We’ve all had warnings about card skimming, supposedly prevalent in petrol stations and restaurants. In fact, anywhere that takes a card as payment. More appropriately known as digital skimming, fraudsters are using it more and more to separate us from our cash.
It used to be limited to stealing data from physical cards, but it now extends to websites that accept online credit card payments as we move to online transactions.
Online Security has skimming firmly on its radar.
Digital Skimming originated with the physical tampering of POS devices, usually ATMs and hand-held card payment devices. A hidden device was attached to the device to copy card information from the magnetic stripe as it was inserted or swiped. The thief retrieved the device and copied the card information, reset, and replaced it. Nowadays, they are more sophisticated to allow the collection of chip-and-pin information, even over RFID.
It can be difficult to identify a skimming attack. The code is usually heavily camouflaged. Typically, about 20 lines of “innocent” code hide one line with malicious behavior.
The code allows the hacker to steal payment information in real-time. As you pay, your payment information is relayed to the hacker’s server.
As more and more people use “Card not Present” payment methods, the trend for physical skimming is definitely downward, while digital skimming from websites is markedly upwards.
The Purpose of Digital Skimming
There are several reasons for digital skimming, but the basic one is to obtain financial information. The information can be sold on the deep web or used to buy items from online stores.
Online Security watchers have identified two principal attack vectors:
- A Supply-Chain attack. Thieves have found it more effective to compromise the payment gateway code downloaded from third-party-websites and open-source libraries. Simply put, they modify the code to contain the malicious code downloaded to gateway users.
One of the more common ones is the so-called Magecart code exploit. Over the last eighteen months or so, it has been responsible for the breach of over 12 third-party vendors and several hundreds of thousands of customer data thefts. Unusually, no single hacker or group claims responsibility for Magecart.
The name comes from mage.js, a component of the very popular Magento e-commerce framework that was compromised with one additional script line. As a result, over 7,000 individual e-shops that use Magento were compromised.
The technique is being broadened by hackers to cover other popular e-shop development frameworks like Techrabbit.
Skimming is generally not noticed by the cardholder until they see unauthorized or unusual charges on their accounts. That can be for several months. It can also be because the hacker isn’t attacking the website directly with a Supply-Chain attack. They are attacking the systems being used by a third party working with the merchants.
A fraudster can quietly work away stealing data for months before being detected. IBM reckon that it takes about a year to identify a large data breach. Even the most aware and compliant merchants can be targeted.
As with other hacks, protection and detection is a continual battle between the white hats and the black hats. As quickly as one hole is plugged, the hackers find and exploit another one.
There are simple Online Security server-side and client-side measures:
Apply Content Security Policies. Use CSP headers to restrict communications and data transfers between domains. Block transfers to suspicious or unauthorized domains.
Simply put, the client needs to activate a browser extension that provides user-level control or a CSP style control over script actions and information transfers to unknown domains. The extensions will differ for different browsers. Two such are “ScriptSafe” and “ContentBlockHelper”.
Privacy-focussed browsers like FireFox and Brave Browser allow users to prevent scripts being loaded.
Physical Card Present Measures
- Don’t let your card out of your sight. Waiters sometimes “take the card to the machine”. That is where the physical skimmer is.
- If the ATM “Looks Funny” or has loose or perhaps additional bits, go somewhere else.
Bottom line, digital skimming is real. Don’t be complacent about it.