Card skimming - the act of copying data from a credit card to make either a physical or a virtual copy of the card - is not a new tactic for criminals. As a result, many an unsuspecting card payer has been unpleasantly surprised by unauthorised payments made on their card after letting it out of their sight for five minutes, whether at a restaurant, while making online payments or at the shops.

However, the introduction of mobile card payment devices, increased security at paypoints and ATMs, and 3D payment authentication for online payments has all but thwarted criminals seeking to make a quick buck off duplicating credit cards.

Although small-time criminals still make use of physical card skimming devices and not all online portals have built-in authentication, most criminals have set their sights on more lucrative opportunities, where they are able to copy multiple cards with less traceability.

The recently uncovered MagentoCore skim scam has really upped the ante, being described as the most successful skimming campaign to date, with more than 7993 online stores hosted on the Magento global e-commerce platform being affected over a six-month period.

Fifty-one million customers around the globe have made purchases from Magento merchants, and the malware shows no signs of stopping any time soon.

With more than 250 merchants using the open-source Magento platform, the hacker group responsible for MagentoCore continues to target new brands. According to Willem de Groot, the industry expert who uncovered this threat, the hackers use a script called a “payment card scraper” or “skimmer” once they’ve breached the site and modified its source code to load the script along with its legitimate files.

The script usually loads on store checkout pages and secretly records payment card details entered in payment forms, data that it later sends to a server under the hacker’s control.
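Because the skimmer is loaded as an extra script alongside the store's legitimate files, a merchant can audit which scripts a checkout page actually pulls in. The following is an added example, not code from de Groot or from Magento: it lists external scripts served from hosts outside an approved set and fingerprints inline scripts so they can be compared against a known-good baseline. The page URL, host names and HTML are constructed sample values.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample: a checkout page with a first-party script, an approved
# third-party script, a script from an unexpected host and one inline script.
PAGE_URL = "https://shop.example/checkout/"
ALLOWED_HOSTS = {"shop.example", "payments.example"}  # assumed merchant allowlist
SAMPLE_HTML = """<html><head>
<script src="/static/js/checkout.js"></script>
<script src="https://payments.example/sdk.js"></script>
<script src="//cdn-unknown.example/lib/widget.js"></script>
<script>var cart = {items: 2};</script>
</head><body><form id="payment"></form></body></html>"""

class ScriptCollector(HTMLParser):
    """Collect the src of each external script and the body of each inline one."""
    def __init__(self):
        super().__init__()
        self.external, self.inline = [], []
        self._in_inline = False

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline = True
            self.inline.append("")

    def handle_data(self, data):
        if self._in_inline:
            self.inline[-1] += data

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline = False

def audit_scripts(html, page_url, allowed_hosts):
    """Return (external script URLs on unapproved hosts, SHA-256 of inline scripts)."""
    collector = ScriptCollector()
    collector.feed(html)
    # urljoin resolves relative paths and protocol-relative //host/... sources.
    urls = [urljoin(page_url, src) for src in collector.external]
    unexpected = [u for u in urls if urlparse(u).hostname not in allowed_hosts]
    digests = [hashlib.sha256(b.encode()).hexdigest() for b in collector.inline]
    return unexpected, digests

if __name__ == "__main__":
    print(audit_scripts(SAMPLE_HTML, PAGE_URL, ALLOWED_HOSTS))
```

An unexpected host, or an inline digest that differs from the last reviewed version of the page, is a reason to inspect the store's source files for modification.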

What makes the malware so attractive to cybercriminals is that it is so incredibly difficult to trace. Many people have a card today and take part in some form of online purchasing.

Below are some tips to ensure consumers protect themselves:

Check that the website is secure. A secure website will have a valid certificate, usually demonstrated by a locked padlock icon. Here are some tips to check if a website is secure.

Deal with reputable vendors. This may not always be possible, and there are many exciting and trustworthy e-commerce stores that open up on a daily basis. However, where possible, opt for the sites that are well-known and trusted.

Ensure that the site has 3D security enabled, where shoppers are redirected to a third-party platform, often a financial institution’s platform, to verify that they are the one making the purchase by means of a security code sent to the purchaser.

Shoppers can also make use of a virtual card, which they load up with a pre-set amount of money in order to make online payments. A virtual card is a card created by a virtual card provider, similar to a gift card. Many banks and third-party virtual card providers are available today so that shoppers can add a layer of protection to online shopping.

Mobile payment applications such as SnapScan or Zapper offer a safer method of payment for shoppers, so they should look for providers that offer this as a payment option.

Simeon Tassev is the managing director and qualified security assessor at Galix Networking.