I am a credit card skimming attack victim. It happened about eight weeks ago, and to this day, we’re still dealing with the repercussions.
This is a true story. (Although I did substitute a few facts to protect the innocent.) And yes, while I work for Feroot, and this is appearing in our blog, I think it is important that cybersecurity professionals hear first hand from a card skimming attack victim—someone who is like every other customer that their business supports.
I also think it is important to let you know upfront that—YES—reputation damage is real. I have stopped engaging in online commerce with the two organizations that I suspect of being the possible source of the skimming attack—one of which we have done business with for over seven years.
I’ll get off my soapbox now, (for a few paragraphs at least), because I want you to hear my story. And after you’ve read this (and I hope you will read the whole blog), it’s my hope that you understand a little better how important standards like PCI DSS 4.0 are to client-side security.
Yup. A payment card skimming attack sucks.
Then there is the issue of contacting your bank to alert them to the fraudulent activity. And, let’s be honest here, interactive voice response systems stink, particularly when you’re freaking out that there’s a whopping FIVE THOUSAND DOLLARS in fraudulent charges on your credit card, and you have to keep repeating to a robot:
I want to speak to an agent.
I. want. to. speak. to. an. agent.
I WANT TO SPEAK TO AN AGENT!!!
But I digress.
In Case You Missed It…Let Me Say It Again…A Credit Card Skimming Attack Sucks
With your hands still shaking in fear and anger, you finally get to speak to a customer service agent. But that’s not the end of it. You have to let the agent know which purchases are legit and which are fraudulent…and suddenly you find yourself struggling to remember if you did, in fact, purchase a $12.99 meat claw (that happens to look like part of an X-Men costume…because… why not start barbecuing pulled pork since you’re stuck at home during Covid?)
Once you’ve run through the dozens of legitimate and illegitimate purchases, you’re still faced with disputing the fraudulent charges. Because contrary to most assumptions, while your bank or credit card company may temporarily remove the charges from your card, there is no guarantee they WILL remove the charges. They still need to conduct their own investigation to confirm the charges are, in fact, fraudulent before the charges are removed for good. And that could take a month or two. After that, you have to cancel your card. (And, in the case of our bank, you then listen to a pitch from the customer service agent on upgrading to additional benefits on your credit card. Really??!!??!!? You want me to upgrade? Are you sure you just heard me say that I had FIVE THOUSAND DOLLARS in fraudulent burner phone charges that you allowed on the current credit card, that apparently didn’t create a red flag for you?!!?!?!??)
Once you’re off your phone with the bank or credit card company, the waiting begins for that new little piece of grief-filled plastic to arrive. While you’re waiting, if you’re lucky, you have another payment card to make necessary purchases like gas and food. If not, well, I am sure you already know that your bank or credit card company really doesn’t give a damn if you need to put gas in your car, pay utility bills, or buy groceries.
Don’t Forget Your Automatically Scheduled Payments!
If all that weren’t enough, you still have to deal with all of the emails that start arriving telling you that the automatic payments you set up on your credit card (you know, the ones to your mobile phone company, Netflix, and the cable company) have all failed because your credit card is now canceled. This is followed by several hours of trying to remember who exactly you set automatic payments up with, and the individual logins to those accounts, so you can pay these vendors directly. (Wait, didn’t I have some other automatically scheduled payments? Oh, yeah! Patreon!! Oh wait. I also have a monthly recurring cloud storage charge too! Damn, how many have I forgotten?!?!!?)
Guess what? No one likes getting skimmed (and they’ll blame you—the business—because that’s what I’m doing!)
This is all true. I am the victim of a card skimming attack that involved FIVE THOUSAND DOLLARS in burner phones and prom dresses. (And to the scumbag, soul-sucking, #$%!!! loser, all I can say is Feroot is going to stop you!)
Unfortunately, most folks may never know which business is responsible for the skimming attack, although a quick scan of the purchases you made on your credit card prior to the attack can provide some clues.
And if the digital skimming attack is big enough and the regulators get wind of it, the attack may make the news, as in the notorious British Airways skimming attack, which resulted in a £20 million fine from the UK Information Commissioner’s Office and a data breach affecting roughly 380,000 payment cards.
Dear AppSec: If You Read Anything, Please Read On From Here.
Now I want to go back to my soapbox, because…
- Client-side threats are real—and your customers are the ultimate victims.
- Businesses just aren’t paying enough attention to client-side security.
- The client-side attack risk is growing. As back ends get harder to break into, the return on server-side attacks drops, and threat actors move to the browser, where every first- and third-party script runs with full access to the page and whatever the customer types into it.
- Back-end intellectual property is NOT your only valuable possession. Your customers are one of your most valuable assets too.
- Skimming attacks aren’t just about credit card data. Any personally identifiable information (PII) that passes through the browser, whether typed into a form or rendered on a dynamic web page, is fair game to a script running in that page. This includes login credentials, names, addresses, phone numbers, social security numbers, and health care information.
- Attacks aren’t just targeting e-commerce sites. Any business that touches payment information, credit card numbers, or PII is at risk of a client-side attack. This includes financial institutions, SaaS software solutions, media and entertainment companies, healthcare providers, cryptocurrency exchanges, and travel and hospitality.
I am fortunate. I can financially weather the storm while I wait for a new credit card. A lot of people can’t. Especially not if they’ve just been laid off. Or if they use their credit card to help supplement their income to put gas in their car to get back and forth to work. Yeah, I’ll say it one more time. A card skimming attack sucks. And they impact people financially.
What Is Client-Side Security and Why Is It Important to Protect Against a Card Skimming Attack?
Skimming attacks like this are the result of inadequate client-side security. In a digital skimming attack, JavaScript running in the customer’s browser (first-party code or one of the many third-party scripts a page loads) is modified or added so that it reads the payment form and quietly sends the card data to a host the attacker controls. The server never sees anything wrong, because the theft happens entirely on the client side.
The lack of knowledge and understanding about client-side security hit home recently for members of our team who attended the June Gartner SRM conference. Our team eventually got used to the quizzical expressions that appeared on attendees’ faces when we used the term “client-side security.” The response from attendees? Yes, we know what the “client-side” is, they countered. But, what is “client-side security?”
This kinda blew our minds. And it really worries us.
Businesses Have Ignored Client-Side Security, While Focusing on the Server Side
Ransomware, zero-days, advanced persistent threats (APTs), and software supply chain attacks dominate news headlines.
In the End It’s About Your Customers. Period.
I could spend the next few paragraphs waxing poetic about the various threats and the increase in attacks. I won’t do that. Instead I am going to say one thing.
If you’re not paying attention to your client-side security and the safety of your customers, then there is a serious problem with your security model.
Harsh. Perhaps. But with inflation running rampant, gas prices sky high, and the threat of a major recession looming, no one should have to worry about whether they have a credit or payment card to make purchases to ensure they can drive to work or buy groceries for their kids’ lunches. In this economy—or any economy for that matter—people shouldn’t be concerned about their identities being stolen, or having their credentials compromised, or worrying that some scumbag, soul-sucking, #$%!!! loser is racking up the credit balance buying prom dresses and burner phones.
If You Agree, Do Something Now!
If you agree with me and you don’t want your customers to be a card skimming attack victim, then there are multiple steps you can take on the path to better client-side security.
- Check out solutions that provide automated monitoring and inspection of the scripts your pages actually load and what those scripts do, to avoid the time and problems associated with manual code reviews.
- Or adopt an automated content security policy (CSP) tool to manage your policies and fix the weaknesses in them that a skimmer relies on: overly broad script-src or connect-src allowlists, ’unsafe-inline’ without a nonce or hash, a missing form-action, and no violation reporting.
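As an added example of the kind of CSP check such a tool automates (this is illustrative code written for this post, not Feroot’s product code), the snippet below parses a Content-Security-Policy header and flags the weaknesses a digital skimmer depends on: a script-src that lets injected or arbitrary script run, connect-src/img-src/form-action that leave an exfiltration channel open, and no reporting so you would never hear about a blocked attempt. The two policies and the hostnames in them are constructed for the example.

```javascript
// Added example (not Feroot's code): a small Content-Security-Policy audit
// focused on the directives that matter for digital skimming. A skimmer needs
// (1) to run script in the page and (2) a channel to send captured form data
// out, so the checks cover script sources, outbound channels, and reporting.
// All policies and hostnames below are constructed for the example.

// Parse a CSP header value into a Map of directive name -> source list.
function parseCsp(header) {
  const csp = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Browsers honour only the first occurrence of a directive.
    if (!csp.has(name)) csp.set(name, tokens.slice(1));
  }
  return csp;
}

// Fetch directives fall back to default-src when absent; form-action does not.
const FALLS_BACK_TO_DEFAULT = new Set(['script-src', 'connect-src', 'img-src']);

function effectiveSources(csp, directive) {
  if (csp.has(directive)) return csp.get(directive);
  if (FALLS_BACK_TO_DEFAULT.has(directive) && csp.has('default-src')) {
    return csp.get('default-src');
  }
  return null; // no restriction at all
}

// Source expressions that effectively allow any origin.
const OPEN_SOURCES = ['*', 'http:', 'https:', 'data:'];

function auditCsp(header) {
  const csp = parseCsp(header);
  const findings = [];
  const lc = list => list.map(s => s.toLowerCase());

  // 1. Script execution: can injected or third-party script run?
  const script = effectiveSources(csp, 'script-src');
  if (script === null) {
    findings.push('script-src: not set and no default-src, so any script can run');
  } else {
    const s = lc(script);
    const nonceOrHash = s.some(x =>
      x.startsWith("'nonce-") || x.startsWith("'sha256-") ||
      x.startsWith("'sha384-") || x.startsWith("'sha512-"));
    // Browsers ignore 'unsafe-inline' when a nonce or hash is present, so it
    // is only a finding on its own.
    if (s.includes("'unsafe-inline'") && !nonceOrHash) {
      findings.push("script-src: 'unsafe-inline' without a nonce or hash lets injected inline script run");
    }
    for (const src of OPEN_SOURCES) {
      if (s.includes(src)) findings.push(`script-src: source '${src}' allows script from arbitrary origins`);
    }
  }

  // 2. Exfiltration channels: fetch/XHR/beacon (connect-src), image beacons
  //    (img-src) and repointing the form itself (form-action).
  for (const directive of ['connect-src', 'img-src']) {
    const list = effectiveSources(csp, directive);
    if (list === null || lc(list).some(x => OPEN_SOURCES.includes(x))) {
      findings.push(`${directive}: unrestricted, captured data can be sent to any host`);
    }
  }
  if (!csp.has('form-action')) {
    findings.push('form-action: missing (does not inherit default-src), a skimmer can repoint the checkout form');
  }

  // 3. Visibility: without reporting, a blocked skimmer is still invisible to you.
  if (!csp.has('report-to') && !csp.has('report-uri')) {
    findings.push('no report-to/report-uri, violations are never reported');
  }
  return findings;
}

// Constructed policies: a permissive one that stops nothing, and a tightened one
// that allows only first-party script plus a nonce and one payment provider.
const WEAK_POLICY =
  "default-src * 'unsafe-inline' 'unsafe-eval'; script-src * 'unsafe-inline'";
const HARDENED_POLICY =
  "default-src 'self'; " +
  "script-src 'self' 'nonce-d3adb33f' https://pay.example-psp.com; " +
  "connect-src 'self' https://api.example-psp.com; " +
  "img-src 'self'; form-action 'self'; report-to csp-endpoint";

for (const [name, policy] of [['weak', WEAK_POLICY], ['hardened', HARDENED_POLICY]]) {
  const findings = auditCsp(policy);
  console.log(`${name}: ${findings.length} finding(s)`);
  for (const f of findings) console.log('  - ' + f);
}
```

Run with node: the weak policy produces six findings (two on script-src, one each for connect-src and img-src, a missing form-action, and no reporting) and the hardened one produces none. Note that report-to also needs a matching Reporting-Endpoints header, and that a nonce only helps if it is freshly generated per response; neither is something a header-only check can see, which is exactly why the monitoring in the first bullet matters as well.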
Or better yet, just schedule a damn demo! It’s quick, easy, and can be done for your website. There’s no obligation and we won’t bug you if you decide Feroot’s not for you. On the other hand, we’re pretty sure that when you see what we can find on your website and learn how quickly we can help you fix it, you’ll want to know more.
If you care about your customers—if you hate skimming attacks as much as we do—then do something to improve your client-side security.