Deep Dive: Responding To The Rising Threat Of eSkimming

Fraudsters have refocused on attacking eCommerce in recent years. Online shopping is becoming more popular among consumers, giving cybercriminals more opportunities to exploit digital channels for their schemes. Many are also finding it less profitable to attack in-person debit and credit card transactions at point of sale (POS) terminals because of the added security measures they deploy. A multitude of bad actors who once sought to skim these card details from ATMs and POS devices are thus shifting their efforts online with eSkimming, in which they attempt to steal consumers’ payment details during digital checkouts. 

Online payments fraud was no small problem in 2019, with 42 percent of consumers reporting at least one instance that year in which bad actors tried to use their payment details. These attacks are ramping up in 2020 as the COVID-19 pandemic has driven more customers online to avoid the risks posed by visiting brick-and-mortar stores. This surge in eCommerce is making digital fraud an even more lucrative prospect for cybercriminals, and the FBI noted a 400 percent rise in reported cyberattacks in April compared to the rates observed before the pandemic. The issue is unlikely to abate, too, with the portion of U.S. consumers who regularly shop online expected to rise from 43 percent this year to 91 percent in 2023. 

A form of digital fraud called eSkimming is especially concerning because merchants often struggle to detect and respond to it, with even major companies like Puma and Macy’s falling victim in recent years. This month’s Deep Dive examines this growing threat, how it works and what merchants can do to defend themselves against it. 

Card Skimming Meets eCommerce

Fraudsters launch eSkimming attacks by inserting malicious software code into merchants’ online platforms, allowing them to copy customers’ payment details during checkout. One such attack against Macy’s in 2019 occurred when fraudsters inserted malicious scripts into the retailer’s checkout and “My Wallet” pages, where customers’ payment credentials were stored. Fraudsters who obtain these details can either use them for their own ends or sell them on the dark web, where they can receive up to $45 for a single debit or credit card credential, such as a CVV code. 

Merchants may struggle to detect eSkimming because it is perpetrated through the ongoing collection of customer details and does not prevent shoppers from completing their purchases. Such schemes may also target systems that are outside retailers’ control, making them hard to notice and enabling fraudsters to attack the various third parties on which businesses rely to power their online retail experiences. 

Detection Challenges

To help their sites run smoothly, eTailers often collaborate with third parties to roll out applications, widgets or other features, and malicious code inserted into even one of these offerings could pose a serious problem. The average website uses 31 third-party integrations, which could make it challenging for retailers to determine which is compromised — assuming they even realize something is wrong. 

Fraudsters’ alterations to third parties’ code are often subtle. Cybercriminals can insert pieces of malicious script with as few as 20 characters into the software code of third-party services such as chatbots or shopping cart applications. Fraudsters can then gain access to systems belonging to every retailer using the third party’s services, granting them a lot of potential power from one attack. Other strategies involve hackers infiltrating companies via improperly secured cloud hosting system accounts or by adding malicious code to merchants’ retail platforms. The sheer variety of eSkimming techniques is likely the reason merchants take an average of 13 days to detect and defuse them. 

Sellers may therefore presume that they are fraud-free because the code they integrate comes from trusted third parties and appears legitimate unless scrutinized on a granular level. Consumers, in turn, assume their eCommerce journeys are safe because they are transacting with well-known retailers and are unaware of the third-party risks.

Battling Fraud

Merchants can better safeguard their systems from eSkimming attacks by more thoroughly vetting third parties and limiting the information to which they have access. Retailers should also direct their IT teams to regularly review and update any third-party code being used, and businesses may find it helpful to avoid using such scripts for functions that involve handling sensitive customer payments data. These precautions can ensure that fraudsters would be unable to steal this information even if they compromise third parties’ platforms. 

Retailers can mitigate the damage and work to restore customers’ trust should these safety measures fail by quickly informing all affected shoppers about the eSkimming attacks. This allows customers to monitor their accounts and deactivate their payment cards. 

Merchants will always face fraud-related challenges regardless of the channels through which they sell, and criminals’ attacks are becoming more sophisticated. Staying ahead of these bad actors means understanding the dangers eSkimming poses and ramping up monitoring efforts so as to continue offering consumers convenient and safe eCommerce options.