2019-11-22 00:00:00


Criminals have discovered a way to skim credit card data from online stores

The annual hyperactive shopping season starts on Black Friday in late November and continues until early January. News of hacked online stores leaking customers' credit card and personal data to criminals is not welcome to e-commerce merchants just now. Unfortunately, that's exactly what is going on. Here is what you should know if you are planning to shop online.

What happened

The latest victim of virtual card skimming is the online shop of the US department store Macy's. Macy's hasn't published information about the incident, but has informed officials. Security Week found reports that describe how, for one week in October 2019, criminals were able to steal the payment card and personal data of customers who shopped at Macy's online store.

The overall idea for the skimming operation has been borrowed from the credit card skimming machines that are sometimes discovered, for instance, at petrol stations and ATMs.

The biggest difference between a real world card skimmer and an online store card skimmer is that there is no way for a shopper to detect the virtual card skimmer. It is hidden in the program code that runs on the store's servers and it is not visible to customers at all.

[Chart: online credit card skimming. Chart by Trend Micro.]

This is how online card skimming works

Security experts believe that Macy's is a victim of a Magecart-type attack (Magecart is also known as Fin6). Trend Micro discovered in early October 2019 that more than 3000 online stores had already been victims of this card skimming attack.

The large number of successful infiltrations results from a successful attack on Volusion's network. Volusion is an enterprise that processes payment card data for thousands of stores. For criminals, it was the prime target.

A Volusion spokesperson stated after the leak was discovered:

“Volusion was alerted of a data security incident and can confirm that it was resolved within a few hours of notification. A limited portion of customer information was compromised from a subset of our merchants. This included credit card information, but not other associated personally identifying details. We are not aware of any fraudulent activity connected to this matter.”

Here is how the criminals did it. Hackers managed to insert a piece of their own software code into the system that processes card payments. Because Volusion provides payment processing as a service to multiple online stores, the software code for the service must be shared. This shared code was stored on the Google Storage cloud service. Experts believe that's where the hackers managed to break in and insert their own code into the payment system.

When a normal payment processing transaction is ongoing, the criminals' code is executed with it, and customer data is copied to the criminals' servers in parallel.

Technically, it is a brilliant scheme. Customers cannot detect it, and the stores are highly unlikely to detect it. Only suspicion about an unknown website address that was a destination for traffic from the payment system raised the red flag that led to the discovery of the scheme.

[Chart: countries where online shoppers accessed the card skimmer hidden in the payment processor's system. Chart by Trend Micro.]

What can ordinary online shoppers do to protect themselves from virtual card skimming?

The old wisdom was to shop only at reputable e-commerce stores that manage credit cards and personal data well. It doesn't apply anymore.

Someone stealing your payment card and someone stealing your personal data are two different things. A payment card can be canceled and possible damages negotiated with a credit card company or bank (although I am pessimistic about the outcome because a customer has willingly given the card data to a third party). Anyhow, damages can be limited when the card is canceled.

Some believe that always using a credit card is the best option, whereas others believe a payment card linked to an account with low balance (and without any kind of credit) limits potential losses effectively. I tend to choose the latter option.

Losing personal data can actually be worse in the long run. If criminals get both the card and personal data, they can proceed to other crimes.

There are techniques to detect if any piece of software has changed in an IT system. That's something online stores and their service providers should consider.
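An added example, not part of the original article or any vendor's code: one way to apply such change detection to a shared payment script is to pin its digest at release time, compare the deployed copy against it, and list any hosts in the script that are not on an allowlist. The script contents, host names and `ALLOWED_HOSTS` are constructed for illustration.

```python
import base64
import hashlib
import re
from urllib.parse import urlparse

# Constructed sample: the known-good shared checkout script (not real store code).
BASELINE_JS = b'''function submitPayment(form) {
  return fetch("https://pay.shop.example/api/charge", {method: "POST", body: new FormData(form)});
}
'''

# Constructed sample: the same script after an unauthorized edit adds a second destination.
TAMPERED_JS = BASELINE_JS + b'fetch("https://cdn-metrics.example.net/collect");\n'

ALLOWED_HOSTS = {"pay.shop.example"}  # assumed: hosts the payment script may contact

URL_RE = re.compile(rb"""https?://[^\s"'<>)]+""")


def sri_digest(content: bytes) -> str:
    """Return the digest in the format used by the HTML integrity attribute."""
    return "sha384-" + base64.b64encode(hashlib.sha384(content).digest()).decode()


def unexpected_hosts(content: bytes, allowed: set[str]) -> list[str]:
    """List hosts of absolute URLs found in the script that are not on the allowlist."""
    hosts = {urlparse(m.decode("utf-8", "replace")).hostname for m in URL_RE.findall(content)}
    return sorted(h for h in hosts if h and h not in allowed)


def check_script(content: bytes, pinned: str, allowed: set[str]) -> dict:
    """Compare a deployed script with its pinned digest and its host allowlist."""
    digest = sri_digest(content)
    return {
        "digest": digest,
        "modified": digest != pinned,
        "unexpected_hosts": unexpected_hosts(content, allowed),
    }


# Recorded at release time and kept somewhere other than the storage that serves the script.
PINNED = sri_digest(BASELINE_JS)

if __name__ == "__main__":
    for name, body in (("baseline", BASELINE_JS), ("tampered", TAMPERED_JS)):
        print(name, check_script(body, PINNED, ALLOWED_HOSTS))
```

The digest comparison is the primary control, since it flags any change to the file; the host scan only sees URLs written as plain strings and will miss encoded or dynamically built addresses.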
