Card skimming gets more aggressive

November 2018 Security Services & Risk Management, Cyber Security

Card skimming – the act of copying data from a credit card to make either a physical or a virtual copy of the card – is not a new tactic for criminals. As a result, many an unsuspecting card payer has been unpleasantly surprised by unauthorised payments made on their card after using it at a restaurant, doing online payments or at the shops.

Simeon Tassev

However, the introduction of mobile card payment devices, increased security at pay points and ATMs, and 3D payment authentication for online payments has all but thwarted criminals seeking to make a quick buck from duplicating credit cards. Although small-time criminals still make use of physical card skimming devices and not all online portals have built-in authentication, most have set their sights on more lucrative opportunities, where they are able to copy multiple cards with less traceability.

The recently uncovered MagentoCore skimmer scam has upped the ante, being described as the most successful skimming campaign to date, with over 7 993 online stores hosted on the Magento global ecommerce platform being affected over a six-month period. Fifty-one million customers around the globe have made purchases from Magento merchants, and the malware shows no signs of stopping any time soon.

With over 250 merchants using the open source Magento platform, the hacker group responsible for MagentoCore continues to target new brands. According to industry expert and the person responsible for uncovering this threat, Willem de Groot, the hackers use a script called a ‘payment card scraper’ or ‘skimmer’ once they’ve breached the site and modified its source code to load the script along with its legitimate files. The script usually loads on store checkout pages and secretly records payment card details entered in payment forms, data that it later sends to a server under the hackers’ control.

What makes the malware so attractive to cybercriminals is that it is so incredibly difficult to trace, and the copying of hundreds of cards per day gives them the ability to copy far more data than ever before. Businesses and card users alike need to not only become more aware of the risks of online payments, but also protect themselves and their customers from threats.

What can retailers do?

Skimming is only one of many security risks that retailers with an ecommerce portal need to take cognisance of. It’s essential that they have a full risk management strategy in place which assigns risks a priority and puts the right technology in place to protect both themselves and their customers.

They need to perform regular checks on their customer-facing websites, factoring in vulnerability scanning, web security scanning, code review, penetration testing and various other tests to ensure the website performs optimally and securely. Those retailers who do not make use of a third-party two-factor authentication payment platform should ensure they have one in place.
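One such regular check, as an added example that is not part of the original article or of Magento's own code: since the skimmer is loaded by modifying the store's source so that checkout pages pull in an extra script, the audit below lists every script on a checkout page and flags any that is not in a reviewed baseline. The allowlisted hosts, the sample markup and all function names are assumptions made for illustration.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts the store deliberately loads scripts from (hypothetical names).
ALLOWED_SCRIPT_HOSTS = {"shop.example", "js.payments.example"}
# Constructed sample: checkout markup with one script tag added by an intruder.
SAMPLE = """<head>
<script src="/static/checkout.js"></script>
<script src="https://js.payments.example/v1/pay.js"></script>
<script>window.cartId = "demo";</script>
<script src="//cdn.unknown-host.example/cache.js"></script>
</head>"""
# SHA-256 of each inline script approved at the last code review.
BASELINE_INLINE = {hashlib.sha256(b'window.cartId = "demo";').hexdigest()}

class ScriptCollector(HTMLParser):  # gathers script URLs and inline script bodies
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._open = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            self._open = not src  # only inline scripts carry a body to hash
            (self.external if src else self.inline).append(src or "")

    def handle_data(self, data):
        if self._open:
            self.inline[-1] += data

    def handle_endtag(self, tag):
        if tag == "script":
            self._open = False

def audit_checkout_page(html, page_host, baseline):
    """Return (kind, detail) findings for scripts outside the reviewed baseline."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.external:
        host = urlparse(src).hostname or page_host  # relative URL: same host
        if host.lower() not in ALLOWED_SCRIPT_HOSTS:
            findings.append(("unexpected-script-host", src))
    for body in parser.inline:
        digest = hashlib.sha256(body.strip().encode()).hexdigest()
        if digest not in baseline:
            findings.append(("unreviewed-inline-script", digest))
    return findings
```

Run against the rendered checkout page on a schedule, any finding means the page now loads code that nobody reviewed; the baseline should change only through code review.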

Retailers who do outsource their functions, such as to an ecommerce platform, should ensure they have some sort of liability cover included so that if the platform is hacked, neither they nor their customers carry the risk.

It’s also important that they ensure their compliance is up to date and well managed. Compliance with regulations such as the Payment Card Industry Data Security Standard (PCI-DSS) helps to ensure that the minimal controls are in place to protect their own and their customers’ information during transactions. Other regulations such as the Protection of Personal Information (PoPI) Act and the General Data Protection Regulation (GDPR) give them guidelines on how to protect their customers’ information across the board, too.

What can consumers do?

Many people today have a card and partake in some form of online purchasing, whether directly from a retail chain or through a third-party platform. Here are some tips to ensure consumers protect themselves:

• Check that the website is secure. A secure website will have a valid certificate, usually demonstrated by a locked padlock icon. Some tips on checking if a website is secure can be found at

• Deal with reputable vendors. This may not always be possible, and there are many exciting and trustworthy ecommerce stores that open up on a daily basis. However, where possible, opt for the sites that are well known and trusted.

• Ensure that the site has 3D security enabled, where shoppers are redirected to a third-party platform, often a financial institution’s platform, to verify that they are making the purchase through a security code being sent to the purchaser.

• Shoppers can also make use of a virtual card, which they load up with a pre-set amount of money in order to make online payments. A virtual card is a card created by a virtual card provider, similar to a gift card. Many banks and third-party virtual card providers are available today so that shoppers can add a layer of protection to online shopping.

• Mobile payment applications such as SnapScan or Zapper offer a safer method of payment for shoppers, so they should look for providers that offer this as a payment option.

• Remember that there is no 100% safe way to shop online or in store when using a card. Shoppers should be vigilant and if they are unsure, rather skip the purchase and find an alternative payment method.

It is highly likely that cybercriminals will only get smarter, targeting vulnerabilities in ecommerce and online retail platforms wherever possible. Both retailers and shoppers need to ensure they are aware of the risks and protect themselves wherever and however possible.

For more information, contact Galix Networking, 086 124 2549.

