Nippon Ichi Software, a popular Japanese gaming developer, has confirmed that hackers had compromised the checkout page of its American arm NIS America, thereby stealing payment card details of customers for over a month before NIS discovered the breach.
Hackers were able to steal addresses and payment card information of NIS America’s customers who paid via credit card to buy products on its website between 23rd January and 26th February this year.
In an email sent to affected customers, NIS America said the breach affected online stores it owns and operates, including store.nisamerica.com and snkonlinestore.com, between 23rd January and 26th February. The firm added that the covert hacking operation led to the loss of customers’ personal and financial details, including names, addresses, credit card numbers, expiration dates, CVV security codes and email addresses.
Here’s an excerpt from the email sent by NIS America to affected customers:
“On the morning of February 26th, we became aware of a malicious process that had attached itself to our checkout page. This process was being used as far back as January 23rd, 2018 to skim personal information provided by our customers during checkout after they placed an order at our store.
“After entering their billing, shipping, and payment information, the customer would be temporarily redirected to an offsite web page not owned or operated by NIS America, Inc. This malicious process would record the information provided by the customer during the checkout process, including credit card information, billing address, shipping address, and email address. Afterward, the malicious process would return the customer to the NIS America store page to complete their transaction.
“Transactions conducted in this manner were still successfully completed on the NIS America store pages. However, the payment information recorded by the malicious process could be used for fraudulent charges in the future. Fraudulent payments could be attempted at any storefront that accepts credit card payments, not just NIS America, Inc. store pages.
NIS America values customer information at $5
While it did not reveal the number of affected customers, NIS America said that after discovering the breach, it took the affected websites offline to investigate entry and exit points. It also took steps subsequently to improve the security of its websites and to ensure a similar operation could not take place in the future.
To compensate customers for the loss of their data, NIS America added that it is offering $5 discount codes that affected customers can use on future purchases. “We understand that this is a small token, but we hope it will show our commitment and appreciation of our customers as we begin to regain your trust,” it said. It remains to be seen how the courts will view the ‘compensation’ offered by NIS America if affected customers choose to initiate legal action against the firm.
“Data in the wrong hands – especially payment card information – can have a huge impact on customers, far beyond the unauthorised use of their cards. Credit card information, combined with other user data from other breaches and social media, builds a complete profile. In the hands of fraudsters and criminal organisations, these valuable identity sets are usually sold to other cybercriminals and used for myriad criminal activities, both on the Internet and in the physical world,” said Ryan Wilk, vice president, delivery at NuData Security Inc.
Wilk added that existing technologies such as passive biometrics are making stolen data valueless by verifying users based on their inherent behaviour instead of relying on their data, thus making it impossible for hackers to gain illegitimate access to accounts.
“Analysing customer behaviour with passive biometrics is completely invisible to users. It has the added benefit of providing valid users with a great experience without the extra friction that often comes with other customer identification techniques. When fraudsters try to use stolen customer data or login credentials, they will find the data is useless. The balance of power will return to customer protection when more companies implement such techniques and technology,” he added.
Lack of PCI compliance
The latest breach of NIS America’s checkout page recalls a similar incident involving OnePlus earlier this year. In January, researchers at security firm Fidus revealed that OnePlus’ checkout page, which accepts payments from visitors, contained security weaknesses stemming from PCI non-compliance and from not using an iFrame supplied by a third-party payment processor. These weaknesses could enable attackers to intercept customers’ financial details before they were encrypted.
According to PCI requirements, website owners should use iFrames supplied by third-party payment processors, because details entered into such pages are encrypted and cannot be intercepted by attackers on the merchant’s own site.
‘Interestingly enough, the payment page which requests the customer’s card details is hosted ON-SITE and is not an iFrame by a third-party payment processor. This means all payment details entered, albeit briefly, flow through the OnePlus website and can be intercepted by an attacker.
‘Whilst the payment details are sent off to a third-party provider upon form submission, there is a window in which malicious code is able to siphon credit card details before the data is encrypted,’ the researchers noted.
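The two designs the researchers contrast above (card fields hosted on the merchant's own page versus inside a processor's iFrame) and the offsite redirect described in NIS America's notice can both be checked for statically. The following is an added example, not code from the article, NIS America or Fidus; the origins, field names and sample pages are constructed.

```python
# Added example (not from the article): a static audit of a checkout page's HTML that
# flags card-data fields hosted on the merchant's own page rather than in a payment
# processor's iFrame, and forms, scripts or frames pointing outside an allowlist of origins.
from html.parser import HTMLParser
from urllib.parse import urlsplit

CARD_FIELDS = {"cc-number", "cc-csc", "cc-exp"}  # autocomplete tokens for card data


class CheckoutAudit(HTMLParser):
    """Collects findings while parsing one HTML document."""

    def __init__(self, page_origin, allowed_origins):
        super().__init__()
        self.page_origin = page_origin
        self.allowed = set(allowed_origins) | {page_origin}
        self.findings = []

    def _origin(self, url):
        parts = urlsplit(url)
        return f"{parts.scheme}://{parts.netloc}" if parts.netloc else self.page_origin

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        # Card fields in the top-level document are readable by any script on the page.
        if tag == "input" and a.get("autocomplete") in CARD_FIELDS:
            self.findings.append(f"card field '{a.get('name')}' hosted on-site")
        # Anything that carries data or code to/from an unexpected origin is suspect.
        for attr in ("action", "src"):
            if attr in a and tag in ("form", "script", "iframe"):
                origin = self._origin(a[attr])
                if origin not in self.allowed:
                    self.findings.append(f"<{tag} {attr}> points off-site: {origin}")


def audit_checkout(html, page_origin, allowed_origins):
    """Return the list of findings for one checkout page (empty means clean)."""
    parser = CheckoutAudit(page_origin, allowed_origins)
    parser.feed(html)
    return parser.findings


# Constructed samples: an on-site card form that also loads a script from an unknown host,
# and a page that delegates card entry to the processor's iFrame (placeholder origins).
ONSITE = """<form action="/checkout/submit"><input name="cardnum" autocomplete="cc-number">
<input name="cvv" autocomplete="cc-csc"></form><script src="https://cdn.example-unknown.net/x.js"></script>"""
HOSTED = """<form action="/checkout/submit"></form>
<iframe src="https://pay.example-processor.com/fields"></iframe>"""
```

Running `audit_checkout(ONSITE, "https://store.example.com", ["https://pay.example-processor.com"])` reports both on-site card fields and the off-site script, while the same call on `HOSTED` returns no findings.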
A recent study by WhiteHat Security also revealed that retailers exhibit several risky behaviours, and that the security vulnerabilities on their sites are serious compared with the online risks faced by other industries.
According to the researchers, the most commonly occurring “critical vulnerability classes” facing the retail industry were insufficient transport layer protection, cross-site scripting, information leakage, brute force attacks and cross-site request forgery.