eSkimming Is Back, And Fraud Fighters Are Onto It
The classics never get old, and that includes cybertheft oldies like eSkimming.
Warnings of ATM card skimming were commonplace until fairly recently, when multi-factor authentication (MFA) and other fraud defeaters slowly pushed it out of the picture. Now it’s back, riding an odious COVID-era whirlwind of fraud types new and old.
“Even eTailers that carefully monitor their platforms for suspicious activity may struggle to detect eSkimming, as fraudsters can conduct these attacks without compromising merchants’ back-end systems,” noted the Next-Gen Debit Tracker®, done in collaboration with PULSE, a Discover company. “Cybercriminals might instead infiltrate the third-party software that merchants’ websites use, such as shopping cart widgets.”
It’s a risky time for business, granted, but commerce makes its own luck at times like this, and new solutions to problems of any age are making transactions safer – particularly for thousands of new, digital-first SMBs, and others who don’t yet know the ropes and need an able assist.
Staying a Step Ahead of Cybercrooks
It seems strange somehow, but as the new Tracker observes, “eSkimming is emerging as an especially serious threat, and one such attack reportedly compromised 2,000 eCommerce sites in September. The websites involved in the incident were using an Adobe-owned software product that the company stopped supporting in late June. This appears to have created a vulnerability that hackers exploited, and the resulting eSkimming could have affected tens of thousands of consumers.”
That’s not great, as shoppers are shifting digital in droves, with one recent study finding that over a quarter of customers will use cash less than they did before COVID. “Many consumers are turning to card payments instead, linking them to mobile wallets or swiping or tapping them at the point of sale (POS). Fifty-five percent of respondents said they expect to use contactless cards more often both during the pandemic and after it recedes,” per the Tracker.
Better defenses are needed even among brand and retail legends like Puma and Macy’s.
“Fraudsters launch eSkimming attacks by inserting malicious software code into merchants’ online platforms, allowing them to copy customers’ payment details during checkout. One such attack against Macy’s in 2019 occurred when fraudsters inserted malicious scripts into the retailer’s checkout and ‘My Wallet’ pages, where customers’ payment credentials were stored. Fraudsters who obtain these details can either use them for their own ends or sell them on the dark web, where they can receive up to $45 for a single debit or credit card credential, such as a CVV code,” the Tracker states.
Taming Trojan Horses and Variable Fraud Tactics
Partners and third-party pair-ups are a double-edged sword for merchants, as collaborations help merchants and eCommerce brands with the eSkimming issue and its vicious cousins like card-not-present and digital ID fraud, but can also create vulnerabilities.
It requires superhuman powers, which platform partners are supplying in the form of artificial intelligence (AI) and machine learning (ML) that “know” what to look for.
“Merchants can better safeguard their systems from eSkimming attacks by more thoroughly vetting third parties and limiting the information to which they have access,” per the latest Next-Gen Debit Tracker®. “Retailers should also direct their IT teams to regularly review and update any third-party code being used, and businesses may find it helpful to avoid using such scripts for functions that involve handling sensitive customer payments data. These precautions can ensure that fraudsters would be unable to steal this information even if they compromise third parties’ platforms.”