E-commerce sites are trying to keep up with sophisticated skimming schemes, but chances are your credit card information will still be compromised. A security expert offers advice.
TechRepublic’s Karen Roby talks with Aanand Krishnan, founder and CEO of Tala Security, about protecting consumers’ identity while shopping online. The following is an edited transcript of their interview.
Aanand Krishnan: I think identity theft is becoming, unfortunately, top of mind for consumers, and the online world in particular is becoming a sort of a scary place. We have seen a massive spike, especially in the last few months, in the number of what we would call credit card skimming or credentials skimming attacks on the web. In November, for example, Macy’s came out and said that Macys.com had been compromised, and that they had lost user credentials and credit cards to a skimming attack.
If you’re not familiar with a skimming attack, here’s how it works. You go to your favorite e-commerce store to purchase something and you’re entering your credentials, your credit card information, and you expect that information to go from your device, to the merchant, or maybe it’s a banking institution, or the payment processor. In the case of a skimming attack, the attacker–because they’re able to execute malware or malicious code on your machine–is able to take a copy of that information and send it from your browser to their malicious server. And because in this attack, the transaction actually goes through, neither you nor the merchant actually know that the skimming even happened. The attacker basically got a copy of your credit card information, and this is why these attacks are not only successful, but they’re also very hard to detect.
In many cases we find that websites, e-commerce sites in particular, have been compromised for several months, sometimes even over a year, before they get wind of the fact that they have been compromised. This credential skimming and credit card skimming problem, variously known as formjacking or Magecart, has become a big problem. We actually estimate that there are hundreds of thousands if not a couple of million websites today that have active skimmers on them, which means that the chances of you or any one of us hitting a website that has one of these skimmers is very, very high. It is absolutely the responsible thing to do for us to be aware of these attacks and be very careful when we make purchases online.
Karen Roby: What do we need to do to stay safe?
Aanand Krishnan: I think that’s a very difficult question, frankly, to answer because the reality is this is a problem that first and foremost is the responsibility of the merchants, the e-commerce sites, or the banking institutions, or whoever it is that you’re transacting with. And secondly, the reality is that regulations and data privacy laws haven’t actually kept up with it. For example, we saw that British Airways in the UK, which lost about half a million credit cards, was fined by the GDPR. They were fined about $200 million. I think that the privacy regulations and the regulators are getting wind of this, and they’re acting on it, but they’re not there yet.
So as a consumer, what do we do? I think the reality is we’re going to be shopping, but I would recommend two or three things.
One is educate yourself. Be aware of the problem in the first place. Be aware of the fact that you might be visiting a website that does have skimming.
Number two, obviously, look into your bank accounts, your credit card accounts, and look for any weird transactions that could be indications of your credit cards already being compromised.
Number three, just follow very good hygiene. Do simple things like don’t click on emails that might infect your machine with malware. Keep your browser clean. A lot of people we notice, for example, are downloading free software that ends up installing adware, spyware, all kinds of malware in their browser–don’t do that. Don’t download things that you don’t need. And if you go to the browser, make sure that you can clear out all those extensions. It’ll provide you a better and a much safer browsing experience.
These are some things that consumers can do, but you’re right, it sometimes sounds like it’s all bleak out there. The positive thing is that the e-commerce companies that we at Tala talk to are actively working on solving this problem, and companies like us, regulators, and industry bodies are actively looking at this problem.
Karen Roby: How aware do you think consumers really are of the risks?
Aanand Krishnan: I think there was a statistic that shows the probability that at least one of your cards in the wallet has been already compromised and is on the Dark Web is almost close to 100%. I don’t think the awareness is that high. However, a lot of people that I know unfortunately get wind of it when their bank calls them and says, “Your debit card or your credit card has been compromised, we need to send you a replacement one.” That has happened to me several times in the last couple of years, and I would imagine that it’s happened to a lot of people. I know a lot of people for whom this has happened.
I think people are finding out about it because their bank or their credit card company replaces their credit cards. However, I think the average consumer is really not aware of how easy it is technically to perpetuate these kinds of cyberattacks on websites to be able to do this kind of skimming. Awareness has to grow, and I think that is one of the biggest challenges that, frankly, we as a cybersecurity industry face. How do we make consumers aware that their sensitive data–and by the way, it doesn’t have to be credit cards… it could be healthcare data, it could be your Social Security number, your street address–all the personal details that you are entering into a website could be compromised?
I really hope that something good comes out of it, which is that the industry is waking up and we’re going to do a much better job of protecting consumers, but consumers and consumer awareness are going to play a very significant role in pressuring merchants, pressuring e-commerce companies and banks, as well as vendors like us, to do a far better job than we have in the past.