New Form of Skimming Threatens Online Shoppers

Criminals can put skimming code on retailer websites.

October 29, 2019

ALEXANDRIA, Va.—The holiday shopping season is here, and online shoppers face a new security issue—e-skimming.

According to Fast Company, e-skimming occurs when thieves insert skimming code on the checkout pages of a retailer’s website and collect credit card and other personal information from shoppers. The stolen data is then sold by the criminals or used to make purchases.

Fifty-six percent of consumers said they plan to do online shopping this holiday season, according to the National Retail Federation, and the U.S. Department of Homeland Security has issued a warning about the new e-commerce vulnerability.

“Any business accepting online payments on their website is at risk of an e-skimming attack,” the Department announced. “This threat has impacted e-commerce companies in the retail, entertainment, and travel industries, as well as utility companies and third-party vendors.”

Online and other non-store sales, which is how the NRF presents holiday retail data, are expected to grow between 11% and 14% over last year, to about $162.6 billion to $166.9 billion, versus 2018’s $146.5 billion.

Skimming isn’t new, but the old-school method of physically placing a device where victims insert their cards, like ATMs and gas-pump card readers, is being replaced by the high-tech version that relies on editing JavaScript code.

The FBI advises companies to make sure their websites are secure, limit network exposure by using segmentation, install patches from payment platform vendors and use code integrity checks, among other best practices.
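As an illustration of the code integrity checks mentioned above, the following Node.js sketch compares the scripts a checkout page currently serves against known-good hashes recorded at release time and reports anything changed, added or missing. It is an added example, not code from the FBI, DHS or any retailer; the file paths, function names and script contents are constructed for illustration.

```javascript
// Added example: file paths, function names and sample scripts are constructed.
const { createHash } = require('crypto');

// Subresource Integrity style value: "sha384-" + base64(SHA-384 of the script body).
function sriHash(body) {
  return 'sha384-' + createHash('sha384').update(body, 'utf8').digest('base64');
}

const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// baseline: { path: sriValue } recorded from reviewed code at release time.
// served:   { path: scriptBody } as fetched from the live checkout page.
function auditScripts(baseline, served) {
  const findings = [];
  for (const [path, body] of Object.entries(served)) {
    if (!has(baseline, path)) {
      // A script nobody reviewed is now loading on the payment page.
      findings.push({ path, issue: 'unexpected script' });
    } else if (baseline[path] !== sriHash(body)) {
      // A reviewed script no longer matches its recorded hash.
      findings.push({ path, issue: 'content changed' });
    }
  }
  for (const path of Object.keys(baseline)) {
    if (!has(served, path)) findings.push({ path, issue: 'missing script' });
  }
  return findings;
}

// Constructed sample data: one script edited after release, one script added.
const goodCheckout = 'function submitOrder(form) { return form.submit(); }';
const goodCart = 'var cart = [];';
const baseline = {
  '/js/checkout.js': sriHash(goodCheckout),
  '/js/cart.js': sriHash(goodCart),
};
const served = {
  '/js/checkout.js': goodCheckout + '\n/* appended, unreviewed code */',
  '/js/cart.js': goodCart,
  '/js/helper.js': 'var x = 1;',
};

function runDemo() {
  return auditScripts(baseline, served);
}

console.log(runDemo());
```

The same hash values can be placed in the `integrity` attribute of `<script>` tags so that browsers refuse to run a file that no longer matches.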