Dear AppSec: I Was a Credit Card Skimming Attack Victim. (And It Sucks!)

23 June 2022

I am a credit card skimming attack victim. It happened about eight weeks ago, and to this day, we’re still dealing with the repercussions.

I was a card skimming attack victim. If you don't want your customers to become victims of skimming attacks, conduct a free assessment now. No strings attached. Click to Schedule.
I was the victim of a card skimming attack. If you care about your customers, check to see if your client-side security is adequate.

This is a true story. (Although I did substitute a few facts to protect the innocent.) And yes, while I work for Feroot, and this is appearing in our blog, I think it is important that cybersecurity professionals hear first hand from a card skimming attack victim—someone who is like every other customer that their business supports.

I also think it is important to let you know upfront that—YES—reputation damage is real. I have stopped engaging in online commerce with the two organizations that I suspect of being the possible source of the skimming attack—one of which we have done business with for over seven years.

I’ll get off my soapbox now, (for a few paragraphs at least), because I want you to hear my story. And after you’ve read this (and I hope you will read the whole blog), it’s my hope that you understand a little better how important standards like PCI DSS 4.0 are to client-side security.

(If you really just want to skip the story and go back to the soapbox, click here.)

Yup. A payment card skimming attack sucks.

If you’ve ever had your credit card skimmed (aka Magecart, JavaScript injection attack, e-skimming, formjacking, etc.)—that is, had your payment card information stolen online and reused by a criminal—you know how absolutely miserable the experience can be. First there is the heart-stopping moment when you check your credit card balance only to learn that someone purchased FIVE THOUSAND dollars in burner phones, appliances, car parts, eBay items, and bridal and prom dresses. (And you know it wasn’t you because, for starters, you look horrible in pink lace).

Then there is the issue of contacting your bank to alert them to the fraudulent activity. And, let’s be honest here, interactive voice response systems stink, particularly when you’re freaking out that there’s a whopping FIVE THOUSAND DOLLARS in fraudulent charges on your credit card, and you have to keep repeating to a robot:

I want to speak to an agent.

I. want. to. speak. to. an. agent. 

I WANT TO SPEAK TO AN AGENT!!!

But I digress.

In Case You Missed It…Let Me Say It Again…A Credit Card Skimming Attack Sucks

With your hands still shaking in fear and anger, you finally get to speak to a customer service agent. But that’s not the end of it. You have to let the agent know which purchases are legit and which are fraudulent…and suddenly you find yourself struggling to remember if you did, in fact, purchase a $12.99 meat claw (that happens to look like part of an X-Men costume…because… why not start barbecuing pulled pork since you’re stuck at home during Covid?)

Once you’ve run through the dozens of legitimate and illegitimate purchases, you’re still faced with disputing the fraudulent charges. Because contrary to most assumptions, while your bank or credit card company may temporarily remove the charges from your card, there is no guarantee they WILL remove the charges. They still need to conduct their own investigation to confirm the charges are, in fact, fraudulent before the charges are removed for good. And that could take a month or two. After that, you have to cancel your card. (And in the case of our bank, then listen to a pitch from the customer service agent on upgrading to additional benefits on your credit card. Really??!!??!!? You want me to upgrade? Are you sure you just heard me say that I had FIVE THOUSAND DOLLARS in fraudulent burner phone charges that you allowed on the current credit card, that apparently didn’t create a red flag for you?!!?!?!??)

Once you’re off your phone with the bank or credit card company, the waiting begins for that new little piece of grief-filled plastic to arrive. While you’re waiting, if you’re lucky, you have another payment card to make necessary purchases like gas and food. If not, well, I am sure you already know that your bank or credit card company really doesn’t give a damn if you need to put gas in your car, pay utility bills, or buy groceries.

Don’t Forget Your Automatically Scheduled Payments!

If all that weren’t enough, you still have to deal with all of the emails that start arriving telling you that the automatic payments you set up on your credit card (you know, the ones to your mobile phone company, Netflix, and the cable company) have all failed because your credit card is now canceled. This is followed by several hours of trying to remember who exactly you set automatic payments up with, and the individual logins to those accounts, so you can pay these vendors directly. (Wait, didn’t I have some other automatically scheduled payments? Oh, yeah! Patreon!! Oh wait. I also have a monthly recurring cloud storage charge too! Damn, how many have I forgotten?!?!!?)

Guess what? No one likes getting skimmed (and they’ll blame you—the business—because that’s what I’m doing!)

This is all true. I am the victim of a card skimming attack that involved FIVE THOUSAND DOLLARS in burner phones and prom dresses. (And to the scumbag, soul-sucking, #$%!!! loser, all I can say is Feroot is going to stop you!)

We’re pretty sure that the attack came from one of two places: our favorite pizza delivery place that uses a restaurant, point-of-sale, software-as-a-service (SaaS) solution or an online garden supplier that possibly was the victim of a malicious script embedded in a formjacking or JavaScript injection attack. In the case of the pizza place, we haven’t ordered from them since, because we just aren’t comfortable that their point-of-sale SaaS solution is safe. (And trust me, this hurts. We were once-a-week pizza and chicken wing orderers). As for the garden supplier, I had a friend ask where I had ordered my flowers. While I did give her the name of the online gardening source, I also attached the caveat that our credit card information had been stolen and that I wasn’t sure this business could keep her payment information secure.

