Don’t Skim This: A Brief Introduction to Website Skimming
What is “Skimming”?
The term “skimming”, in relation to finances, originally referred to reporting lower invoice totals than were actually collected. This allowed a white-collar criminal to “skim” money “off the top” of an invoice by pocketing the difference between what was collected and what was invoiced. This was easier to execute in the paper-invoicing world; once invoicing, product pricing and inventory became digital, the totals became much harder to manipulate.
Since then, however, “skimming” has come to mean stealing or reading payment information as it is being entered or swiped during a purchase or transaction. A well-known example is a payment skimmer on an ATM or gas pump. These skimmers exist in the physical world, where touch or sight can help identify something abnormal.
Skimming Evolution
What’s next for skimming? As more and more transactions are completed online, “skimming”, or “eSkimming”, now refers to reading and stealing payment information as it is entered on a website’s checkout page. These eSkimming attacks are almost impossible to detect from either a consumer or a business perspective. The attack mimics the existing website’s look and feel by overlaying a transparent input field on top of the real one. From the consumer’s point of view, nothing about the page or the way they interact with it is different; the information typed into the field behaves as normal. From the business perspective, the code that creates this mimicked field is hidden and sometimes emulates existing code on the website, making detection difficult and remediation complicated.
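The overlay technique described above gives a site owner something concrete to look for in page-integrity monitoring. The check below is an added example (my code, not the post’s or Source Defense’s): it takes input-element records of the kind a browser-side collector would gather with `getComputedStyle` and `getBoundingClientRect` (the record shape, field names and thresholds are assumptions) and flags near-transparent inputs whose box covers a payment field.

```javascript
// Added example: flag near-transparent inputs layered over payment fields.
// Element records mimic what a browser-side collector would gather from
// document.querySelectorAll('input'), getComputedStyle() and
// getBoundingClientRect(); the record shape is an assumption of this example.

// Names/autocomplete tokens that mark a field as carrying card data.
const PAYMENT_FIELD = /card|cvv|cvc|csc|expir|cc-/i;
// Opacity at or below this is treated as invisible to the shopper.
const INVISIBLE_OPACITY = 0.05;

// Axis-aligned rectangle intersection; zero-size boxes never overlap.
function overlaps(a, b) {
  if (a.w <= 0 || a.h <= 0 || b.w <= 0 || b.h <= 0) return false;
  return a.x < b.x + b.w && b.x < a.x + a.w &&
         a.y < b.y + b.h && b.y < a.y + a.h;
}

function isPaymentField(el) {
  return PAYMENT_FIELD.test(`${el.name || ""} ${el.id || ""} ${el.autocomplete || ""}`);
}

// Returns one finding per (overlay, target) pair: an input that is rendered
// (near-)invisible and whose box covers a payment field. Hosted-field widgets
// that intentionally hide a native input would need an allow-list here.
function findOverlayInputs(elements) {
  const findings = [];
  const targets = elements.filter(isPaymentField);
  for (const el of elements) {
    if (el.opacity > INVISIBLE_OPACITY) continue;
    for (const target of targets) {
      if (target === el) continue;
      if (overlaps(el.rect, target.rect)) {
        findings.push({ overlay: el.id, covers: target.id, form: el.form });
      }
    }
  }
  return findings;
}

// Constructed sample page state (not captured from any real site).
const SAMPLE_ELEMENTS = [
  { id: "card-number", name: "cardNumber", autocomplete: "cc-number", form: "checkout", opacity: 1, rect: { x: 100, y: 300, w: 300, h: 40 } },
  { id: "card-cvc", name: "cvc", autocomplete: "cc-csc", form: "checkout", opacity: 1, rect: { x: 100, y: 360, w: 100, h: 40 } },
  // Injected, fully transparent field positioned exactly over the real card-number input.
  { id: "x1", name: "q", form: "f2", opacity: 0, rect: { x: 100, y: 300, w: 300, h: 40 } },
  // Ordinary visible site-search box elsewhere on the page.
  { id: "search", name: "q", form: "site-search", opacity: 1, rect: { x: 900, y: 20, w: 200, h: 30 } },
];

console.log(findOverlayInputs(SAMPLE_ELEMENTS));
```

A real deployment would run the collector on the checkout page at intervals, since injected fields often appear only after the legitimate form has rendered.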
These attacks, also known as Magecart, show no signs of slowing down. As more and more websites offer online purchasing, the temptation for cybercriminals to exploit this technique rises.
How common is it?
An article on CNBC has a great bit of information from Herb Stapleton, section chief for the FBI’s cyber division. In it he says, “It’s hard to put really — definite numbers around it. But one thing we know for sure is that millions of credit card numbers have been stolen, even over the course of the past two years.”
Millions of credit card numbers. Millions. It’s possible we all know someone who has been the victim of credit card fraud. Unauthorized purchases made using stolen credit card information are common, so common that many popular credit card companies have begun to advertise their consumer fraud protection policies.
What can be done about it?
As a consumer making purchases online, your best route is to use the one-time credit card numbers provided by your credit card company. Depending on your provider, these numbers are good for one purchase only or are time-gated to work only for a set amount of time. These numbers should be used on ANY site that is collecting your credit card information.
As a website owner offering online purchases, your best route is to prevent these skimming attacks from being successful. The old ways of “detect and respond” simply do not protect your visitors from fraud and the hassle that comes with it. A solution which offers real-time prevention of these skimming attacks allows your visitors to shop on your site worry-free.
The only real-time prevention solution for eSkimming and Magecart attacks is Source Defense’s patented and purpose-built Client-Side Website Security Platform. If you’d like more information on how your website stacks up against this risk, please request a free website risk report from Source Defense here: Source Defense Website Risk Report
*** This is a Security Bloggers Network syndicated blog from Blog – Source Defense authored by Randy Paszek. Read the original post at: https://sourcedefense.com/resources/blog/dont-skim-this-a-brief-introduction-to-website-skimming/