Skimmers are so 2010. With the adoption of EMV “smart chip” credit and debit cards, skimmers on gas station pumps and other point-of-sale terminals have largely fallen by the wayside. Yet where there’s a determined criminal, there’s a vulnerability. Hackers are now turning to so-called “eSkimmers” and “formjacking” to steal credit card data online, much as yesteryear’s physical terminal skimmers did at the pump. Unfortunately, these threats can cause both merchants and cardholders a variety of headaches.
Despite the risks, ecommerce entrepreneurs commonly believe that skimmers are a brick-and-mortar problem. However, ecommerce is now more vulnerable to skimming than card-present POS terminals ever were. EMV chips have made it virtually impossible to spoof physical cards, but these chips do little to prevent card-not-present fraud.
Merchants Often Shoulder the Burden of Fraud
When it comes to managing fraud, businesses can leverage a variety of tools to fight back against bad actors out to steal their inventory and revenues. It helps to know which kind of fraudster you are facing. There are the “true” fraudsters — third parties making purchases with stolen cards or payment data. You’ll also get first-party “friendly” fraudsters — cardholders who abuse the dispute process to commit theft; if their issuing bank approves the chargeback, they get their money back while keeping any goods received.
With third-party fraud — committed by someone other than the cardholder — the merchant almost certainly won’t win a chargeback dispute, because the merchant is liable for having processed a fraudulent transaction. As a result, preventing third-party fraud is crucial, especially for merchants. For ecommerce entrepreneurs, that means preventing eSkimmers and formjacking, among other things.
Entrepreneurs should educate themselves on the risks posed by chargebacks and fraud. It’s also crucial to develop strategies to prevent and mitigate the damage. Merchants must manage fraud proactively to ensure long-term success; a lax approach is anathema to any thriving ecommerce business.
Traditional Skimmers Fall by the Wayside
Modern payment methods have delivered a ton of convenience to customers. There’s no need to deal with cumbersome checks or change at the till; a customer can simply swipe and go. Yet modern payment methods are, in many ways, more conducive to fraud than traditional cash.
For a long time, physical card skimmers ranked among the biggest threats. These devices could be placed over a payment terminal’s card reader. When the customer inserts their card into the terminal, the skimmer copies the data from the magnetic stripe. With that data in hand, the fraudsters could easily create a spoofed credit or debit card and use it to make unauthorized purchases.
Fraudsters often favored payment terminals in out-of-the-way places or that weren’t under constant surveillance. This made it easier to install the skimmers, and in many cases, the skimmers themselves were also less likely to be noticed. Gas station pumps, in particular, were a favorite target because the payment terminals are set up outside and were relatively easy to access unobserved.
In the past, fraudsters needed nothing more than the data captured by a skimmer to spoof a card. As a result, skimmers offered an easy way to engage in large-scale fraud. EMV chips, which rely on cryptography rather than the static data on a magnetic stripe, have made it virtually impossible to spoof a physical card. Now, many criminals have shifted their focus to eSkimmers, formjacking, and similar attacks against ecommerce merchants.
A Quick Look at Formjacking and eSkimmers
When online shoppers check out, they’ll often have to fill out an online form. This form might ask for payment credentials, shipping addresses, and other pertinent pieces of information. Hackers have figured out ways to insert malicious code into these forms. As with traditional skimmers, formjacking allows unscrupulous parties to steal data. With card-not-present payments, they don’t attack the card; they compromise the form, then turn around and use the stolen data on other online forms. Because no physical chip is involved in a card-not-present purchase, EMV offers no protection there, so the hackers circumvent that security measure entirely.
Besides credit and debit card numbers, eSkimmers can also collect birthdates, security question answers (e.g. What was the name of your first pet?), billing addresses, and more. With this data in hand, hackers can hijack someone’s identity. The fraudsters may even be able to set up credit cards or other payment methods in their name and use them to make unauthorized purchases, or they could take over an account and use saved payment methods.
So how do hackers actually get their code onto a checkout page? There are many different avenues, but one of the most common is a compromised third-party ad network. Detecting malicious code in ads is extremely difficult, and the vast majority of ads are safe. However, even a single corrupted ad can cause a lot of damage.
Most of the time, the eSkimmer operates quietly in the background, collecting information as it’s typed in and submitted. One well-known family of eSkimmer software is Magecart. This malicious software inserts new fields into a checkout form; the data entered into them isn’t used by the ecommerce shop but is instead sent to the criminals. Other skimmers simply and silently copy the data the user types into the legitimate fields.
Like skimmers on gas station pumps, an eSkimmer will usually allow the user to complete their purchase, which reduces the risk of detection. Once the data is gathered, it’s sent to remote servers, where it can be stored, then resold in bulk to other criminals or used directly to make illicit purchases.
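The two symptoms described above (fields the merchant never defined, and scripts loaded from origins the merchant never approved) can be checked for from the checkout page itself. The following is an added, defender-side example and not code from the original article or from any product it mentions; the field names, allowed origins and sample inputs are constructed.

```javascript
// Added example: a checkout-page integrity check against eSkimmer symptoms.
// The merchant declares which inputs its own form contains and which origins
// are allowed to serve scripts; anything else is reported for investigation.
// All names and origins below are constructed placeholders.

const EXPECTED_FIELDS = ['cardNumber', 'expiry', 'cvv', 'name', 'postalCode'];
const ALLOWED_ORIGINS = ['https://shop.example', 'https://gateway.example'];

// Names of form inputs that are not part of the merchant's own checkout form
// (an injected skimmer field such as a fake "security question" would show up here).
function unexpectedFields(fieldNames, expected = EXPECTED_FIELDS) {
  const allowed = new Set(expected);
  return fieldNames.filter((n) => !allowed.has(n));
}

// Script URLs served from an origin outside the allowlist. Inline scripts
// (empty src) have no origin to check and are skipped; an unparsable URL is
// treated as foreign rather than silently accepted.
function foreignScripts(scriptSrcs, allowedOrigins = ALLOWED_ORIGINS) {
  const allowed = new Set(allowedOrigins);
  return scriptSrcs.filter((src) => {
    if (!src) return false;
    try {
      return !allowed.has(new URL(src).origin);
    } catch {
      return true;
    }
  });
}

// Browser wiring: audit once at load, then re-audit whenever the DOM changes,
// since skimmers often inject their fields or scripts after page load.
// `report` is the merchant's own callback (e.g. a beacon to its own monitoring endpoint).
function watchCheckout(form, report) {
  const audit = () => {
    const names = Array.from(form.querySelectorAll('input, select, textarea')).map((el) => el.name);
    const srcs = Array.from(document.scripts).map((s) => s.src);
    const fields = unexpectedFields(names);
    const scripts = foreignScripts(srcs);
    if (fields.length || scripts.length) report({ fields, scripts });
  };
  audit();
  new MutationObserver(audit).observe(document.documentElement, { childList: true, subtree: true, attributes: true });
}

if (typeof document !== 'undefined' && document.querySelector('form#checkout')) {
  watchCheckout(document.querySelector('form#checkout'), (finding) => console.warn('checkout integrity', finding));
}
```

A report only tells you something unexpected appeared on the page; it is a trigger to pull the page and compare it against your deployed code, not proof of a breach on its own.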
Once the data is stolen, it can spread far and wide on the dark web. Actually tracking down who originally stole the data and where they got it from is often impossible. Cardholders do have recourse, however. They can simply file chargebacks to claw back any money spent on unauthorized purchases. Unfortunately, this means merchants are often stuck holding the bag, even if they did nothing wrong.
Organized Crime and eSkimmers
Organized crime is worth a special mention. When you think of organized crime, your mind might first wander to the mafia and stolen cargo shipments or protection racket schemes. Such criminal activity still occurs, but many criminal groups have diversified to cybercrime. You may have heard of criminal groups like Fancy Bear and REvil. Many of these organizations are believed to be connected to state-sponsored actors and powerful organized crime groups.
This is important because these groups can muster the sophisticated resources required to perpetrate skims at scale. As a result, businesses big and small need to take cybersecurity seriously. Even a seemingly minor slip-up, like forgetting to update a plugin on your website, can compromise your payment gateways.
Effective Risk Mitigation in an Era of Cybercrime
It’s important for online merchants to proactively combat chargebacks. Otherwise, data breaches and other issues will increase. If hackers successfully hit a company, not only could it cause immediate problems, such as increased chargebacks, but it could also hurt the company’s brand and market share.
Some steps merchants can take to improve security include:
- Making sure software is kept up to date.
- Working with reputable shopping carts, gateways and payment platforms.
- Monitoring for suspicious transactions, such as orders being shipped to new addresses.
- Requiring users to set up two-factor authentication.
- Partnering only with reputable ad networks.
Even with the most robust cybersecurity practices, however, businesses could still suffer at the hands of hackers. Often, this results in chargebacks. Fortunately, there are steps businesses can take to reduce fraud, chargebacks, and the associated risks.
Setting up a robust chargeback management process, among other things, will help companies mitigate the risks associated with chargebacks, which often stem from fraudulent activity. For example, a merchant could set up chargeback alerts that will allow them to resolve fraud before a chargeback is issued. If a purchase was clearly the result of third-party fraud, it’s best to simply refund the affected customer. This way, the merchant can avoid a rising chargeback ratio and expensive chargeback fees and penalties.
It’s also wise to have a responsive customer service department. Before filing a chargeback, many customers will first try to contact the retailer. With a proactive customer service department, you may be able to settle the matter entirely without involving banks. As with chargeback alerts, this will reduce the risk of a chargeback being filed.
There are many other steps merchants can take to mitigate chargebacks. Fortunately, powerful dispute management platforms like ChargebackHelp Plus now offer robust sets of tools straight out of the box. By leveraging a variety of strategies and tools, entrepreneurs and managers can protect their businesses.