Online shoppers beware: Those ATM skimming devices are now on some retail websites
The holiday shopping season is upon us, and gift buyers who prefer online to traditional brick-and-mortar stores have something new to worry about.
E-skimming poses a threat to bargain-hunters and splurgers alike, because thieves insert skimming code into retailers’ checkout pages to snatch credit card information and personal details. The cyber criminals then sell the stolen data or use the info to make purchases themselves.
As more Americans go the e-tail route, scammers are adapting; gone are the pickpockets who bumped into marks in crowded stores to steal wallets. Fifty-six percent of shoppers said they plan to shop online this holiday season, according to the National Retail Federation.
The U.S. Department of Homeland Security issued a warning about the new e-commerce vulnerability as part of National Cybersecurity Awareness Month, which is October.
“Any business accepting online payments on their website is at risk of an e-Skimming attack,” the feds explained. “This threat has impacted e-commerce companies in the retail, entertainment, and travel industries as well as utility companies and third-party vendors.”
There’s big money to be stolen via e-skimming.
Online and other non-store sales, which is how the NRF presents holiday retail data, are expected to grow 11% to 14% over last year—$162.6 billion to $166.9 billion versus 2018’s $146.5 billion.
Skimming itself isn’t new, but the old-school in-person method involved an actual device placed where the victims physically insert their cards, like ATMs and gas-pump credit card readers. The e-version relies on editing JavaScript code.
The FBI advises companies to make sure their websites are secure, limit network exposure by using segmentation, install patches from payment platform vendors, and use code integrity checks, among other best practices.