E-skimming attacks increasingly compromise customer payment and personal data

SecurityMetrics has shared this news article with HFTP members and stakeholders after discovering a significant increase in skimming tactics, especially electronic skimming. This blog post is intended to raise awareness about e-skimming, as it targets companies offering online payment options and is virtually undetectable by common security tools, such as antivirus software.

Skimming has always been a threat to retailers. Prior to the EMV chip on credit cards, approximately 80% of our forensic investigations were conducted in environments where the card was present, such as hotels, restaurants and hardware stores. The implementation of the EMV chip solved many problems with physical skimming, but did nothing to solve e-commerce skimming.
After implementing the EMV chip, the number of our point-of-sale (POS) forensic investigations or present card skimming dropped to approximately 22%. This type of skimming is no longer as prevalent as the profit motive for skimming cards from POS devices has been greatly hampered by the change. However, this has motivated hackers to turn to e-commerce skimming. Today, 85% of our investigations relate to e-commerce attacks, with “Magecart” and other “formjacking” heists being the most popular.
Formjacking attacks first appeared on our radar in 2017. In one of our earliest cases, a merchant was bleeding card data despite having strong security policies and procedures in place. SecurityMetrics experts ran virus scans, checked for malware, made sure their input fields were sanitized, and analyzed their code almost line by line, but we found nothing suspicious in the merchant's servers or databases.
Eventually, during a simulated purchase through the checkout process, we found a piece of malicious code attached to a compromised third party. This code was only triggered when a client filled in the CVV field and no evidence of the malware was present on the web server. It only existed in the browser, and only when entering the credit card. This breach happened when a company was compliant with industry standards – they had layered security and there were no issues with their code. In this case, a third party they had used (i.e. an analytics company that tracked shopping cart data) had been compromised.
Card-present transactions have a long history of security best practices. If a merchant wanted to introduce third-party code into a POS card data environment, they often had to go through a series of internal and external validations before any additional code or processes were allowed. With e-commerce, it’s a different story. There’s a lot more going on in the shopping cart process.
Third parties can run data analytics on the shopping cart, and threat actors can hack these third parties to steal your shopping cart data. Or they can use “malvertising,” which are advertisements in the margins of a checkout or shopping cart page. Third parties connected to payment pages have given attackers plenty of opportunities to infect your environment and steal your customer data. In many cases, we see hundreds of external code elements in the checkout process when customer card data is present.
E-commerce skimming (or e-skimming) is particularly malicious because it is extremely difficult to detect. It is often undetectable by normal security measures such as firewalls, file integrity monitoring (FIM), or antivirus. Because attackers host their malicious JavaScript on third parties in order to harvest personal data, your site can be serving compromised code from another website, or even from a trusted entity, even when your own website has not been compromised.
Credit card skimming has undergone several evolutions. Old-fashioned credit card skimming involved placing a device on cash registers or gas pumps that would capture card data. This was difficult to do because you had to plug the skimming device into a power source or provide battery power. Today, with EMV, we are seeing a return to physical skimming devices that are as thin as a piece of tape and can harness the power of new EMV hardware, making this attack harder to detect.
However, with the expansion of online shopping and transactions since Covid-19, e-skimming has become a preferred method for capturing credit card data. Online skimming is rapidly gaining popularity and retail remains at high risk of hacking, which comes with increased liability.
The good news is that there is a new class of client-side or browser-side monitoring technology that monitors the payment process, even at the exact moment credit card data is entered by the customer, that can alert merchants as soon as malicious code is injected into the payment process.
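As an added example, not code from the SecurityMetrics post or from any monitoring product it refers to, the following shows the simplest form of the client-side check described above: keeping an inventory of the script origins loaded on a checkout page, comparing it with a merchant-maintained allowlist, and re-running the comparison whenever the page changes so that a script loaded from a compromised third party (like the analytics vendor in the case above) stands out. The page URL, allowlisted origins and sample script list are constructed for illustration.

```javascript
// Added example (not from the SecurityMetrics post): client-side script-inventory
// check for a checkout page. Script origins are compared with a merchant-maintained
// allowlist; anything else is reported. Origins and sample URLs are constructed.
const PAGE_URL = "https://shop.example/checkout";   // constructed first-party page
const ALLOWED_SCRIPT_ORIGINS = new Set([
  "https://shop.example",                           // first party
  "https://payments.example",                       // payment provider (constructed)
]);
// Resolve a <script src> value against the page URL and return its origin, or null
// when it is not an https: URL (data:, blob: and javascript: are never trusted).
function scriptOrigin(src, pageUrl = PAGE_URL) {
  try {
    const u = new URL(src, pageUrl);
    return u.protocol === "https:" ? u.origin : null;
  } catch (e) {
    return null;                                    // unparseable: treat as unknown
  }
}

// Classify script sources as found in <script src> attributes. Inline scripts
// (src null or empty) cannot be allowlisted by origin and are counted separately.
function auditScripts(sources, allowed = ALLOWED_SCRIPT_ORIGINS, pageUrl = PAGE_URL) {
  const report = { allowed: [], unexpected: [], inline: 0 };
  for (const src of sources) {
    if (src === null || src === "") { report.inline += 1; continue; }
    const origin = scriptOrigin(src, pageUrl);
    (origin !== null && allowed.has(origin) ? report.allowed : report.unexpected).push(src);
  }
  return report;
}

// The same allowlist as a Content-Security-Policy script-src directive, so the
// server can observe (Report-Only) or enforce the boundary the audit checks.
function buildScriptSrcPolicy(allowed = ALLOWED_SCRIPT_ORIGINS) {
  return "script-src 'self' " + [...allowed].join(" ") + ";";
}

// Browser hook: re-run the audit on any DOM change after load (e.g. a <script>
// appended by a third-party tag). Guarded so the same file also runs outside a browser.
if (typeof document !== "undefined" && typeof MutationObserver !== "undefined") {
  const collect = () => [...document.scripts].map((s) => s.getAttribute("src"));
  new MutationObserver(() => {
    const r = auditScripts(collect());
    if (r.unexpected.length) console.warn("unexpected checkout scripts:", r.unexpected);
  }).observe(document.documentElement, { childList: true, subtree: true });
}
// Constructed sample inventory, as a checkout page might report it.
const SAMPLE_SCRIPTS = ["/js/checkout.js", "https://payments.example/v1/iframe.js",
  "https://analytics.example/tag.js", null];   // last two: unlisted analytics, inline
```

An inventory check like this only tells you that an unexpected origin appeared; the warning still has to be shipped somewhere (a reporting endpoint, or the CSP report mechanism built from the same allowlist) to become the alert the paragraph above describes.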
One of our main goals as a cybersecurity company is to make organizations aware of security threats that could negatively affect them. We hope this blog has helped you see the threats you might be missing so you can keep your business safe.
Aaron Willis, CISSP, CISA, QSA is a Senior Forensic Analyst at SecurityMetrics, a company specializing in cybersecurity for SMEs and the payment industry.
Hospitality Financial and Technology Professionals (HFTP), established in 1952, is an international non-profit association, headquartered in Austin, Texas, USA, with offices in the UK, Netherlands and Dubai. HFTP is recognized as the voice group for the finance and technology segments of the hospitality industry with members and stakeholders across the globe. HFTP uniquely understands pressing industry issues and helps its stakeholders find solutions to their challenges more effectively than any organization. It does this through its expert networks, research, certification programs, information resources and conferences/events such as HITEC