How to protect yourself from e-skimmers

The holiday shopping season is prime time for bad guys, and phishing emails, Black Friday and Cyber Monday scams, and identity theft are recurring threats year after year. Unfortunately, this year has the potential to be even worse than usual, since COVID-19 will force so many people to do their gift buying online. 

E-skimmers are an increasingly common cyberthreat that everyone should be aware of, as these malicious tools can be used to steal credit card details and more. In this short article, we’ll explain what e-skimmers are, and we’ll give you some ways to keep yourself safe from them when you’re shopping online. 

What are e-skimmers?

E-skimmers (also called web skimmers) are similar to the physical credit card skimmers that criminals use to steal credit card details at gas pumps and ATMs. Physical card skimmers are basically data harvesting devices designed to mimic ordinary card readers. If an unlucky consumer swipes their credit card through one of them, the skimmer will capture the sensitive data stored on the card’s magnetic stripe, which criminals can then use to perpetrate financial fraud.

Like their physical counterparts, e-skimmers are implanted at a point of sale in order to steal credit card details — but digitally, not physically: they are embedded in the code of the checkout pages of e-commerce websites. E-skimmers usually rely on malicious JavaScript code that can capture credit card numbers and other sensitive details entered into a website’s form fields at checkout; this information is then transmitted back to the bad guys.

To be clear: the malicious e-skimmer code resides on the webpage of the company’s own website, and therefore does not require any compromise of the victim’s computer in order to work! Unfortunately, this means that you can do everything right from a cybersecurity standpoint, and yet still fall victim to an e-skimmer attack if the website you’re shopping on has been compromised.

How do websites get e-skimmers?

There are a couple of different ways that websites are infected with e-skimmers. 

The most straightforward infection method occurs when an attacker manages to hack a company’s website. Once they have this kind of backdoor access to an e-commerce site, cybercriminals can simply place the malicious code directly on the checkout page themselves. 

Websites can also be compromised at scale through automated attacks that exploit unpatched vulnerabilities in e-commerce software. As recently as September 2020, thousands of websites running on an older, unsupported version of the Magento e-commerce platform were infected with e-skimmer code when hackers found a way to exploit a vulnerability in the outdated software.

Hacking websites isn’t always that simple, so there is also a less direct method of infection: so-called “supply chain” attacks. In supply chain attacks, the bad guys try to hack a third-party software component that is used by many different websites, since this is often easier to do than attacking a big, well-secured site directly. Last year, for example, a digital advertising company in France was compromised in this way, resulting in e-skimmer infections on multiple websites that hosted their ad code. The websites themselves were secure (sort of), but the ad network that they allowed to load code onto their sites had been compromised, and this resulted in the theft of their customers’ credit card details.

How to avoid e-skimmers

Responsibility for protecting the public from e-skimmers truly belongs to the companies that operate e-commerce sites, and they should be making every effort to ensure that their websites (as well as any third-party components that they use) are completely secure. 

But are there any precautions that an individual user can take? Absolutely! Here are 3 simple things you can do this holiday shopping season to keep yourself safe:

1. 1

   Don’t enter card details on small sites

   Large, well-established online vendors usually have robust security precautions in place, and this makes it much harder for cybercriminals to infect their sites with e-skimmer code. We’re not saying that you should avoid smaller sellers altogether — by all means, support the little guy! Just try to avoid using your credit card when you shop on those small e-commerce platforms. Instead, use a secure payment method (discussed below) or consider asking indie vendors if you can pay them directly using a service like Venmo.

2. 2

   Use secure payment services if possible

   You may want to avoid directly entering credit card data on all websites if you can, not just the little ones. Using a digital wallet service like Apple Pay or Google Pay is generally much safer than directly entering card data on e-commerce sites, because these services are extremely secure, and because they don’t share your credit card details with the merchants. Another reasonable option is to look for websites that use a reputable payment gateway service that will securely process guest payments. PayPal, for example, allows you to enter your credit card information on their domain for processing (in other words, you aren’t entering your card details on the site of the business you’re buying from, but on PayPal’s own site). This allows you to pay online without sharing your financial information with the merchant, and without having to enter your details on a potentially compromised domain.

3. 3

   Use one card (and watch it carefully)

   If you really need to pay for some things online with a credit card, that’s OK — credit card companies usually have anti-fraud systems in place to help flag irregular activity, and they generally make it easier to dispute fraudulent charges if it comes to that. If you do shop online with a credit card, keep close watch over your account for signs of unusual activity, and call the card company immediately if you spot any suspicious charges. Some experts also suggest using a single credit card to do all of your online shopping, as this makes it easier to keep track of things, and also minimizes your potential exposure to bad actors.

If you take these steps, you’ll go a long way to protecting yourself from e-skimmer threats during the upcoming shopping season. You may also want to read through these additional cybersecurity shopping tips (including recommendations for gifts to avoid), or take some time to learn more about the privacy issues around web browser shopping extensions.