be done if a motivated attacker has broken a piece of technology that you are using and planted a skimmer in this technology.
A testament to this is the ‘sustained attack’ that targeted the iPhone and its users, which was reported by Google researchers in February this year. A patch was released days after notification, but the two years during which these exploits were in use is ample time for a breach to have taken place.
How to mitigate
There are core lessons to be learnt from this hack, both for users and developers.
When creating technology, always be sure there is a strong patching policy for any framework that is being used. As much as I dislike it, having formalised SLAs with your technology owners to practice and maintain robust patching policies is something that should always be considered.
Always be wary of installing software from sources that are not entirely trusted. Just because you have to pay for software doesn’t mean there is a development team ready and waiting to support and patch the technology. According to Malwarebytes, “Poker Tracker rapidly identified the issue and removed the offending Drupal module”, which is an appropriate response. An independent third-party review of their technology and a more proactive patching policy, however, may have stopped this exploit before it became an issue.
Be wary of JavaScript libraries. They may not be what you expect, so make sure you are getting the latest safe versions from trusted locations.
For users, be proactive with your security: this will allow you to react promptly when a compromise happens. There is no magic bullet other than to put controls into place to make it less likely for your data to be unnecessarily exposed.
Always be cautious of software running on your device, especially if it is a device you use for both processing transactions and gaming.
Have a proactive blocking system installed and keep its signatures updated. This is a good advertisement for Malwarebytes, as its blocking worked as intended on a previously flagged domain. Windows Defender has also come on in leaps and bounds since its initial release and could be considered too.
With virtual/disposable payment cards being more accessible, payment methods should be rotated and recycled if possible. Revolut and Monzo support this feature. Taking this proactive step earlier in the payments process adds a safety net for users in case card data is compromised.
Get into the habit of questioning processes that may put somebody’s data in a potentially compromising position. Small changes enacted by many people can eventually turn the tide in compromises where no technically based solution is available.
As one of edgescan’s product architects, David Kennefick is an essential part of the company’s senior management team. He supports and maintains edgescan’s enterprise clients, making sure they have the tools to control and manage IT security risk.