Adobe has added two-factor authentication (2FA) throughout the Magento platform in response to the widespread attacks in which skimmer scripts are deployed on hacked e-commerce sites to steal customers’ credit cards.
“Using 2FA security will better protect you from malicious users attempting to perform unauthorized logins in three different areas: Magento.com accounts, Cloud Admin, and the Magento Admin,” Adobe says.
The Magento 2FA extension supports multiple authenticators including but not limited to Google Authenticator, Authy, Duo, and U2F keys. 2FA applies to Magento Admin users only and it is not available for online store customer accounts.
This 2FA extension will automatically install as a Core Bundled Extension (CBE) when installing or upgrading to Magento Open Source or Commerce 2.4.X.
Compromised admin accounts behind 75% of Magecart attacks
According to the Adobe Security Operations team, roughly 75% of all web skimming (also known as Magecart or e-skimming) attacks were caused by the attackers being able to deploy card skimmer scripts on Magento Commerce websites via compromised admin accounts.
Nation-state hackers are also involved in such attacks, as shown by web security company Sansec which recently discovered that the North Korean Lazarus (Hidden Cobra) hacking group has been stealing payment card info from customers of large U.S. and European retailers for at least a year.
With 2FA, Magento admins will have an additional layer of authentication to decrease the attack surface for skimming attacks by preventing threat actors from gaining access to the site through the admin portal using a compromised account.
“While 2FA on the Magento Admin is optionally available on all supported versions of Magento Commerce, beginning with the release of 2.4, 2FA will be enabled by default for the Magento Admin and cannot be disabled,” Adobe explains.
Magento admins will be required to first configure 2FA before logging into the Admin accounts through the UI or a web API.
More information on the soon-to-be-released Magento Admin 2FA functionality can be found on the Two-Factor Authentication DevDocs page.
Online merchants advised to upgrade to Magento 2.x
Payments processor Visa urged merchants in April to migrate their online stores to Magento 2.x before the Magento 1.x platform reached end-of-life (EoL) in June 2020, to avoid exposing their customers to Magecart attacks and to prevent falling out of PCI DSS compliance.
Because no security fixes will be provided by Adobe for Magento 1 after reaching EoL, “any sites that have failed to migrate will be vulnerable to security breaches and pose an increased risk to the security of payment card data,” Visa’s advisory explained.
The U.S. Federal Bureau of Investigation (FBI) issued a separate warning in October 2019 to increase awareness on Magecart threats targeting both SMBs (small and medium-sized businesses) and government agencies that process online payments.
The FBI also advised online shop owners to keep their software updated, highlighting it as one of the main mitigation measures against web skimming attacks.
Web stats site BuiltWith shows more than 191,000 live Magento installs out of which roughly 67,000 are Magento 2.x online shops, with the platform powering 12% of all e-commerce sites per HostingTribunal’s stats.
Adobe said in September 2018, when it announced Magento 1’s June 2020 EoL, that approximately 8,000 sites were migrating to Magento 2 every quarter, adding to the already existing 30,000 Magento 2 sites.