E-skimming: As Shopping Moves Online So Does Credit Card Skimming


As shoppers prepare to get out their credit cards and enter their details on e-commerce sites for the upcoming Black Friday sales, the risk of fraudulent 'e-skimming' is worth a few minutes' reading.

Credit card skimming at ATMs has been a long-standing problem, with criminals making billions from stolen card data. As shoppers moved from the high street to e-commerce sites, malicious actors had to evolve and find new ways to steal customers' information.

E-skimming is the injection of 'skimming code' into e-commerce checkout and card-processing pages. The code captures credit card details and personally identifiable information (PII) as they are entered and sends the stolen data to a domain or server under the attacker's control.

How it works 

There are different ways in which the skimming code can be introduced to a website. 

The website itself may have vulnerabilities that can be exploited to inject the code. Researchers have identified more than 40 different code-injection exploits, many of which are very difficult to detect: some are as small as 20 characters, so finding them requires a line-by-line examination of the site's code.

Access to the site's network can also be gained through a phishing email or by brute-forcing an administrator's credentials. In the phishing case, the victim is tricked into clicking a malicious link that installs malware on their device, giving the attacker a foothold from which to plant the skimming code.

Cross-site scripting (XSS) is another route. JavaScript injected into the site can redirect customers, part-way through checkout, to a malicious domain that is made to look authentic but exists solely to capture and steal their information.

The skimming code captures card details and PII in real time as the customer types them, and sends them to a server controlled by the attacker. The stolen data may then be used to make fraudulent purchases or, more commonly, sold on to others on the dark web.

Avoiding e-skimming – for businesses 

For consumers, the reasons to avoid having your information stolen are obvious. For businesses, too, there are strong reasons why preventing e-skimming on their platforms is paramount.

First, the reputational damage can be severe. News that customers' credit card details are being stolen on a company's site is likely to deter others from making future purchases.

Randy Pargman, senior director at US-based cybersecurity firm Binary Defense, explained to CNBC the risks for organisations that fall victim to e-skimming attacks, with reputational damage being a big concern.

“That’s why companies put a lot of effort into making sure that their security is good, so they don’t have to notify consumers that they had lost their data because of a lapse in security,” he said. 

Heavy fines are also a concern. After British Airways fell victim in 2018 to an e-skimming attack by the well-known group Magecart (whose name is also used to refer to e-skimming attacks in general), the UK Information Commissioner's Office announced its intention to fine the airline £183 million; the penalty finally imposed in 2020 was £20 million.

Ways to minimise risk of being affected by e-skimming attacks as a business include: 

  • Keeping payment and e-commerce software up to date, so that known vulnerabilities are patched
  • Implementing code integrity checks, for example alerting when the scripts on a checkout page change or start loading from an unexpected domain
  • Monitoring and analysing web logs for any suspicious activity

Avoiding e-skimming – for consumers 

As a consumer, detecting that you have been a victim of e-skimming can be very difficult. Herb Stapleton, section chief for the FBI's cyber division, explained: "It's nearly impossible for a consumer to detect that this has happened to them before the actual occurrence."

“The site that they would look at, which is already infected, would look no different to a consumer.” 

However, there are still things that can be done to help protect yourself. 

  • Use trusted websites and check for HTTPS – trusted and more reputable sites are less likely to be susceptible to e-skimming attacks. Additionally, ensure the page you are entering your details into is served over HTTPS, which encrypts the data in transit. Note that HTTPS does not protect against skimming code that is already running on the page itself; it only stops eavesdropping between your browser and the site.
  • Monitor bank accounts – use online banking to regularly check up on your accounts to ensure there are no unusual transactions. 
  • Consider using a virtual card – these are cards offered by some banks that allow you to limit the amount of money, or the number of transactions, that can be charged to the card. This limits the potential loss if the card details are stolen.
  • Set up alerts – these can inform you whenever a transaction is made on your card, or only when transactions over a certain threshold take place.

For a business, Securiwiser is a cybersecurity service provider that provides reliable cybersecurity monitoring tools for your domains. Securiwiser’s service will monitor for suspicious activity that can alert you if something doesn’t look right, which includes potential e-skimming attacks.
