Card skimming – the act of copying data from a credit card either to make a physical or virtual copy of the card – is not a new tactic for criminals. As a result, many an unsuspecting card payer has been unpleasantly surprised by unauthorised payments made on their card after letting it out of their sight for five minutes whether it be at a restaurant, doing online payments or at the shops.
by Simeon Tassev, MD and qualified security assessor at Galix Networking
However, the introduction of mobile card payment devices, increased security at pay points and ATMs, and 3D payment authentication for online payments has all but thwarted criminals seeking to make a quick buck off of duplicating credit cards. Although small-time criminals still make use of physical card skimming devices and not all online portals have built in authentication, most have set their sights on more lucrative opportunities, where they are able to copy multiple cards with less traceability.
The recently uncovered MagentoCore skim scam has really upped the ante, being described as the most successful skimming campaign to date, with over 7993 online stores hosted on the Magento global ecommerce platform being affected over a six month period. Fifty-one million customers around the globe have made purchases from Magneto merchants, and the malware shows no signs of stopping any time soon.
With over two hundred and fifty merchants using the opensource Magneto platform, the hacker group responsible for MagentoCore continues to target new brands. According to industry expert and the person responsible for uncovering this threat, Willem de Groot, the hackers use a script called a ‘payment card scraper’ or ‘skimmer’ once they’ve breached the site and modified its source code to load the script along with its legitimate files. The script usually loads on store checkout pages and secretly records payment card details entered in payment forms, data that it later sends to a server under the hacker’s control.
What makes the malware so attractive to cybercriminals is that it is so incredibly difficult to trace, and the copying of hundreds of cards per day gives them the ability to copy far more data than ever before. Businesses and card users alike need to not only become more aware of the risks of online payments, but also protect themselves and their customers from threats.
What can retailers do?
Skimming is only one of many security risks that retailers with an ecommerce portal need to take care of. It’s essential that they have a full risk management strategy in place which assigns a risk factor to their risks, giving them a priority and putting the right technology in place to protect both themselves and their customers.
They need to perform regular checks on their customer facing websites, factoring in vulnerability scanning, web security scanning, code review, penetration testing and various other tests to ensure the website performs optimally and securely. Those retails who do not make use of a third party two-factor authentication payment platform should ensure they have one in place.
Retailers who do outsource their functions, such as to an ecommerce platform, should ensure they have some sort of liability cover included so that if the platform is hacked, neither they nor their customers carry the risk.
It’s also important that they ensure their compliance is up to date and well managed. Compliance with regulations such as Payment Card Industry Data Security Standard (PCI-DSS) help to ensure that the minimal controls are in place to protect their own and their customer’s information during transactions. Other regulations such as the Protection of Personal Information (PoPI) Act and the General Data Protection Regulation (GDPR) gives them guidelines on how to protect their customer’s information across the board, too.
What can consumers do?
Many people have a card, today, and partake in some form of online purchasing, whether directly from a retail chain or through a third party platform. Here are some tips to ensure consumers protect themselves:
* Check that the website is secure. A secure website will have a valid certificate, usually demonstrated by a locked padlock icon.
* Deal with reputable vendors. This may not always be possible, and there are many exciting and trustworthy ecommerce stores that open up on a daily basis. However, where possible, opt for the sites that are well known and trusted.
* Ensure that the site has 3D security enabled, where shoppers are redirected to a third party platform, often a financial institution’s platform, to verify that they are making the purchase through a security code being sent to the purchaser.
* Shoppers can also make use of a virtual card, which they load up with a pre-set amount of money in order to make online payments. A virtual card is a card created by a virtual card provider similar to a gift card. Many banks and third party virtual card providers are available today so that shoppers can add a layer of protection to online shopping.
* Mobile payment applications such as SnapScan or Zapper offer a safer method of payment for shoppers, so they should look for providers that offer this as a payment option.
* Remember that there is no 100% safe way to shop online or in store when using a card. Shoppers should be vigilant and if they are unsure, rather skip the purchase and find an alternative payment method.
It is highly likely that cybercriminals will only get smarter, targeting vulnerabilities in ecommerce and online retail platforms wherever possible. Both retailers and shoppers need to ensure they are aware of the risks and protect themselves wherever and however possible.