PCI SSC warns organisations about growing threat of online skimming

Organisations that accept online payments must urgently address the threat of web-based skimming, the PCI SSC (Payment Card Industry Security Standards Council) has warned.

The alert, issued in partnership with the Retail & Hospitality ISAC (Information Sharing and Analysis Centre, https://rhisac.org/), highlights a recent increase in malware attacks targeting e-commerce websites to gain payment card data.

There’s a good chance that organisations and individuals have been compromised and aren’t yet aware, because the attacks are designed to draw as little attention to themselves as possible.

How does online skimming work?

Online skimming is a variation of a criminal tactic used to gain access to payment card information. Until recently, it was more commonly associated with physical fraud, in which criminals use a device (‘skimmer’) that interacts with a victim’s payment card.

One of the most common skimming methods is to place a duplicate card reader on top of an ATM’s payment card slot. Criminals can then siphon off card details as the card enters the machine.

This reader will typically be paired with a pinhole camera or duplicate keypad placed over the machine so that the fraudsters can log the customer’s PIN.

Online skimming works in much the same way, except the ATM is replaced by an online payment form and the physical skimming device is replaced by malicious code.

Magecart is the umbrella term for a loose set of criminal groups that exploit vulnerabilities in e-commerce sites, mostly targeting Magento-based online stores and content management systems. A number of recent data breaches, such as those at Ticketmaster and British Airways, were believed to be part of such card-skimming operations.

Skimming malware such as JS Sniffer and Magecart also targets web hosting companies and third-party development firms that write code for e-commerce businesses. Once inside that code, the attackers can modify it and so infect every other website served from the same environment, along with those sites’ users.

This malware is known to extract payment card details from shopping baskets and forms. When customers enter their payment card details, the malware ‘skims’ the information. The transaction continues as normal and neither the organisation nor the customer notices anything is amiss.

The only way to tell is if the organisation performs a thorough assessment of its security practices or the customer notices fraudulent payments coming out of their account. And by then, it is too late.

How are organisations infected?

There are many ways that an organisation’s website can be infected. The PCI SSC and the Retail & Hospitality ISAC highlight the threat of:

  • Plugin vulnerabilities;
  • Brute-force login attempts (aka credential stuffing);
  • Phishing scams and other social engineering techniques; and
  • Attacks targeting third-party applications, such as advertising scripts, live chat functions and customer rating features.

Any organisation that takes online payments is at risk, and those that are infected are often targeted again within days. They should therefore take extra care to clean affected systems and address any underlying vulnerabilities to prevent reinfection.

How to detect online skimming

The PCI DSS (Payment Card Industry Data Security Standard) outlines everything organisations need to detect online skimming. They should focus on:

  • Reviewing code in order to identify vulnerabilities;
  • Using vulnerability assessment tools to test web applications for vulnerabilities;
  • Audit logging and reviewing logs and security events for all system components to identify suspicious activity;
  • Running file-integrity monitoring or change-detection software;
  • Performing internal and external network vulnerability scans; and
  • Performing penetration tests to identify security weaknesses.
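Of the controls above, file-integrity monitoring and change detection are the ones aimed most directly at an injected skimmer: the attack leaves behind a modified first-party script or a new script tag pointing at a host the site never used. The script below is an added example, not code from the PCI SSC, the RH-ISAC or this article. It baselines SHA-256 hashes of a site’s served assets, reports anything modified, added or removed, and parses the checkout page to flag `<script src>` values whose host is not on an allowlist. All file contents, hostnames and the allowlist are constructed for the example.

```python
"""Change detection for checkout-page assets.

Added example (not from the PCI SSC / RH-ISAC alert or the article). It
approximates two of the PCI DSS controls the article lists:
  1. file-integrity monitoring: hash every served asset and compare with a
     stored baseline, reporting modified, added and removed files;
  2. change detection on the checkout HTML: flag <script src> values whose
     host is not on an allowlist, which catches a newly injected third-party
     script. Inline scripts are counted so a sudden increase is visible too.
All asset contents, hostnames and the allowlist below are constructed.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# --- constructed sample data -------------------------------------------------
BASELINE_ASSETS = {
    "/static/checkout.js": b"function submitOrder(){ /* constructed first-party code */ }",
    "/static/app.css": b".checkout { margin: 0 }",
}
# Same site a day later: checkout.js changed and an unexpected file appeared.
CURRENT_ASSETS = {
    "/static/checkout.js": b"function submitOrder(){ /* constructed first-party code */ }\n/* appended bytes */",
    "/static/app.css": b".checkout { margin: 0 }",
    "/static/vendor.js": b"/* constructed: file not present in the baseline */",
}
ALLOWED_SCRIPT_HOSTS = {"shop.example", "js.payment-provider.example"}
CHECKOUT_HTML_BASELINE = """<html><body>
<script src="/static/checkout.js"></script>
<script src="https://js.payment-provider.example/v1.js"></script>
</body></html>"""
# The same page with one extra script tag pointing at a host not on the allowlist.
CHECKOUT_HTML_CURRENT = """<html><body>
<script src="/static/checkout.js"></script>
<script src="https://js.payment-provider.example/v1.js"></script>
<script src="https://cdn.unknown-host.example/t.js"></script>
<script>window.__analytics = 1;</script>
</body></html>"""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(assets: dict) -> dict:
    """Map each asset path to the SHA-256 of its content; store this read-only."""
    return {path: sha256_hex(content) for path, content in assets.items()}


def compare_to_baseline(baseline: dict, current: dict) -> dict:
    """Report which paths changed, appeared or disappeared since the baseline."""
    return {
        "modified": sorted(p for p, c in current.items()
                           if p in baseline and sha256_hex(c) != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


class ScriptSourceCollector(HTMLParser):
    """Collect <script src> values and count inline <script> blocks."""

    def __init__(self) -> None:
        super().__init__()
        self.sources: list = []
        self.inline_count = 0

    def handle_starttag(self, tag, attrs) -> None:
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.sources.append(src)
        else:
            self.inline_count += 1


def unexpected_script_sources(html: str, allowed_hosts: set) -> list:
    """Return script URLs whose host is absent from the allowlist.

    Relative URLs have no host: they are first-party files and are covered by
    the hash comparison instead. Scheme-relative '//host/x.js' is handled
    because urlparse places the host in netloc.
    """
    collector = ScriptSourceCollector()
    collector.feed(html)
    flagged = []
    for src in collector.sources:
        host = urlparse(src).netloc.lower()
        if host and host not in allowed_hosts:
            flagged.append(src)
    return flagged


def inline_script_count(html: str) -> int:
    collector = ScriptSourceCollector()
    collector.feed(html)
    return collector.inline_count


def run_checks() -> dict:
    """Run both checks against the constructed 'current' snapshot."""
    baseline = build_baseline(BASELINE_ASSETS)
    return {
        "files": compare_to_baseline(baseline, CURRENT_ASSETS),
        "unexpected_scripts": unexpected_script_sources(CHECKOUT_HTML_CURRENT, ALLOWED_SCRIPT_HOSTS),
        "inline_scripts": (inline_script_count(CHECKOUT_HTML_BASELINE),
                           inline_script_count(CHECKOUT_HTML_CURRENT)),
    }


if __name__ == "__main__":
    for name, finding in run_checks().items():
        print(f"{name}: {finding}")
```

Run on a schedule against the deployed files and the rendered checkout HTML, with the baseline stored where the web server cannot write to it. A modified first-party script or a script source on an unknown host is the change a skimmer injection produces, and either finding should feed the log review and incident response the alert describes. Subresource Integrity attributes on the allowed third-party scripts complement this check by making the browser refuse a script whose content has changed.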

Organisations should also take this opportunity to review which third-party services they use.

It’s not good enough to say you weren’t to blame for a breach because the vulnerability occurred at a service provider. Organisations are responsible for who they work with, so they must only use services from providers they trust.

Protect yourself from online skimming

As a CREST-accredited provider of security testing, and a certified PCI QSA (Qualified Security Assessor) company, IT Governance can help with all your PCI DSS compliance needs.

Find out more about our cyber security and security testing products and services.