The Threat of Online Skimming to Payment Security
According to the PCI Security Standards Council, and the Retail and Hospitality Information Sharing and Analysis Center (ISAC), a growing threat that merchants and service providers need to be aware of is Web-based, or Online Skimming.
What does this mean?
‘Skimming’ is a common method of stealing credit card information by using a small electronic device that scans and stores card data from the magnetic stripe. Stolen credit card information can be used to make fraudulent purchases online or to clone new cards.
But online skimming attacks infect e-commerce sites with a malicious code known as ‘sniffers’ or JavaScript (JS) sniffers, and are extremely difficult to detect! Once a site is infected with this code, payment card information is ‘skimmed’ during a transaction without the merchant or consumer being aware the information has been compromised.
After obtaining the data, the group sells the information on the Dark Web.
According to Security Boulevard, the group primarily responsible for the tactic is known as ‘Magecart.’ In the past, the group hacked British Airways, NewEgg and Ticketmaster. In fact, Magecart has hacked over 6,400 sites since their inception.
How it works
The group exploits existing vulnerabilities in Websites in order to compromise them. Common ways Magecart gains access include brute force login hacking where hackers try to login using a huge list of known common passwords; 3rd-party plugins that help the site accomplish a specific purpose; and ‘phising’ and ‘social engineering,’ in which criminals gain access to credentials by using deception through social media or via email.
PCI Security Standards Council and ISAC says examples of these attacks to third-party applications and services include advertising scripts, live chat functions, and customer rating features. Once compromised, these third-party services are used by attackers to inject malicious JavaScript into the target websites.
The code is often triggered when a victim submits their payment information during checkout. Different threat actors gather different details including, billing address, name, email, phone number, credit card details, username, and password. The malicious code, the organizations say, logs the payment data either locally on the compromised website or remotely to a computer controlled by the threat actors.
Detection Best Practices
Examples of PCI DSS Requirements providing ‘detection’ controls include:
- Reviewing code in order to identify potential coding vulnerabilities
- Use of vulnerability security assessment tools to test web applications for vulnerabilities
- Audit logging and reviewing logs and security events for all system components to identify
anomalies or suspicious activity - Use of file-integrity monitoring or change-detection software
- Performing internal and external network vulnerability scans
- Performing period penetration testing to identify security weaknesses
PREVENTION Best Practices
The best protection to mitigate against these attacks is to adopt a layered defense that includes patching operating systems and software with the latest security updates. Some examples from PCI DSS include:
- Disable unnecessary ports/services/functions and configure components securely in accordance with industry accepted system hardening standards
- Implement malware protection and keep up to date
- Restrict access to only what is absolutely needed and deny all other access by default
- Use strong authentication for all access to system components
- Conduct proper due diligence prior to engagement of third-party service providers and monitor service providers’ PCI DSS compliance status
Contact Electronic Money Company today at 505-296-2847 to discuss ways to help you prevent criminals from getting at your data. Ask us or your insurance company about data breach protection!