Online skimming and payment security are growing concerns for many e-commerce companies and online shoppers. To help companies and consumers better protect themselves from data theft, U.S. Chamber of Commerce SVP for cyber, intelligence, and security policy Christopher D. Roberti sat down with PCI Security Standards Council SVP and engagement officer for market intelligence and stakeholder engagement Troy Leach to provide guidance and best practices for navigating these online threats. This article was originally published on the PCI Security Standards Council's blog, PCI Perspectives, on January 9.
Online Skimming and Payment Security
Q: What is online skimming? Is that the same thing as the Magecart attack?
Troy Leach: Web-based or online skimming attacks steal payment data information by infecting e-commerce websites with malicious code, known as sniffers or JavaScript (JS) sniffers. They are difficult to detect as once a website is infected, payment card information is “skimmed” during a transaction when the customer enters information from their device without the merchant or consumer being aware that the information has been compromised.
A term sometimes used in the press for this threat is Magecart. Magecart is an umbrella term used by some security researchers to describe several criminal hacking groups who are responsible for various online skimming attacks. The term has also been used to generally identify the type of attack being utilized by the groups. These attacks have been active since 2015 and represent the continuously evolving cyber threat behind several high-profile attacks against international organizations.
Q: So how exactly do these attacks work?
Troy Leach: Without the proper controls in place, these attacks can be very difficult to detect. That is what makes them so dangerous. Threat actors use various methods, all in an attempt to gain access and inject malicious code. These injections are made either directly into e-commerce websites or, often, into third-party software libraries that merchants rely upon. Payment service providers may not be aware of the risk they create for their customers if they are not focused on security and the potential threats targeting them.
Once compromised, these third-party services are used by attackers to inject malicious JavaScript into the target websites. Because these third-party functions are typically used by multiple e-commerce sites, the compromise of one of these functions can allow an attacker to compromise many websites at the same time through mass distribution of the malicious JavaScript.
The code is often triggered when a victim submits their payment information during checkout. Different threat actors gather different details, including billing address, name, email, phone number, credit card details, username, and password. The malicious code logs the payment data either locally on the compromised website or remotely to a computer controlled by the threat actors.
Q: What businesses are at risk of this devious attack? Should small merchants care about this?
Christopher D. Roberti: Yes, any e-commerce implementation that does not have effective security controls in place is potentially vulnerable. Small merchants are no exception and might even be more at risk because they do not have large IT departments or budgets to monitor for such threats. Many small merchants rely on payment security third parties, some of whom have been demonstrated to be susceptible to this attack.
According to the 2019 Verizon Data Breach Report 43% of cyber-attacks target small businesses. In fact, the Verizon report shows that cyber attacks on small businesses represent the largest share of all the attacks in the report. One reason for this is a lack of data security resources and knowledge. Cybercriminals are aware of this fact and that is why they are targeting small businesses in higher numbers.
Q: What are some prevention best practices to stop this attack from happening in the first place?
Troy Leach: The best protection to mitigate against these attacks is to adopt a layered defense that includes patching operating systems and software with the latest security updates. Some recommendations to prevent these types of attacks include:
- Verify vendors enforce security best practices
- Apply security patches for all software
- Restrict access to only what is absolutely needed and deny all other access by default
- Use strong authentication for all access to system components
- Implement malware protection and keep up to date
Q: What are some ways small merchants can learn more about cyber security in general and the threats they face?
Christopher D. Roberti: Cybersecurity is an important priority for the U.S. Chamber of Commerce – the world’s largest business organization representing the interests of more than 3 million businesses of all sizes, sectors, and regions. Our members range from mom-and-pop shops and local chambers to leading industry associations and large corporations.
The Chamber of Commerce hosts several high-profile cybersecurity summits throughout the year and we offer resources on our webpage aimed at helping small merchants better understand cybersecurity and the threats they face. Our Internet Security Essentials for Businesses 2.0 is a popular resource and good starting point for small merchants who want to learn more about these vital challenges.