e-Skimming: FBI Warns of New Online Threat to Personal and Credit Card Information
Never heard of e-skimming until today? It is when threat adversaries compromise an e-commerce web site, whether through a vulnerability in the web server or the e-commerce software, and then introduce malicious code into the checkout process. The code is designed to send both the buyers personal and credit card details to the attackers, which is then later used for fraudulent purchases. What makes e-skimming terrible is users have no way of knowing the web site has been compromised until it is too late:
This new type of skimming is called e-skimming or Magecart.
Cybercriminals[sic] can gain access to your personal and credit card information in a number of ways. They can break into a web server directly or break into a common server that supports many online shopping websites to compromise them all and once a site has been compromised, the shopper can’t spot the difference.
“It’s nearly impossible for a consumer to detect that this has happened to them before the actual occurrence. The site that they would look at, which is already infected, would look no different to a consumer,” Stapleton said.
How do you avoid being the victim of e-skimming? There are a few important things to do:
- Utilize reputed web sites for online purchases, such as the Amazon's and Rakuten's of the world, to name a couple examples.
- Use a credit card, not debit card, when shopping online. Credit cards generally have fraud protection whereas debit cards do not. A bank account can be drained quite rapidly through debit card loss, and in most cases the funds are not replaceable. Contrast that with a credit card which has safety mechanisms built-in.
- Use a specific credit card only for online purchases, and one with a very low credit limit. This can restrict the amount of damage an attacker can do with a stolen card.
- Check credit card and bank account balances often. If either have applications with push notifications, ensure those are configured to alert on large purchase and failed transactions.
At the end of the day this is all about paying attention to detail and limiting risk by taking some specific actions. Catching e-skimming is nearly impossible as a customer, which is why the above is exceedingly important.