How to prevent digital skimmer attacks threatening e-commerce
by Monica Eaton-Cardone, Chief Information Officer, Global Risk Technologies
As e-commerce expands, so does the threat from credit card skimming. In recent months, a malicious code known as Magecart has been responsible for exposing hundreds of thousands of credit card accounts to hackers. The threat extends to all websites that accept credit card payments, including point-of-sale kiosks.
Magecart isn't a person or group, but a seemingly-decentralized global campaign to commit fraud. The one thing all the attacks have in common is the mage.js script, from which it takes its name.
A recent Ticketmaster U.K. hack — an attack that may have exposed up to 5 percent of Ticketmaster's global userbase to digital skimmers — was also a Magecart incident. But how do these criminals manage to do so much damage with a simple script? Even more important than that: how can businesses protect themselves from becoming the next victim?
How it works
The script essentially works like a card skimmer installed on a physical card terminal. By injecting the malicious script, hackers can steal payment information in real time during checkout. The information is then relayed over to a collection server run by the criminal.
Once the perpetrator has the cardholder's data, they can use that information to make fraudulent purchases online. They can also bundle multiple cardholders' information and sell it on a black market to other fraudsters.
The breaches aren't especially hard to stop once identified. However, they take a long time to detect because the hackers aren't usually attacking the merchant directly. Instead, they usually attack the systems belonging to a third party that works with the merchant.
This backdoor tactic lets the fraudster quietly steal data for months without being noticed; as a result, it takes an average of one year to identify a large data breach. Even if a merchant is up-to-date with PCI compliance standards and antifraud best practices, they can still be targeted.
E-commerce: The path of least resistance
Part of the problem is that more and more of the fraud burden is shifting from the card-present to card-not-present environment. That trend had been in place for years, but it accelerated rapidly after the EMV liability shift in October 2015. Now, fraudsters see the e-commerce environment as the "path of least resistance," and focus their energy on attacking e-commerce sellers.
The Magecart script has been found in more than 800 different sites already, and there could be hundreds or thousands more sites out there waiting to be identified. Even though none of these merchants are necessarily responsible for the attacks, they will most likely get the blame.
Equifax, Target, Sony: most high-profile data breaches are associated with the consumer-facing business involved. And, even after a hack is identified and resolved, there is a lasting stigma associated with the brand.
The IBM study sourced above identified the average cost per data breach as $3.86 million. Of course, that only counts the initial, direct costs of the breach. The PR damage from a major attack could be exponentially greater than the direct losses and can last for years after the fact.
Defending against attacks
Online merchants can't afford to take a passive approach to this threat. The best chance they have of protecting their business is to be proactive. Some risk-mitigating practices and behaviors I recommend include:
- Data encryption: Encrypted data is unreadable without the key, making it useless to hackers.
- Risk assessment: Regular scans for vulnerabilities can identify risk sources.
- Fraud indicators: Perform regular scans of all systems and identify signs of a potential breach.
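The "regular scans" above can be made concrete for the injection pattern described earlier: a skimmer arrives as an extra script on the checkout page, often loaded from a host the merchant never approved. The following scanner is an added example, not code from the article or its author; it parses a constructed checkout page, flags script sources whose host is outside a constructed allowlist, and reports any source that was not present in a previous scan's baseline.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: hosts the merchant has approved to serve script on the
# checkout page. Relative (same-origin) script paths are always treated as approved.
APPROVED_SCRIPT_HOSTS = {"cdn.example"}

# Constructed snapshot of a checkout page. The third <script> is the kind of change
# a skimmer injection produces: a loader pulled from a host nobody approved.
SAMPLE_CHECKOUT_HTML = """
<html><body>
<form id="checkout"><input name="card_number"><input name="cvv"></form>
<script src="/static/checkout.js"></script>
<script src="https://cdn.example/lib/payments.js"></script>
<script src="//static.widget-host.example/loader.js"></script>
<script>window.dataLayer = [];</script>
</body></html>
"""

class ScriptCollector(HTMLParser):
    """Collect the src of every external <script> and the body of every inline one."""
    def __init__(self):
        super().__init__()
        self.external, self.inline = [], []
        self._buf = None  # list while inside an inline <script>, otherwise None

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf).strip())
            self._buf = None

def scan_checkout_page(html, approved=APPROVED_SCRIPT_HOSTS, baseline=frozenset()):
    """Return (unapproved_srcs, srcs_new_since_baseline, inline_script_count)."""
    parser = ScriptCollector()
    parser.feed(html)
    hosts = {s: urlparse(s).hostname for s in parser.external}
    unapproved = [s for s, h in hosts.items() if h and h not in approved]
    new = [s for s in parser.external if s not in baseline]
    return unapproved, new, len(parser.inline)
```

Inline scripts are only counted here; a change in that count between scans is a signal to diff the page by hand, since an injected skimmer can also be pasted inline rather than loaded from a third-party host.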
Of course, no single tool or strategy can protect profits and revenue on its own. For example, roughly 52 percent of all data breaches can be chalked up to human error or system glitches. Then add the fact that a data breach is just one of countless threats facing merchants in a dynamic marketplace. That's why sellers need a much broader, more comprehensive approach if they hope to fight revenue loss successfully.
Each tool in a merchant's arsenal can address certain threats. When you leverage multiple complementary tools, though, you have broader coverage.
I'm talking about a multilayer approach to fraud prevention and risk mitigation. For example, data encryption can help by limiting the scope of a data breach, but it can't do anything about account takeover fraud or post-transactional threats like cyber shoplifting. Only by combining encryption with two-factor customer verification, geolocation and other tools can merchants really start to see true fraud protection.
Merchants who fail to respond to data vulnerabilities and new threats like the Magecart script are leaving themselves open to being victimized. But those who focus only on data security and forget about other threat protections are just as vulnerable.
Monica Eaton-Cardone is an entrepreneur with expertise in technology, e-commerce, risk relativity and payment processing. She is COO of Chargebacks 911, and CIO of its parent company, Global Risk Technologies.