What is Digital Skimming?
Digital skimming—also known as e-skimming or online card skimming—occurs when cybercriminals steal credit card information or payment card data from visitors to your online store. Attackers use malicious code injections to skim payment data from input fields on existing payment forms or hijack unsuspecting users to fake checkout pages. Once cybercriminals collect the payment data, they are free to go shopping on the user’s dime or resell the card information on the dark web for use in future carding attacks.
How Do Digital Skimming Attacks Happen?
Why Are Digital Skimming Attacks Hard to Detect?
To evade detection, digital skimmers use obfuscation techniques to hide the skimmer code and geofence the skimmer so that it only runs for visitors from a targeted country or region. The injected code waits for users to fill out forms with their credit card numbers or other customer data. The information is then transmitted directly from the user’s browser or device to a site controlled by the attacker, without ever passing through the merchant’s servers.
Website operators often lack visibility into what happens inside their users’ browsers when their client-side code is changed. And because skimmers usually do not change the functionality of the site, users frequently remain unaware that their data is being stolen. It is common for digital skimming attacks to go undetected for quite some time.
How Do Magecart Attacks Relate to Digital Skimming?
Magecart is a style of digital skimming attack that centers on e-commerce. The name “Magecart” originally referred to hacker groups that targeted e-commerce sites on the Magento platform, though Magecart attacks have spread far beyond Magento since then. Magecart hackers inject a skimmer into checkout pages or modify paths to checkout pages to skim sensitive information.
What is the Business Impact of Digital Skimming?
Digital skimming can severely damage reputation and consumer trust. Users often stop engaging with a business that exposes their sensitive data to bad actors, and prospective consumers may see bad press and choose to shop elsewhere. In fact, 56% of consumers say they won’t shop on a site that compromised their data. Reputation damage can negatively impact revenue, stock value, and growth.
Furthermore, digital skimming can open your business to regulatory fines. Many countries and states have passed data privacy legislation — including the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) — which impose fines on businesses that fail to protect user data.
How Are Companies Fighting Digital Skimming Attacks?
Traditional cybersecurity solutions like web application firewalls (WAFs) are not enough to protect the client side against digital skimming attacks. Some companies are placing their bets on static scanning of their site, not accounting for the dynamic, obfuscated nature of skimmer code. Solutions like sandboxing create significant hurdles in the website development process and break continuous integration/continuous deployment (CI/CD) cycles.
A content security policy (CSP) is also the first resort for many web application security professionals. CSP was originally designed to protect against cross-site scripting (XSS), and on its own it offers no protection when a skimmer is injected through a domain the policy already trusts, such as a compromised third-party script host. Furthermore, CSPs are difficult to manage because they require a lot of tuning.
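As an added example (not code from the original page or from HUMAN), the Node script below parses a checkout page's CSP and audits a constructed list of outbound request destinations against it: a request to an allowed-but-unexpected domain passes the policy, which is exactly the trusted-domain gap described above. All host names are placeholders.

```javascript
// Added example (not from the original page). Host names are constructed placeholders.

// Parse a Content-Security-Policy header into { directive: [sources] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [directive, ...sources] = tokens;
    policy[directive.toLowerCase()] = sources;
  }
  return policy;
}

// Does one CSP source expression ('self', *, https:, host, *.host) match a URL?
// Ports and paths in source expressions are ignored to keep the matcher short.
function sourceMatches(source, url, pageOrigin) {
  const { protocol, hostname, origin } = new URL(url);
  if (source === "'self'") return origin === pageOrigin;
  if (source === '*') return true;
  if (source === 'https:') return protocol === 'https:';
  const host = source.replace(/^[a-z]+:\/\//i, '').split('/')[0];
  if (host.startsWith('*.')) return hostname.endsWith(host.slice(1));
  return hostname === host;
}

// For each request seen during checkout: is it permitted by connect-src (or
// default-src as fallback), and is the destination a known payment endpoint?
// "suspicious" is the case a CSP cannot catch: allowed, but not a payment host.
function auditCheckoutRequests(cspHeader, pageOrigin, requests, knownPaymentHosts) {
  const policy = parseCsp(cspHeader);
  const connectSources = policy['connect-src'] || policy['default-src'] || ['*'];
  return requests.map((url) => {
    const allowedByCsp = connectSources.some((s) => sourceMatches(s, url, pageOrigin));
    const known = knownPaymentHosts.includes(new URL(url).hostname);
    let verdict = 'expected';
    if (!allowedByCsp) verdict = 'blocked-by-csp';
    else if (!known) verdict = 'suspicious: allowed by CSP but not a known payment endpoint';
    return { url, allowedByCsp, verdict };
  });
}

// Constructed sample: a checkout page, its CSP, and three observed destinations.
const CSP = "default-src 'self'; script-src 'self' https://cdn.example; connect-src 'self' https://api.payments.example https://cdn.example";
const PAGE_ORIGIN = 'https://shop.example';
const OBSERVED = [
  'https://api.payments.example/tokenize',  // legitimate payment call
  'https://cdn.example/collect?c=4111',     // trusted script CDN used for exfiltration
  'https://unlisted-host.example/x',        // not in connect-src: CSP blocks or reports it
];
const REPORT = auditCheckoutRequests(CSP, PAGE_ORIGIN, OBSERVED, ['api.payments.example']);
console.table(REPORT);
```

Feeding the same check with destinations from CSP violation reports or client-side telemetry turns it into a simple detection for exfiltration through an already-trusted domain.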
Stop Digital Skimming with HUMAN
By leveraging real-time, behavior-based analysis and machine learning models, Compliance and Supply Chain Defense provides full visibility and control over first-, third- and nth-party scripts running on the client-side. The solution detects and mitigates unauthorized PII access, data exfiltration events, and known script vulnerabilities to prevent digital skimming.