Hackers Shop Online, Too...For Your Personal Data
E-Skimming is the Latest Way to Steal Your Personal Info
You may not be aware of it, but it is very likely that you have been a victim of card skimming. Remember the 2013 Target data breach? Over 41 million Americans’ credit card information was stolen from the retail giant’s point-of-sale systems. The good news: card skimming is on the wane. Companies have become a lot smarter about protecting their point-of-sale systems from hackers, and consumers are getting savvier about spotting card readers that have been tampered with. Here’s the bad news. (You knew it was coming, right?) Criminals have found a whole new way to steal your payment and other personal information. It’s called e-skimming, and it’s a lot harder to stop. But we’ll tell you how you can protect yourself.
Here’s how e-skimming works, according to the U.S. Department of Homeland Security. First, criminals gain access to the retailer’s system by using stolen user credentials or by taking advantage of security gaps. Then they insert a small, hard-to-detect piece of skimming code into the website’s credit card processing software. The skimming code sits there undetected and does one of two things: it sends the cardholder’s information to the hacker as the transaction goes through, or it temporarily redirects the customer to a fake site that captures the information they enter on the checkout page. Once the hackers have collected the victims’ information, they can use it themselves, sell it on the dark web, or both.
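For readers who run an online store, here is one way to look for the two behaviors described above: scripts loaded from a host you don't expect, and payment forms that post to a host you don't expect. This is an added example, not code from DHS or from this article's author; the site address, host names and sample page are constructed for illustration.

```javascript
// Added example: audit a checkout page's <script> and <form> tags against an allowlist.
// SITE_ORIGIN, ALLOWED_HOSTS and SAMPLE_HTML are constructed; substitute your own.
const SITE_ORIGIN = "https://shop.example";
const ALLOWED_HOSTS = new Set(["shop.example", "js.payments.example"]);

const SAMPLE_HTML = `
<form id="pay" action="/checkout/submit" method="post">...</form>
<script src="/static/cart.js"></script>
<script src="https://js.payments.example/v3/sdk.js" integrity="sha384-CONSTRUCTED" crossorigin="anonymous"></script>
<script src="https://cdn-analytics.example.net/t.js"></script>
<form action="https://secure-pay.example.org/collect" method="post"></form>
`;

// Return the value of one quoted attribute inside a single opening tag, or null.
function attr(tag, name) {
  const m = tag.match(new RegExp(`\\s${name}\\s*=\\s*["']([^"']*)["']`, "i"));
  return m ? m[1] : null;
}

// Flag scripts and form targets on hosts outside the allowlist, and allowed
// third-party scripts that carry no integrity (Subresource Integrity) attribute.
// Limitation: inline scripts have no src and are not inspected here.
function auditCheckout(html, origin, allowedHosts) {
  const findings = [];
  const siteHost = new URL(origin).hostname;
  for (const [tag] of html.matchAll(/<(script|form)\b[^>]*>/gi)) {
    const isScript = /^<script/i.test(tag);
    const ref = attr(tag, isScript ? "src" : "action");
    if (!ref) continue; // inline script, or a form that posts back to its own page
    const host = new URL(ref, origin).hostname; // resolves relative paths
    if (!allowedHosts.has(host)) {
      findings.push({ kind: isScript ? "script" : "form", host, issue: "unexpected-host" });
    } else if (isScript && host !== siteHost && !attr(tag, "integrity")) {
      findings.push({ kind: "script", host, issue: "missing-integrity" });
    }
  }
  return findings;
}

console.log(auditCheckout(SAMPLE_HTML, SITE_ORIGIN, ALLOWED_HOSTS));
```

Run against a saved copy of the checkout page on a schedule, a check like this turns an unexpected new host into an alert instead of something found months later.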
E-skimming is a serious and growing problem. Retailer Macy’s reported a large e-skimming breach in November 2019. In October, security company Check Point discovered that hackers had made $1.6 million on the dark web from a single sale containing more than 239,000 payment card records skimmed from thousands of websites. In late 2019, the cyber-security firm RiskIQ reported finding this type of malicious code on more than 18,000 web domains.
Unfortunately, it’s hard for you, as a card holder, to prevent e-skimming, but here are a few things you can do to minimize your risk:
- Use credit cards, not debit cards, to pay online. Here’s why: You can challenge transactions on a stolen credit card. It’s much harder and slower to get your money back if a hacker steals your PIN and uses a debit card to empty a bank account.
- Set up alerts on your cards, so you can detect unauthorized transactions right away and report that the card number has been stolen.
- Set up multi-factor authentication for as many kinds of transactions as you can.
- Consider getting a low-limit credit card that you use only for online purchases. That limits what a thief can spend, and it’s just one card to watch or cancel vs. several. You can also create virtual credit cards for one-time use at Privacy.com.
- Use a third-party payment processor such as PayPal or Venmo, so you don’t have to directly supply your personal information.
- Install security software on your devices and then keep it updated. If an e-skimmer directs you to a fake website, the security software may be able to detect that and alert you. If this does happen, contact the retailer and report the problem.
As with so many kinds of privacy fraud, the final line of defense against e-skimming is to be watchful. Check your credit card statements and payment accounts for unauthorized activity. You also have the ability to scan the dark web to know if your personal information has been stolen. If you haven’t signed up for MyIDCare’s CyberScan™ technology, you can try it for free here. If you find that your information has been stolen, you can take action before the identity theft causes serious problems.
Online shopping is so convenient that we’re not going to stop. (And in emergencies, such as the social distancing during the coronavirus outbreak, being able to buy online can literally be a lifesaver!) Ultimately, the makers of online payment software need to build stronger security into their products. But until then, we need to be prepared to defend ourselves.