Posted in Security

Criminals have discovered a way to skim credit card data from online stores

The annual hyperactive shopping season starts from Black Friday in late November and will continue to early January. News of hacked online stores that leak customers’ credit card and personal data to criminals are not welcomed by e-commerce merchants just now. Unfortunately, that’s exactly what is going on. Here is what you should know if you are planning to shop online.

What happened

The latest victim for virtual card skimming is department store Macy’s online shop in the US. Macy’s hasn’t published information about the incident, but has informed officials. Security Week found reports that describe how for one week in October 2019, criminals were able to steal payment card and personal data of customers who shopped at Macy’s online store.

The overall idea for the skimming operation has been borrowed from credit card skimming machines that sometimes are discovered, for instance, at petrol stations and ATMs.

The biggest difference between a real world card skimmer and an online store card skimmer is that there is no way for a shopper to detect the virtual card skimmer. It is hidden in the program code that runs on the store’s servers and it is not visible to customers at all.

online credit card skimming chart, Trend Micro
Chart by Trend Micro.

This is how online card skimming works

Security experts believe that Macy’s is a victim of Magecart, also known as Fin6, type of attack. Trend Micro discovered in early October 2019 that more than 3000 online stores were victims of this card skimming attack already then.

The large number of successful infiltrations results from a successful attack into Volusion’s network. Volusion is an enterprise that processes payment card data for thousands of stores. For criminals, it was the prime target.

Volusion spokesperson stated after the leak was discovered:

“Volusion was alerted of a data security incident and can confirm that it was resolved within a few hours of notification. A limited portion of customer information was compromised from a subset of our merchants. This included credit card information, but not other associated personally identifying details. We are not aware of any fraudulent activity connected to this matter.”

Here is how criminals did it. Hackers managed to insert a piece of their own software code into the system that processes card payments. Because Volusion provides payment processing as a service to multiple online stores, the software code for the service must be shared. This shared code was stored on Google Storage cloud service. Experts believe that’s where the hackers managed to crack in and insert their own code into the payment system.

When a normal payment processing transaction is ongoing, criminals’ code is executed with it, and customer data is copied to criminals’ servers in parallel.

Technically, it is a brilliant scheme. Customers can not detect it, and the stores are highly unlikely to detect it. Only a suspicion of an unknown web site address that was a destination for traffic from the payment system raised a red flag that led to the discovery of the scheme.

hacked countries by payment card skimming. by Trend Micro
 Countries where online shoppers accessed the card skimmer hidden in payment processor’s system. Chart by Trend Micro. 

What can ordinary online shoppers do to protect themselves from virtual card skimming?

The old wisdom was to shop at reputable e-commerce stores only that manage credit cards and personal data well. It doesn’t apply anymore.

Someone stealing your payment card and someone stealing your personal data are two different things. A payment card can be canceled and possible damages negotiated with a credit card company or bank (although I am pessimistic about the outcome because a customer has willingly given the card data to a third party). Anyhow, damages can be limited when the card is canceled.

Some believe that always using a credit card is the best option, whereas others believe a payment card linked to an account with low balance (and without any kind of credit) limits potential losses effectively. I tend to choose the latter option.

Losing personal data can actually be worse in the long run. If criminals get both the card and personal data, they can proceed to other crimes.

There are techniques to detect if any piece of software has changed in an IT system. That’s something online stores and their service providers should consider.

One thought on “Criminals have discovered a way to skim credit card data from online stores

Leave a Reply

Your email address will not be published. Required fields are marked *