As the final post in our series on cybersecurity awareness, this week we will focus on e-skimming. You may be thinking, what the heck is that? The only skim I like is the milk for my coffee! E-Skimming is a practice that involves stealing credit card information from customers on online stores. During e-skimming, hackers gain access to your online store and deploy a skimming code. This skimming code will collect payment card information from anyone that makes a purchase from your e-commerce site. The hackers then use the skimmed information to steal money and identities from unsuspecting consumers.
So who is at risk for an e-skimming attack? Any business that accepts credit card payments in one form or another is vulnerable. This could be an online store like Target, it could be your bank or even your utility provider if you pay online. And how do these hackers gain access to these online portals to get the code installed? That can occur in a myriad of ways including:
- Gaining access to a company's cloud hosting account through a vulnerable endpoint
- Hacking online marketplace platforms such as Shopify or Volusion, or
- Phishing a retailer's administrator account and placing the skimming code inside the online store.
No matter what method hackers choose to get access to your e-commerce site, once the malicious code is activated, it will immediately begin collecting, in real time, all credit card information that users enter into the storefront or payment section. Once collected, hackers either sell the lists of cards on the dark web or begin using the cards to make fraudulent purchases.
Many times, e-skimming attacks go unnoticed by a business and its customers until the customers realize their cards are being used by bad actors to make unauthorized purchases or bank withdrawals. The most likely way a business finds out it has been a victim of e-skimming is by customers reporting fraudulent charges after shopping on its website.
With the holidays coming and the COVID-19 pandemic pushing consumers towards online shopping, businesses offering e-commerce options for customers must be vigilant about e-skimming. Here are some simple tips to keep your business safe.
- Keep your software updated. When you receive a notification that your software needs to be updated, take heed! Software companies provide patches and updates for their products for several reasons. One of the most important is that there have been security vulnerabilities found, and the patches will close up those holes. If the software company you're dealing with allows for automatic updates, opt for this option if possible. Don't rely on emails from companies or links they place into emails. Those are red flags for phishing. Visit your software company's website if you don't have automatic updates and update manually if necessary.
- Default is NOT the way to go! Most software comes with a default password, and a lot of times, companies just stick with that password. This is a really bad idea. A quick web search for a product's default password will often turn up those credentials, and that leaves the door open for bad guys. Change all default passwords to strong, unique passwords on every system you have.
- Be PCI SSC Compliant. PCI is the Payment Card Industry and SSC is their Security Standards Council. This global group of the major players in the credit card industry is in place to "enhance global payment account data security by developing standards and supporting services that drive education, awareness and effective implementation." PCI SSC provides guidance on what your online business can do to adopt data security standards for safe payments worldwide.
- Monitor and analyze your web logs. The only way to spot an anomaly in your web logs is to review them frequently for suspicious activity. Set aside time to keep up with log monitoring, and when you see something out of the ordinary, take the necessary steps to investigate and rectify any issues.
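One concrete way to put the log-monitoring tip into practice is to run your checkout page under a Content-Security-Policy-Report-Only header and review the violation reports it sends back: a skimmer has to run script on the page and send card data somewhere, so script loads from unexpected origins, unexpected inline script, and outbound connections to unfamiliar hosts are exactly what a report-only policy surfaces. The script below is an added example, not code from the original post; the allowlist, the report collector's one-JSON-object-per-line format and the sample reports are all constructed for illustration.

```python
import json
from urllib.parse import urlparse

# Hosts the checkout page is expected to load script from or send data to.
# Constructed allowlist for this example; a real store fills in its own.
ALLOWED_HOSTS = {"shop.example", "cdn.shop.example", "js.payment-provider.example"}
# Directives that matter for skimming: where script runs and where data goes.
WATCHED_DIRECTIVES = {"script-src", "script-src-elem", "connect-src", "form-action"}

# Constructed CSP violation reports, one JSON object per line (not real traffic).
SAMPLE_REPORTS = """\
{"csp-report": {"document-uri": "https://shop.example/checkout", "violated-directive": "script-src-elem", "blocked-uri": "https://cdn.shop.example/app.js"}}
{"csp-report": {"document-uri": "https://shop.example/checkout", "violated-directive": "script-src-elem", "blocked-uri": "https://static-assets.example/analytics.js"}}
{"csp-report": {"document-uri": "https://shop.example/checkout", "violated-directive": "connect-src", "blocked-uri": "https://collect.example/api"}}
{"csp-report": {"document-uri": "https://shop.example/blog", "violated-directive": "img-src", "blocked-uri": "https://images.example/a.png"}}
{"csp-report": {"document-uri": "https://shop.example/checkout", "violated-directive": "script-src-elem", "blocked-uri": "inline"}}
"""

def blocked_host(blocked_uri):
    """Host of a blocked URI, or the bare keyword ('inline', 'eval') unchanged."""
    if "://" in blocked_uri:
        return urlparse(blocked_uri).hostname or blocked_uri
    return blocked_uri

def suspicious_reports(report_lines, allowed_hosts=ALLOWED_HOSTS):
    """Return (page, directive, blocked-uri) for every violation worth a look."""
    findings = []
    for line in report_lines.splitlines():
        if not line.strip():
            continue
        try:
            report = json.loads(line)["csp-report"]
        except (ValueError, KeyError):
            continue  # malformed line: skip it rather than crash the monitor
        # Older browsers append the policy sources; keep only the directive name.
        directive = (report.get("violated-directive") or "").split(" ")[0]
        if directive not in WATCHED_DIRECTIVES:
            continue
        blocked = report.get("blocked-uri", "")
        if blocked_host(blocked) in allowed_hosts:
            continue  # expected origin; the policy itself just needs tuning
        findings.append((report.get("document-uri", ""), directive, blocked))
    return findings

if __name__ == "__main__":
    for page, directive, blocked in suspicious_reports(SAMPLE_REPORTS):
        print(f"{page}: {directive} blocked {blocked}")
```

On the constructed sample the check flags the unknown analytics script, the outbound connection to collect.example and the inline script on the checkout page, while ignoring the blog image and the store's own CDN.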
Protecting your online business from e-skimming is critical to your operations. But what happens if you've already fallen victim? The Cybersecurity and Infrastructure Security Agency recommends the following steps:
- Identify where the skimming code came from and how it got into your business
- Save a copy of the skimming script or malicious loader domain to report to law enforcement
- Change all compromised credentials to strong, unique passwords
- File a report with law enforcement
As National Cybersecurity Awareness Month comes to an end in a few days, we hope that the tips provided in our series of articles have given you some useful information on how to keep yourself, your business and your customers safe from possible cyberattacks. A Managed IT Services Provider can provide the support you need to keep your business protected if you do not have in-house IT staff to handle these matters. With a Managed IT Services Provider, you can rest easier knowing you have a professional on your side to help protect your business and keep you up and running.