Adobe has added two-factor authentication (2FA) across the Magento platform in response to the growing number of attacks in which skimmer scripts are deployed on compromised e-commerce sites to steal customers' payment card data.
"Using 2FA security will better protect you from malicious users trying to make unauthorized connections to three different sections: Magento.com, Cloud Admin and Magento Admin accounts," says Adobe.
The Magento 2FA extension supports several authenticators, including Google Authenticator, Authy, Duo and U2F. 2FA applies only to Magento Admin users and is not available for customer accounts on the storefront.
The 2FA extension is installed automatically as a Core Bundled Extension (CBE) when you install or upgrade to Magento Open Source or Magento Commerce 2.4.x.
Compromised admin accounts account for 75% of Magecart attacks
According to the Adobe Security Operations team, roughly 75% of all web skimming attacks (also known as Magecart or e-skimming) on Magento Commerce sites were carried out by attackers who were able to deploy card skimmer scripts after compromising an admin account.
State-sponsored hackers are also involved in such attacks, according to security company Sansec, which recently discovered that the North Korean hacking group Lazarus (Hidden Cobra) has been stealing payment card information from customers of major US and European retailers for at least a year.
With 2FA, Magento administrators get an extra layer of authentication that reduces the chance of attackers gaining access to their websites through hijacked admin accounts.
"While 2FA in Magento Admin is optionally available to all supported versions of Magento Commerce, starting with the 2.4 release, 2FA will be enabled by default for Magento Admin and cannot be disabled," explains Adobe.
More information on the new Magento Admin 2FA functionality, which will be released soon, can be found on the Two-Factor Authentication DevDocs page.
Online merchants are encouraged to upgrade to Magento 2.x
Payment processor Visa urged merchants in April to migrate their online stores to Magento 2.x before the Magento 1.x platform reaches end of life in June 2020, to avoid exposing their customers to Magecart attacks and to prevent the stores from falling out of PCI DSS compliance.
Because there will be no security fixes from Adobe for Magento 1 once its life cycle ends, "any sites that failed to migrate will be vulnerable to security breaches and will have increased risk to the safety of payment card data," Visa explained.
The US Federal Bureau of Investigation (FBI) issued a separate warning in October 2019 to raise awareness of Magecart threats targeting small and medium-sized businesses as well as government agencies that process online payments.
The FBI also advised online store owners to keep their software up to date, identifying this as one of the key mitigation measures against such attacks.
Web statistics site BuiltWith shows more than 191,000 live Magento installs, of which approximately 67,000 are Magento 2.x stores.
Adobe said in September 2018, when it announced that Magento 1 would reach end of life in June 2020, that approximately 8,000 websites were migrating to Magento 2 every quarter.