What is online skimming / e-skimming and how can I prevent attacks?
Online skimming (also called “e-skimming”, “web skimming” or “digital skimming”) is a form of online payment card fraud. Whenever card data is typed into an online checkout, there is a risk of it falling into the hands of fraudsters. Various safeguards have made that less likely, but online fraudsters have raised their game in response.
The number of online purchases has increased dramatically over the past twelve months due to Covid-19 and concomitant shop closures. And not only are more people buying online, the number of online shopping sites has also skyrocketed over the course of a year. To accommodate their customers, in particular quite a few small merchants have established online shops in addition to their brick-and-mortar stores. And my suspicion is that some have done so with undue haste.
This article is about online skimming, what this entails and precisely how you – as a merchant – can protect yourself and your customers against it.
What is online skimming?
Literally speaking, “skimming” is the taking – or skimming – of a layer (such as cream) from the surface of a liquid.
Skimming first became known as an offline, real-world phenomenon. For years the headlines were full of warnings about cardholder data stolen through manipulated ATMs. Here the data on the card’s magnetic stripe is read, or more precisely captured, by a skimming device fitted over the card slot, and the PIN is obtained separately (pinhole camera, keypad overlay). A “shimmer” inserted into the chip slot can read some chip data as well, but the EMV chip itself cannot be cloned; what the fraudsters end up with is a magnetic-stripe counterfeit.
The captured stripe data is written onto that counterfeit card. An ATM or payment terminal that still accepts magnetic-stripe transactions cannot tell the clone from the original, so the fraudsters can withdraw money, make purchases and so on.
In principle the same thing happens with online skimming, only digitally, in other words online.
Put simply: malicious code, usually JavaScript, is placed on the shop’s checkout page, either by compromising the shop’s own server or platform or by compromising a third-party script that the page loads. When a customer types in card details, the script reads the form fields and sends a copy to a server controlled by the attacker in the background, while the genuine payment goes through normally. As with offline skimming, the criminals now hold the card details and can put them to further criminal use.
Because the legitimate transaction succeeds and nothing visible changes on the page, such attacks are very hard to detect. The card data is “skimmed” unnoticed, and neither the customer nor the merchant realises at first what has happened.
Where do hackers steal the card data?
Various and constantly evolving methods are in circulation, but the goal is always the same: get malicious code onto the checkout page so that it can read what the customer types. Broadly, there are two angles of attack:
- Directly on the website of the online shop (the shop software, a plugin or theme, or the server it runs on)
- In the code of an external service that your checkout page loads, such as your payment processing service.
The second variant is particularly dangerous (or particularly lucrative, depending on which side you are on!). If a service provider is “hijacked”, every online shop whose checkout loads that provider’s code is potentially affected at once.
The malicious code usually activates when the customer fills in the form to complete an order. Besides the card data, other personal details entered on the same page, such as names, addresses, e-mail addresses, telephone numbers, usernames and passwords, can be captured as well.
Which companies are at risk?
Do I, as a (small) merchant, need to bother?
Let me give you the bad news first.
- All online payment transactions are potentially at risk if insufficient security measures are in place.
- Small merchants are no exception. In fact, they actually face an even greater risk!
In 2019, some 43% of all online skimming attacks were directed against small merchants and shops. This makes them the largest target group of such cyber attacks.
The reasons are obvious:
- Lack of awareness of the problem of online skimming
- Insufficient data security
- Not having a large IT department (and thus usually inadequate know-how when it comes to IT security)
- Only a small – or non-existent – budget is allocated to security monitoring in the background.
Credit card scammers and cybercriminals are fully aware of all this, of course. (Smaller) merchants are a favorite target. Attempts to infect their systems with malicious software are launched time and again.
As a short aside: Every single day, an average of 12 attempts are made to log into the backend of my website by unauthorized entities (presumably robots). I’m puzzled as to why they bother since it’s not particularly exciting there. Nevertheless, just imagine the implications of a successful infiltration of your website, your online shop and your customer data!
In the end, just being aware of online skimming puts you one step ahead. This alertness will predispose you to take measures designed to prevent such attacks.
What can you do to protect yourself against online skimming?
Preventive measures against online skimming attacks
I recently published an article outlining some crucial measures you should put in place to safeguard card data. To a large extent, these measures also apply to payment transactions in online stores.
Below is a summary of the most important measures:
- Always keep software up to date: the shop platform, its plugins and themes, and the server underneath them; apply the vendors’ recommended security settings
- Use TLS on every page of the shop, not just the checkout, and strong, unique passwords for the shop backend (with multi-factor authentication wherever the backend supports it)
- Strictly limit access to what is absolutely necessary; the default for anything else should be “deny”
- Use a firewall and malware protection and keep both up to date
- Know exactly which external services and scripts your checkout page loads, vet each provider carefully, and remove anything that is not needed.
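As an added example (not code from the original article), the following Python script turns the two angles of attack described earlier and the measures in the list above into a check you can run against a saved copy of your checkout page. It lists every script the page loads and flags unknown hosts, inline scripts and third-party scripts without a Subresource Integrity hash; it then checks whether the page’s Content-Security-Policy would actually stop an injected script from running and sending data elsewhere. The hostnames example.shop and pay.example-psp.com, the sample page and the two policy headers are all constructed for this example.

```python
"""Audit a saved checkout page for e-skimming exposure (standard library only).

Check 1: which <script> tags the page carries and whether each is expected.
Check 2: whether the Content-Security-Policy would let injected script run
         and send captured card data to a host the shop does not control.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumptions for this example (both hostnames are hypothetical): the shop is
# served from example.shop and loads its card form from pay.example-psp.com.
OWN_HOST = "example.shop"
ALLOWED_SCRIPT_HOSTS = {OWN_HOST, "pay.example-psp.com"}


class ScriptCollector(HTMLParser):
    """Collect every <script> tag with its src, integrity attribute and body."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._open = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self._open = {"src": a.get("src"), "integrity": a.get("integrity"), "body": ""}
            self.scripts.append(self._open)

    def handle_data(self, data):
        if self._open is not None:
            self._open["body"] += data

    def handle_endtag(self, tag):
        if tag == "script":
            self._open = None


def audit_scripts(html):
    """Return (kind, detail) findings for scripts that deserve a closer look."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for s in parser.scripts:
        if s["src"] is None:
            # Inline script: the usual hiding place for injected skimmer code.
            findings.append(("inline-script", s["body"].strip()[:40]))
            continue
        host = urlparse(s["src"]).hostname or OWN_HOST  # relative src = own host
        if host not in ALLOWED_SCRIPT_HOSTS:
            findings.append(("unexpected-host", s["src"]))
        elif host != OWN_HOST and not s["integrity"]:
            # Third-party script with no SRI hash: if the provider is
            # compromised, the browser will run the altered file unchallenged.
            findings.append(("missing-sri", s["src"]))
    return findings


def parse_csp(header):
    """Parse 'directive src src; directive ...' into {directive: [sources]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def audit_csp(header):
    """Flag directives that would let injected script run or phone home.

    script-src, connect-src and img-src fall back to default-src when absent;
    form-action does not, so leaving it out allows POSTing the form anywhere.
    """
    policy = parse_csp(header)
    checks = [
        ("script-src", policy.get("script-src", policy.get("default-src"))),
        ("connect-src", policy.get("connect-src", policy.get("default-src"))),
        ("img-src", policy.get("img-src", policy.get("default-src"))),  # image beacons
        ("form-action", policy.get("form-action")),
    ]
    findings = []
    for name, sources in checks:
        if sources is None:
            findings.append((name, "absent: any origin allowed"))
        elif set(sources) & {"*", "http:", "https:"}:
            findings.append((name, "wildcard source: " + " ".join(sources)))
        elif name == "script-src" and "'unsafe-inline'" in sources:
            findings.append((name, "'unsafe-inline' lets injected inline script run"))
    return findings


# Constructed sample page: one own script, two PSP scripts (one with a
# placeholder SRI hash, one without), an unknown third-party tag and an
# inline script; the last two are what an injected skimmer typically looks like.
CHECKOUT_HTML = """<html><body>
<script src="/static/checkout.js"></script>
<script src="https://pay.example-psp.com/v3/form.js"
        integrity="sha384-PLACEHOLDER_HASH_OF_FORM_JS" crossorigin="anonymous"></script>
<script src="https://pay.example-psp.com/v3/fraud.js"></script>
<script src="https://cdn.example-stats.net/tag.js"></script>
<script>document.querySelector('#card').addEventListener('change', f);</script>
</body></html>"""

# Constructed headers: the weak policy looks like a policy but stops nothing;
# the strict one pins scripts, connections, images and form targets to the
# shop and its payment provider.
WEAK_CSP = "default-src 'self' https:; script-src 'self' 'unsafe-inline' https:"
STRICT_CSP = ("default-src 'self'; script-src 'self' https://pay.example-psp.com; "
              "connect-src 'self' https://pay.example-psp.com; img-src 'self'; "
              "form-action 'self' https://pay.example-psp.com")

if __name__ == "__main__":
    for finding in audit_scripts(CHECKOUT_HTML) + audit_csp(WEAK_CSP):
        print(*finding)
    print("strict policy findings:", audit_csp(STRICT_CSP))
```

Run it on a schedule against a fresh copy of the live checkout page and alert on any new finding; a script tag that was not there yesterday is exactly the signal you want. Two caveats: an SRI hash only works for files whose content does not change, so a payment provider that updates its script in place will break the page unless you pin a versioned URL, in which case CSP plus this kind of monitoring has to carry the load. And if the page genuinely needs inline scripts, allow them with CSP nonces or hashes rather than `'unsafe-inline'`.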
Murphy’s Law: Anything that can go wrong will go wrong.
With this article about online skimming, I don’t want to paint a pessimistic picture. Oftentimes, everything goes smoothly and everyone is happy.
It’s always the same though: when things go well and nothing happens, you either got lucky, or the time and effort spent on security measures was “apparently” wasted.
But if you do nothing and something does go wrong, then you’re in big trouble. What this trouble entails will be discussed in detail in a forthcoming article on the subject of PCI DSS.
And keep in mind, if something can go wrong it will!
A QIR to safeguard your POS system
As a so-called “Qualified Integrator and Reseller” (QIR), I am certified by the PCI SSC to perform so-called “qualified installations”.
I will support you every step of the way, from the installation to going live with your payment application. Also, I make sure that you and your customers are on the safe side. And, finally, I check your existing systems and provide feedback on how to enhance their security – in the digital world for your online shop and in our physical world alike.
Please feel free to contact me here.
Wishing you all the best with your online card payments. May things always run smoothly for you!