Credit card skimming – the use of hardware or software to steal credit card details – has long been a problem for retailers and the credit card industry.
Whether criminals attach physical skimming machines to ATMs or inject skimming software into eCommerce applications, skimming hurts customers and retailers alike. But a recent wave of targeted skimming attacks by the Magecart criminal group and others increases the stakes for retailers.
Magecart’s skimming software has stolen hundreds of thousands of card numbers across several major campaigns. In September, British Airways revealed that the details of 380,000 customers had been stolen, including personal and payment information. Ticketmaster’s customers were the targets of a similar attack. Security researcher Willem de Groot recently reported that 8,000 Magento stores were running the MagentoCore.net skimming software.
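A skimmer injected into a store ends up as a script reference or inline script on the checkout page, so one check a store owner can run is to compare the scripts the checkout page actually loads against the hosts the store is known to use. The following is an added example, not code from the article or from any of the vendors it mentions: it parses a constructed checkout page and reports external scripts whose host is off the allowlist, plus any hosts referenced from inline scripts. The allowlist, the page host, and the sample HTML (which uses the MagentoCore.net host named above as the injected entry and the reserved name collector.invalid as an unknown host) are all assumptions made up for the demo.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this store is expected to load scripts from (constructed allowlist for
# the example; a real store's list comes from its own theme and payment setup).
ALLOWED_SCRIPT_HOSTS = {"shop.example", "cdn.shop.example"}
PAGE_HOST = "shop.example"

# Constructed checkout page: two legitimate scripts, one injected external
# script reference (the MagentoCore.net host named in the article) and one
# inline script that points at an unknown collection host.
SAMPLE_CHECKOUT_HTML = """
<html><head>
<script src="/js/checkout.js"></script>
<script src="https://cdn.shop.example/lib/jquery.min.js"></script>
<script src="//magentocore.net/js/mage.js"></script>
</head><body>
<form id="co-payment-form"></form>
<script>
  var endpoint = "https://collector.invalid/submit";
</script>
</body></html>
"""

URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


class ScriptCollector(HTMLParser):
    """Collect external script sources and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external = []      # values of src= on <script> tags
        self.inline = []        # text of <script> blocks without src=
        self._buffer = None     # accumulates the current inline script

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._buffer = []

    def handle_data(self, data):
        if self._buffer is not None:
            self._buffer.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._buffer is not None:
            body = "".join(self._buffer).strip()
            if body:
                self.inline.append(body)
            self._buffer = None


def script_host(src, page_host=PAGE_HOST):
    """Host a script src= is fetched from. urlparse handles protocol-relative
    //host/ URLs; a relative path resolves to the page's own host."""
    host = urlparse(src).hostname
    return (host or page_host).lower()


def audit_checkout_page(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS, page_host=PAGE_HOST):
    """Return external script URLs and inline-script hosts not on the allowlist."""
    collector = ScriptCollector()
    collector.feed(html)
    unexpected_external = [src for src in collector.external
                           if script_host(src, page_host) not in allowed_hosts]
    unexpected_inline_hosts = sorted({
        host.lower()
        for body in collector.inline
        for host in URL_HOST_RE.findall(body)
        if host.lower() not in allowed_hosts
    })
    return {"external": unexpected_external, "inline_hosts": unexpected_inline_hosts}


if __name__ == "__main__":
    print(audit_checkout_page(SAMPLE_CHECKOUT_HTML))
```

Run against the live checkout page on a schedule and alert on any non-empty result; the allowlist check catches a newly injected script tag even when the injected file itself is obfuscated, because it looks only at where scripts come from, not at what they do.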
How Is Skimming Software Injected Into eCommerce Stores?
Criminals often exploit known vulnerabilities to compromise eCommerce stores. Magento’s spokesperson says that almost all of the infected sites hadn’t been patched or updated correctly.
Researcher Willem de Groot believes that most of the skimmers were injected via compromised accounts on eCommerce sites. The attackers use bots to guess usernames and passwords until they hit on the right combination.
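Password-guessing bots leave a recognisable trace in the web server's access log: many POSTs to the admin login path from one address in a short time. Below is an added example, not code from the article or from Magento or WooCommerce, that parses constructed common-log-format lines and flags any source address that posts to a login path at least five times within any one-minute sliding window. The login paths, threshold, window and sample addresses are assumptions for the demo; a real store should use its own admin URL (Magento in particular lets you change it).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Paths that receive admin login POSTs on a Magento (/admin/) or
# WordPress/WooCommerce (/wp-login.php) store. Assumed defaults for the demo.
LOGIN_PATHS = {"/admin/", "/wp-login.php"}

# Constructed access-log lines in common log format (not real traffic).
# 203.0.113.7 hammers the admin login; 198.51.100.22 is a normal admin.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2018:13:55:01 +0000] "POST /admin/ HTTP/1.1" 302 0
198.51.100.22 - - [10/Oct/2018:13:55:03 +0000] "GET /checkout/ HTTP/1.1" 200 5120
203.0.113.7 - - [10/Oct/2018:13:55:07 +0000] "POST /admin/ HTTP/1.1" 302 0
198.51.100.22 - - [10/Oct/2018:13:55:10 +0000] "POST /admin/ HTTP/1.1" 302 0
203.0.113.7 - - [10/Oct/2018:13:55:13 +0000] "POST /admin/ HTTP/1.1" 302 0
203.0.113.7 - - [10/Oct/2018:13:55:19 +0000] "POST /admin/ HTTP/1.1" 302 0
this line is not in log format and is skipped
203.0.113.7 - - [10/Oct/2018:13:55:25 +0000] "POST /admin/ HTTP/1.1" 302 0
203.0.113.7 - - [10/Oct/2018:13:55:31 +0000] "POST /admin/ HTTP/1.1" 302 0
198.51.100.22 - - [10/Oct/2018:13:58:30 +0000] "POST /admin/ HTTP/1.1" 302 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one common-log-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def find_guessing_sources(lines, threshold=5, window=timedelta(minutes=1),
                          login_paths=LOGIN_PATHS):
    """Return {ip: peak attempts} for every IP that POSTs to a login path at
    least `threshold` times inside any sliding `window`."""
    attempts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] in login_paths:
            attempts[rec["ip"]].append(rec["ts"])

    flagged = {}
    for ip, times in attempts.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            # slide the window start forward until it spans at most `window`
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


if __name__ == "__main__":
    print(find_guessing_sources(SAMPLE_LOG.splitlines()))
```

The access log does not record which username was tried or whether the login succeeded, so this only measures attempt rate; feeding the flagged addresses to a rate limiter or fail2ban-style blocker is the usual next step, and it complements rather than replaces the two-factor advice below.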
Supply chain attacks
For high-value victims such as British Airways, the criminals create sophisticated strategies with dedicated infrastructure and custom software.
Targeted attacks may involve phishing and other social engineering strategies which cannot be defeated with simple security precautions, but the majority of attacks against Magento and WooCommerce stores leverage vulnerabilities that are easily mitigated.
- Update and patch. eCommerce stores are almost always compromised because they have not been patched with security fixes and updated to recent versions. If a store is not kept up-to-date, it is only a matter of time before it is compromised.
- Use two-factor authentication on admin accounts. In an ideal world, store administrators would choose long and random passwords that can’t be guessed by brute-force bots. We don’t live in an ideal world, but two-factor authentication removes some risk by insisting on a second, harder-to-guess factor.
- Monitor security news and software vendors. The news of Feedify’s compromise was widely reported. Magento maintains a Security Center with regular updates. There are dozens of sources for security alerts about WordPress and WooCommerce. With tools such as Google Alerts, you can track news about the software you use so that you don’t miss important security alerts.
The massive scale of skimming attacks against eCommerce in recent months is something that all retailers should be worried about, but with a few security best practices, the chances of being infected by skimming malware are low. eCommerce businesses without the expertise to secure their site against skimming should get professional help and use managed eCommerce hosting that will take care of basic security precautions.
Posted by Graeme Caldwell on June 6, 2019.