December 12, 2019
We are probably all aware of the methods that are being used to skim credit cards at payment terminals. Typically, this kind of hack is done by placing some sort of device over the card slot that captures all data and/or films the people that are using the payment terminal. Although this method of skimming has been known for a long time and card vendors are taking action to prevent it, the method remains popular and is actually on the increase.
In fact, skimming kits are readily available and can be bought at relatively low cost on so called dark marketplaces. The downside of physical skimming is that you need to have access to the terminal when you place the skimming device and when you want to harvest the data. This is why this kind of skimming is particularly popular at unmanned terminals like, for instance, fuel stations.
Converting card data into cash
When a criminal wants to turn the card data into money, he or she can use two options: 1. Sell the data online at a low cost per credit card. 2. Buy a card writer to create cards that can be used to pay for non-traceable goods that can be sold. This effectively launders the money. Gift cards are an example of such non-traceable goods. Gift cards are anonymous and can easily be sold on a legit second hand market place. Luckily this is not completely without risk for the criminal: A criminal could still get caught and recognized on CCTV when purchasing or spending the cards.
Online credit card skimming
Online credit card skimming (the act of skimming a website) is perhaps not as well known by the public. But the fact that it is not very well known, does not mean that it is not possible. In fact, it is very much possible and it is already being used on a large scale across the globe. Skimming websites is potentially far more lucrative because it can give a hacker access to hundreds of thousands of credit card credentials per incident. Also, the person doing the skimming (the hacker) does not need to have physical access to the payment terminal, making it harder to catch the criminal.
That online skimming has become a large scale method for professional hacker networks and that it is becoming more popular, has been proven by companies that do analysis in this field. One of these companies (RiskIQ) has created a historic database of websites that they can use to do perform data analysis. By doing this, they are able to detect changes that have occurred over time on the front ends of these websites. From their analysis, they were able to prove the existence of a group of hackers that started out by solely focusing on Magento implementations. This group is known as the Magecart group. Since then numerous parallel groups have appeared and worryingly, they also broadened their horizons by looking at other platforms. Amongst the incidents that have been found, there are already some very large victims. One of these is British Airways where the transaction data was harvested of about 380.000 transactions in a couple of weeks before being detected.
The supply chain of your website
Harvested information can be turned into money in the exact same way as physically skimmed cards but because the number of harvested cards can be in the hundreds of thousands, it is more convenient to sell them as a database on dark marketplaces.
Solutions for safer payment pages
Should we all become very afraid of this? Well, yes and no. While as a consumer you have very little control over this, as a website owner you can definitely do a number of things to reduce the risk of being hacked. These things consist of:
- Take a close look at the whole supply chain of the website, especially on checkout pages. Is everything on those pages absolutely needed?
- Do not use external third-party scripts on checkout pages that hold sensitive data
- Do not place marketing ads on your checkout pages.
- Do not place analytics scripts on the checkout page. You already know that the user converted and you can put analytics on all other pages included the “thank you” page
- Use strict Content Security Policy (CSP) headers that determine where the page can post to or get data from. The downside of this is that it is hard to configure strict CSP’s on a site that uses ads that can typically come from any location.
- Isolate payments as much as possible on an HTML level from the rest of the website. A redirect to a separate payment page that just holds the payment form and nothing else could be a good idea and also a trusty old fashioned IFrame sandbox could be your friend in this case.
Credits: Thanks go out to Dark Net Diaries and RiskIQ for making me understand and enabling me to write this blog about it.