Card skimming, carried out with card-reading devices fitted to ATMs, is familiar to many. Nowadays this type of credit card fraud is also appearing on the web. Of course, it has been improved and adapted to its new ‘habitat’. But the crux of the matter remains the same: the theft of credit card information for use in criminal undertakings.
Meanwhile, a protected HTTPS connection won’t help to protect the data: since the malware is installed on the shop’s server, the information leaks even before encryption takes place. Often a break-in leaves no trace, not only for the customer whose data was stolen but even for the owners of the merchant websites.
Online skimming first attracted serious attention at the end of 2015, when researchers found over 3000 internet shops that were “pouring out” their customers’ card information. On most of the identified websites, the skimming code had been working for a few months, and in some places for more than half a year. You don’t even want to imagine how many credit card numbers were compromised during this period.
Since then a year has passed. What are the results? The number of merchant sites with online skimming has increased significantly.
One of the factors behind the increase in infected stores is that hackers have learned to skillfully mask the harmful code, making its detection quite difficult. A year ago, generally just one type of online skimmer was in use, with a few modifications in the code; today nine types of JS scripts belonging to three different families have been identified.
However, the main reason for the spread of online skimming is that the managers of internet stores are not very concerned with eliminating it. After the problem was detected, researchers immediately informed the owners of the affected sites about the vulnerabilities in their data protection systems. Unfortunately, the overwhelming majority did not give this due attention. Some simply did not respond to the specialists’ warnings; some doubted the presence of spyware on their sites, claiming that their data protection systems were all in order.
Meanwhile, there are tools that make it possible not only to get rid of these harmful “additions” but also to prevent their reinstallation: special software that scans websites for vulnerabilities and changes in code, and that can perform daily monitoring and report problems as they arise.
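The "changes in code" part of such monitoring can be illustrated with a hash baseline. The following is an added example, not code from the original article or from any product it mentions; the watched extensions and the sample file names are assumptions chosen for illustration.

```python
import hashlib
import os
import tempfile

# Assumption: file types that can carry skimmer code on a shop server.
WATCHED_EXTENSIONS = (".js", ".php", ".phtml", ".html")


def build_manifest(webroot):
    """Map each watched file (path relative to webroot) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirs, filenames in os.walk(webroot):
        for name in filenames:
            if not name.lower().endswith(WATCHED_EXTENSIONS):
                continue
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            manifest[os.path.relpath(full, webroot)] = digest
    return manifest


def diff_manifests(baseline, current):
    """Return files added, modified or removed since the baseline was taken."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
    }


def demo():
    """Constructed sample: a tiny webroot, changed between two daily scans."""
    with tempfile.TemporaryDirectory() as webroot:
        os.makedirs(os.path.join(webroot, "js"))
        checkout = os.path.join(webroot, "js", "checkout.js")
        with open(checkout, "w") as fh:
            fh.write("function submitOrder() {}\n")
        baseline = build_manifest(webroot)  # stored after a known-good deploy
        # Simulated tampering: an edited script and an unexpected new file.
        with open(checkout, "a") as fh:
            fh.write("// unreviewed change\n")
        with open(os.path.join(webroot, "js", "extra.js"), "w") as fh:
            fh.write("// file not in the release\n")
        return diff_manifests(baseline, build_manifest(webroot))


if __name__ == "__main__":
    print(demo())
```

The baseline manifest should be kept somewhere other than the web server itself, so that whoever alters the shop's code cannot also rewrite the record it is compared against.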
Since the store owners are clearly not aware of serious problems, it is worthwhile for potential customers to take care of protecting their data and their funds themselves.
To do that:
- Before making a purchase, check the store's domain against a list of compromised stores (such lists can be found, for example, on the site MageReports.com).
- It is better to use large, tested internet shops, where there is at least some expectation that online skimming and phishing (yet another modern-day online disease) are tracked and intercepted by information security specialists.
- It is preferable to have a separate card for online purchases, where funds are credited only in the amount necessary for the acquisition of goods.
- It is worthwhile to confirm each bank transaction (ideally with a one-time password or two-factor authentication).