Unfortunately, most folks may never know which business is responsible for the skimming attack, although a quick scan of the purchases you made on your credit card prior to the attack can provide some clues. 

And If the digital skimming attack is big enough, and the regulators get wind of it, there are cases where the attack may make the news, as in the notorious British Airways skimming attack that resulted in a $20 million dollar fine and a data breach involving 380,000 credit cards.

Dear AppSec: If You Read Anything, Please Read On From Here.

Now I want to go back to my soapbox, because…

  • Client-side threats are real—and your customers are the ultimate victims.
  • Businesses just aren’t paying enough attention to client-side security.
  • The client-side attack risk is growing as threat actors experience a decreasing ROI from server-side attack vectors.
  • Back-end intellectual property is NOT your only valuable possession. Your customers are one of your most valuable assets too.
  • Skimming attacks aren’t just about credit card data. Any kind of personally identifiable information (PII) available on dynamic web pages is fair game to a threat actor. This includes login credentials, names, addresses, phone numbers, social security numbers, and health care information.
  • Attacks aren’t just targeting e-commerce sites. Any business that touches payment information, credit card numbers, or PII is at risk of a client-side attack. This includes financial institutions, SaaS software solutions, media and entertainment companies, healthcare providers, cryptocurrency exchanges, and travel and hospitality.

I am fortunate. I can financially weather the storm while I wait for a new credit card. A lot of people can’t. Especially not if they’ve just been laid off. Or if they use their credit card to help supplement their income to put gas in their car to get back and forth to work. Yeah, I’ll say it one more time. A card skimming attack sucks. And they impact people financially.

What Is Client-Side Security and Why Is It Important to Protect Against a Card Skimming Attack?

Skimming attacks like this are the result of inadequate client-side security. 

The lack of knowledge and understanding about client-side security hit home recently for members of our team who attended the June Gartner SRM conference. Our team eventually got used to the quizzical expressions that appeared on attendees’ faces when we used the term “client-side security.” The response from attendees? Yes, we know what the “client-side” is, they countered. But, what is “client-side security?

This kinda blew our minds. And it really worries us.

Client-side security protects against a card skimming attack. It refers to the technologies and policies used to protect an end user from malicious activity that is occurring on dynamic web pages accessed from the end user’s own device.  It is also sometimes referred to as the “front end” in the context of code development for web applications. Client-side attacks have been increasing in both scale and cost since the beginning of 2020 as companies expand their investment in the end-user digital experience. This has created an unprecedented opportunity for threat actors to exploit end-user activities.
What is client-side security and why is it important to protect against a card skimming attack?

Businesses Have Ignored Client-Side Security, While Focusing on the Server Side

Ransomware, zero-days, advanced persistent threats (APTs), and software supply chain attacks dominate news headlines.

But this is only one half of the cybercrime story. The other half is client-side threats, i.e, attacks that focus on dynamic web pages accessed from the end user’s own device. E-skimming attacks just don’t happen at gas stations or on magnetic stripe readers with skimming devices embedded on them. Credit card numbers, card details, and PII are most often stolen via malicious scripts embedded in JavaScript code on dynamic web pages. As businesses become better at stopping server-side attacks, like zero days and APTs, the return on investment (ROI) decreases. Instead, threat actors are turning increasingly to client-side vectors like: Magecart attacks, E-skimming, Formjacking, JavaScript Injection Attacks, SQL Injections, and Cross-Site Scripting (XSS).

A card skimming attack happens when credit card numbers, card details, and PII are stolen via malicious scripts embedded in JavaScript code on dynamic web pages.
A card skimming attack happens when credit card numbers, card details, and PII are stolen via malicious scripts embedded in JavaScript code on dynamic web pages.

In the End It’s About Your Customers. Period.

I could spend the next few paragraphs waxing poetically about the various threats and the increase in attacks. I won’t do that. Instead I am going to say one thing. 

If you’re not paying attention to your client side security and the safety of your customers, then there is a serious problem with your security model. 

Harsh. Perhaps. But with inflation running rampant, gas prices sky high, and the threat of a major recession looming, no one should have to worry about whether they have a credit or payment card to make purchases to ensure they can drive to work or buy groceries for their kids’ lunches. In this economy—or any economy for that matter—people shouldn’t be concerned about their identities being stolen, or having their credentials compromised, or worrying that some scumbag, soul-sucking, #$%!!! loser is racking up the credit balance buying prom dresses and burner phones.

If you're not paying attention to your client-side security and the safety of your customers, then there is a serious problem with your security model.
Businesses need to pay attention to their client-side security to protect from card skimming attacks.

If You Agree, Do Something Now!

If you agree with me and you don’t want your customers to be a card skimming attack victim, then there are multiple steps you can take on the path to better client-side security.

Or better yet, just schedule a damn demo! It’s quick, easy, and can be done for your website. There’s no obligation and we won’t bug you if you decide Feroot’s not for you. On the other hand, we’re pretty sure that when you see what we can find on your website and learn how quickly we can help you fix it, you’ll want to know more.

If you care about your customers—if you hate skimming attacks as much as we do—then do something to improve your client-side security.

Free Assessment

Security for Everyone that Visits Your Website

Find out if your web application is hiding vulnerable, malicious, or dangerous code that could damage your customers and your business. No payment information required.