Credit card skimming in the online world

December 12, 2019

We are probably all aware of the methods that are being used to skim credit cards at payment terminals. Typically, this kind of hack is done by placing some sort of device over the card slot that captures all data and/or films the people that are using the payment terminal. Although this method of skimming has been known for a long time and card vendors are taking action to prevent it, the method remains popular and is actually on the increase.

In fact, skimming kits are readily available and can be bought at relatively low cost on so called dark marketplaces. The downside of physical skimming is that you need to have access to the terminal when you place the skimming device and when you want to harvest the data. This is why this kind of skimming is particularly popular at unmanned terminals like, for instance, fuel stations.

Converting card data into cash

When a criminal wants to turn the card data into money, he or she can use two options: 1. Sell the data online at a low cost per credit card. 2. Buy a card writer to create cards that can be used to pay for non-traceable goods that can be sold. This effectively launders the money. Gift cards are an example of such non-traceable goods. Gift cards are anonymous and can easily be sold on a legit second hand market place. Luckily this is not completely without risk for the criminal: A criminal could still get caught and recognized on CCTV when purchasing or spending the cards.

Online credit card skimming

Online credit card skimming (the act of skimming a website) is perhaps not as well known by the public. But the fact that it is not very well known, does not mean that it is not possible. In fact, it is very much possible and it is already being used on a large scale across the globe. Skimming websites is potentially far more lucrative because it can give a hacker access to hundreds of thousands of credit card credentials per incident. Also, the person doing the skimming (the hacker) does not need to have physical access to the payment terminal, making it harder to catch the criminal.

That online skimming has become a large scale method for professional hacker networks and that it is becoming more popular, has been proven by companies that do analysis in this field. One of these companies (RiskIQ) has created a historic database of websites that they can use to do perform data analysis. By doing this, they are able to detect changes that have occurred over time on the front ends of these websites. From their analysis, they were able to prove the existence of a group of hackers that started out by solely focusing on Magento implementations. This group is known as the Magecart group. Since then numerous parallel groups have appeared and worryingly, they also broadened their horizons by looking at other platforms. Amongst the incidents that have been found, there are already some very large victims. One of these is British Airways where the transaction data was harvested of about 380.000 transactions in a couple of weeks before being detected.

The supply chain of your website

How is this kind of hack performed? Typically, it is done by adding a small piece of additional Javascript code to a third-party script on the checkout page that asks for the sensitive data. By adding a script on the page, it is executed by the browser. Given the fact that it runs in the page context in the browser, the script has access to all the data that is available in the browser including the data that was entered in the payment form. The script waits for the user to click on the submit button and right before sending off the form it first sends all the data to the hacker’s server that is used to store the data. After secretly storing the data, the form is submitted in the regular way so the user sees nothing out of the ordinary. To the user’s eye, the transaction completes normally.

Most sites use third party scripts and it is not uncommon for a website to include a large number of these scripts because they are helpful in some way or form. This ranges from an external live chat, via analytics and DSP networks to frontend Javascript frameworks that help optimize the UX. Third party scripts are a good way of adding a malicious script because these scripts are not controlled by the website itself.  Instead, they are directly added to the page by pointing to an external file location. With numerous third-party scripts on a page, a hacker just needs to compromise one of these systems to add their script to the page. With marketing ad network scripts on the page this can quickly equate to hundreds of possible third parties the hacker can choose from and that raises the statistical chance that one of them can successfully be compromised. Website owners should therefore carefully look at the complete supply chain of their website.

Harvested information can be turned into money in the exact same way as physically skimmed cards but because the number of harvested cards can be in the hundreds of thousands, it is more convenient to sell them as a database on dark marketplaces.

Solutions for safer payment pages

Should we all become very afraid of this? Well, yes and no. While as a consumer you have very little control over this, as a website owner you can definitely do a number of things to reduce the risk of being hacked. These things consist of:

1. Take a close look at the whole supply chain of the website, especially on checkout pages. Is everything on those pages absolutely needed?
   
   
2. Do not use external third-party scripts on checkout pages that hold sensitive data
   1. Do not place marketing ads on your checkout pages.
   2. Do not place fancy animations that use external Javascript libraries on checkout pages
   3. Do not place analytics scripts on the checkout page. You already know that the user converted and you can put analytics on all other pages included the “thank you” page
3. Use strict Content Security Policy (CSP) headers that determine where the page can post to or get data from. The downside of this is that it is hard to configure strict CSP’s on a site that uses ads that can typically come from any location.
   
   
4. Introduce a hash checksum on Javascript files that can be used to check the integrity of those files.
   
   
5. Isolate payments as much as possible on an HTML level from the rest of the website. A redirect to a separate payment page that just holds the payment form and nothing else could be a good idea and also a trusty old fashioned IFrame sandbox could be your friend in this case.

Credits: Thanks go out to Dark Net Diaries and RiskIQ for making me understand and enabling me to write this blog about it.