
Retailers need to be wary of online credit card skimming, writes Vikas Uberoy.

In today’s golden age of online shopping, consumers take to the Internet, punch in a few credit card details, and happily receive products at their doorstep in record time. What they take for granted, however, is that their online vendor is well known, vetted, and therefore secure. But despite the complete normalisation and adoption of online shopping, this is certainly not always the case.

Consumer data is a valuable commodity and is increasingly the primary purpose of attacks on websites. Compromising websites that are also used as payment platforms enables criminals to harvest credit card numbers along with private, personally identifiable information (PII), making these sites particularly lucrative. Unfortunately, it’s not very difficult for savvy criminals to hack these sites, harvest data and use or sell this information quickly.

In a sense, this is the digital equivalent of credit card skimming, a process of stealing someone’s credit card details at a physical ATM or at self-serve stations where ATM cards are used (such as gas stations). In the same fashion that criminals can tamper with an ATM card reader, so too can they harvest data from a website’s checkout page. 2018 saw a significant spike in skimmer attacks, mostly credited to the Magecart Group, and the trend has continued into this year, with cybercriminals targeting online stores to steal payment details from unaware customers at a rapid pace.

There are many different ways that cybercriminals can go about these kinds of skimmer attacks, from hacking the shopping site itself to compromising its supply chain. With Australian businesses embracing an omni-channel retail approach and moving their sales online in order to thrive in the digital era, how can local companies identify, manage and/or avoid skimmer attacks?

Know your enemy  

Despite the prevalence of skimmer attacks, identifying this type of threat can be challenging. Unlike other kinds of cyber theft, there are often not any visible signs that a skimmer has been injected into a website.

Further complicating matters is the fact that the threat actors that compromise ecommerce sites operate in many different ways. Where the target is a high-profile site, cybercriminals will often customise their attack for maximum impact, while in other cases, attacks on lesser-value targets are automated to exploit vulnerabilities in the content management software.

In either case, information is stolen in real time as customers enter their data into the checkout page. A remote malicious server receives that unencrypted data and the attackers can then immediately start reselling the details in underground carding forums.

Not just a one stop shop

While big-name brands such as British Airways, Ticketmaster and Delta have been victims of these kinds of skimmer attacks in the past, small online retailers that process their own payments are usually the most at risk. These targets are often less protected and easier to breach, and often do not notice they’ve been impacted for considerable lengths of time, making them easy pickings for cybercriminals.

No matter what the website or occasion, shoppers should always exercise caution any time they enter personal data online, as they are placing their trust and sometimes sensitive information in the hands of the retailer. In the case of British Airways, the business was the victim of a 15-day Magecart attack that infiltrated its payment and baggage claim information page, fooling consumers in order to collect both PII and payment details.

When customer financial details are compromised in these kinds of attacks, the credit card companies will typically reimburse the victims. However, it’s harder to salvage the other types of personally identifiable information (PII), such as names, addresses or email addresses. In some unfortunate cases, this information can be exposed and lead to secondary attacks such as spearphishing, where an individual or business is targeted via an email or digital scam leveraging the stolen information.

To stop the threat of ongoing attacks and remediate a skimmer attack, businesses need to do more than just remove the skimmer code from their website. They need to identify the original source of the attack. To achieve this, retailers can work with their IT and security partners to review logs to find the point of entry and reveal how long the criminals had access to the site.

Best defence is a good offence

Once the source is identified following an attack, it is important that ecommerce sites remediate the issue to prevent further theft and fortify themselves against future attacks. While there is no silver bullet in preventing web-skimming attacks, there are measures that can be taken to mitigate the risks.

Operating an ecommerce website that processes payment information means that certain fundamental measures are needed to protect consumer information. Small and large online retailers must adhere to security requirements from the Payment Card Industry Data Security Standard (PCI DSS), a framework that defines the baseline physical, technical, and operational security controls needed to protect payment card account data. Given the large volumes of information that are collated and processed across these sites, it is usually a safer (and easier) practice to outsource the handling of financial transactions to larger, trusted parties. This enables businesses to minimise the often overwhelming task of managing these data sets and allows them to focus on their primary business, knowing that they are meeting these compliance requirements and that payment transactions are in safe hands.

As well as meeting these PCI compliance measures, online retailers need to keep on top of day-to-day security measures. Online retailers should regularly apply patches to address potential vulnerabilities, update passwords and enforce stricter access control requirements to increase security overall.

In today’s connected and digital world, it’s no longer a case of if a security breach will occur, but when – and how bad. Retailers with an online presence need to ensure that they keep security top of mind to create the most secure digital environment for their customers. Not only will these measures build consumer trust and confidence, but they will also help to safeguard against cyberthreats like skimmer attacks, making both businesses and their customers more secure.

By Vikas Uberoy, Regional Director, Malwarebytes ANZ.