Skimming attacks occur when malicious actors steal credit or debit card data, create fake accounts, and then spend money that doesn’t belong to them. Skimming costs customers and businesses more than $1 billion each year. The rise of e-commerce presents a new opportunity for attackers to compromise and capture data online during the purchase and checkout process.
Here’s what companies need to know about the evolution of skimming attacks, how they target digital consumers, and what they can do to reduce their total risk.
Skimming 1.0
First-generation skimming methods relied on physical card readers such as those on ATMs or point-of-sale (POS) terminals. By installing additional hardware on top of existing card scanners or readers that mimicked the form and function of legitimate devices, users unwittingly swiped their cards or entered their PINs only to have them stolen by criminals.
Armed with this data, fraudsters created new cards that worked just like their original counterparts, making it possible for them to spend someone else’s money in-person or online. To counter attacks, chip-based cards using the Europay, Mastercard and Visa (EMV) standard were developed, which helped frustrate attacker efforts.
The uptick of online purchasing, however, has created a new opportunity for attackers: web skimming.
Skimming in Cyber Security
While online shopping was already on the rise, pandemic pressures pushed it to the purchasing forefront. Offering speed and safety, digital card transactions have seen massive growth over the past two years.
Given the non-physical nature of these transactions, it’s logical to conclude that attacks would largely dissipate — without a device to compromise, how could attackers capture credit and debit card data?
Enter Magecart, now one of the most popular web skimming tools available. Much like its generation 1.0 counterpart, this digital skimming technique looks to capture card data in use. Attackers first look for e-commerce sites with minimal security measures and inject malicious payloads that bury themselves in legitimate site code. When customers move to the purchasing stage and enter their card details, skimming malware captures, copies and transmits credit data back to malicious actors, who then use this information to create digital replicas and defraud customers.
In some ways, digital attacks are more dangerous than their physical counterparts. Since e-commerce sites don’t store credit card information, attackers have found ways to target the point of digital sale and obtain even more detailed data.
The Impact of Digital Data Loss
Data loss due to attacks can lead to negative impact in three key areas:
- Consumer confidence: Trust plays a critical role in consumers’ willingness to provide their credit or debit card information online. Successful attacks undermine this trust and make customers far less willing to make purchases or share digital data, in turn, reducing your total sales volume.
- Remediation and reputation costs: Once attacks are identified on your site, it’s critical to address them quickly and completely. In some cases, however, this means temporarily shutting down digital purchasing until all traces of compromise are identified and eliminated. In practice, this is costly — from a revenue and reputational standpoint.
While your site is down, you’re not generating revenue, and substantial spending may be required to improve overall security. Customers, meanwhile, may not wait until your site is fixed; instead, they may choose to take their business elsewhere.
- Operational compliance: Compliance is also a concern. Rules such as PCI DSS, CCPA and other local legislation can lead to fines or penalties that may impact operations if companies can’t deliver on due diligence requirements around data collection and protection.
Credit Where Credit is Due
To reduce the risk of digital attacks, companies must take proactive, protective action that prevents malicious actors from installing malicious code.
This starts with regular updating and patching of your site to help ensure attackers can’t exploit previously unknown vulnerabilities. It’s also worth partnering with security and compliance experts to conduct a risk assessment of your current security posture and penetration testing to pinpoint potential problems.
If you’ve been victimized by attacks, incident response and forensic services from trusted providers can identify the attack vectors used by cybercriminals and help your teams craft an effective remediation strategy.
Skimming has gone digital, and now poses a significant threat to customer credit data, company reputation and effective regulatory compliance. By proactively protecting systems with scheduled patching, regular risk analyses, and continuous vulnerability and penetration testing, however, businesses can limit the impact of skimming at scale.
Ready to reduce the risk of successful skimming? See how HALOCK can help.