The Visa and Mastercard payment processors, along with Adobe, have tried last-ditch efforts this month to get online store owners to update their platforms.
In three days, on June 30, the Magento 1.x platform is set to reach its official end-of-life (EOL) date, after which Adobe plans to stop offering security updates.
Stores that haven’t updated to the latest 2.x branch and are still running Magento 1.x installations will become highly vulnerable to attacks from hackers.
The danger is considered high as for the past three years, hackers have been heavily exploiting Magento bugs to breach stores and insert payment card-stealing code in checkout forms — in a form of attack known as web skimming or Magecart.
Mastercard and Visa get involved
Earlier this week, payments processor Mastercard has issued a security alert to its customers on the topic.
In a copy of this alert seen by ZDNet, the company said that its Mastercard Account Data Compromise (ADC) team, responsible for investigating security breaches impacting cardholder data, found that web skimming incidents have been growing in occurrence in recent years. Most of these have been traced back to websites running older versions of the Magento web store software.
Mastercard said that 77% of the companies investigated in these incidents were not in compliance with PCI DSS requirement 6, the rule that requires store owners to run up-to-date systems.
Mastercard’s alert comes after Visa sent one of its own in April. Just like Mastercard, Visa warned store owners to update to the latest branch, Magento 2.3.x, to avoid attacks on their stores.
But while Mastercard took a lighter tone with its customers, Visa was very blunt in its warning, making it clear that if merchants failed to update away from the Magento 1.x branch they would eventually fall out of compliance with the PCI DSS standard.
Losing PCI DSS accreditation is a disaster for online stores or any other company that manages online card payments, as they could become directly liable for the damages they cause to their customers.
Adobe delayed Magento 1.x EOL twice
But the two payments processors weren’t the only ones who have been warning their customers about the Magento 1.x EOL. So has Adobe, the company that now owns the Magento software and the cloud server for hosting Magento shops.
Adobe, which acquired Magento in May 2018, has been more than gracious and lenient to Magento 1.x store owners.
The 1.x branch was released in 2008 and was initially scheduled to reach EOL in November 2018.
Three years prior, in 2015, the Magento team released version 2.0, a much-needed update, which was a total re-write and architectural re-design of the previous and antiquated 1.x version.
Unfortunately, the Magento store owner community did not greet the new 2.x release with open arms. Due to the large number of breaking changes between the two versions, many store owners chose to stay on the older 1.x release and avoid having to re-implement their stores from scratch and avoid prolonged downtime — which is a pretty common practice in the webdev community.
After Adobe acquired the old Magento team, store owners asked the company to delay the EOL of the 1.x branch, which Adobe agreed, moving the official EOL back to June 1, 2020.
As the coronavirus (COVID-19) pandemic hit earlier this year, Adobe again graciously delayed the Magento 1.x EOL, moving it from June 1 to June 30 to give store owners more time to deal with last-minute breakage on their sites and accommodate work-from-home schedules.
But this was it; the final EOL push-back.
This week, on June 22, Adobe released the final security updates for the Magento 1.x branch, and said these would be the last, asking store owners to update to Magento 2.x.
Almost 110,000 stores still running Magento 1.x
But, sadly, despite store owners knowing from late 2018 that an EOL was coming, many have not acted. Around 75% of today’s Magento stores still run on the 1.x branch.
According to cyber-security firm SanSec, there are nearly 110,000 stores still running the 1.x branch, while only 37,500 stores are running the newer branch.
Once the 1.x reaches EOL this next Wednesday, any new Magento 1.x exploit will be a disaster for the online store market, as there would be no patch forthcoming.
In conversations with experts from the web security community, this reporter was told that new Magento 1.x vulnerabilities haven’t been spotted in a while. Many believe that hackers are sitting on their Magento 1.x exploits and waiting for the EOL to come around.
With web skimming attacks being more common than ever, firewalls are only a temporary solution, and store owners will most likely need to seriously consider updating their sites, despite the temporary breakage and downtime that this involves.