Card-skimming devices hidden on gas station card readers or carefully integrated into ATMs used to be especially troubling for merchants and consumers, but retailers and financial institutions (FIs) have stepped up their measures to protect physical card readers in recent years. Those efforts have reduced the threat of fraud at physical payment terminals, but many consumers are now shifting to shopping digitally.
Consumers are catching on to eCommerce’s convenience and seamlessness, especially as visiting brick-and-mortar stores now carries potential health risks. This trend, however, has prompted many fraudsters to follow in consumers’ digital footsteps. Many cybercriminals are now conducting eSkimming attacks designed to steal card data online instead of putting in the time and effort to launch schemes that involve tampering with physical card terminals, said Lindsay Land, vice president of operations at Consumers Credit Union.
“I would imagine that, if I were in the fraudster’s shoes and had to go put a physical skimmer at a grocery store that has 20 terminals, that might be more challenging or [require] more effort than to try to put software and malware on the payments space,” she explained. “You look at the scope of what they would need to do, and it may be easier and more attractive on the digital side.”
Land recently spoke with PYMNTS about the growing threat eSkimming presents, and detailed how payments tokenization and phishing awareness campaigns can keep consumers safe from these and other fraud tactics targeting eCommerce.
Safeguarding Card Details
eSkimming involves cybercriminals inserting malicious scripts into merchants’ websites to steal debit and credit card data, but Land noted that ensuring there is no data to be captured is a powerful way to thwart this type of fraud. Shoppers who make payments using digital wallets are protected by tokenization, which gives merchants one-time identifier codes to verify transactions rather than card details. This prevents fraudsters from obtaining and using customers’ debit or credit credentials for illegitimate transactions.
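An added example, not from the article or from any wallet provider: a simplified model of the one-time token flow described above, showing that a copy of the checkout data contains no card number and is declined when replayed. `TokenVault`, the merchant IDs and the token format are hypothetical, and real wallet and card-network tokenization schemes differ in detail.

```python
import secrets
from dataclasses import dataclass

@dataclass
class Entry:
    pan: str            # real card number, held only by the token service
    merchant_id: str    # merchant the token was issued for
    amount_cents: int   # amount the token was issued for
    used: bool = False

class TokenVault:
    """Hypothetical stand-in for the wallet provider's token service."""
    def __init__(self):
        self._entries = {}

    def issue(self, pan, merchant_id, amount_cents):
        # Random, single-use identifier; carries no card data itself.
        token = "tok_" + secrets.token_urlsafe(16)
        self._entries[token] = Entry(pan, merchant_id, amount_cents)
        return token

    def redeem(self, token, merchant_id, amount_cents):
        entry = self._entries.get(token)
        if entry is None:
            return "declined: unknown token"
        if entry.used:
            return "declined: token already used"
        if (entry.merchant_id, entry.amount_cents) != (merchant_id, amount_cents):
            return "declined: token not valid for this merchant/amount"
        entry.used = True
        return "approved: card ending " + entry.pan[-4:]

def checkout_payload(vault, pan, merchant_id, amount_cents):
    """Data the merchant's checkout page handles: a token, never the PAN."""
    return {"merchant_id": merchant_id, "amount_cents": amount_cents,
            "payment_token": vault.issue(pan, merchant_id, amount_cents)}

def demo():
    vault = TokenVault()
    pan = "4111111111111111"  # constructed sample: standard test card number
    payload = checkout_payload(vault, pan, "shop-a", 2599)
    captured = dict(payload)  # everything a script on the page could copy
    first = vault.redeem(payload["payment_token"], "shop-a", 2599)
    replay = vault.redeem(captured["payment_token"], "shop-a", 2599)
    other = checkout_payload(vault, pan, "shop-a", 2599)["payment_token"]
    elsewhere = vault.redeem(other, "shop-b", 2599)
    leaked = pan in str(captured)  # is the card number in the copied data?
    return first, replay, elsewhere, leaked
```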
Consumers could similarly protect themselves by using third-party payment services at checkout. Customers save debit and credit card information to their third-party payment accounts, enabling them to log into those accounts and have those payments charged to their cards without providing card numbers, card verification value (CVV) codes or other details to merchants. These options may not use tokenization, but still avoid revealing customers’ sensitive card details. Land said such efforts are important because shoppers’ chances of falling victim to data theft increase each time they are required to enter their card details to shop with new merchants or enable digital transactions.
“It’s great to educate members and consumers that if there is an option to pay via tokenized transaction on a merchant’s website, [they should] take that opportunity,” Land said. “Even paying through a third party such as PayPal [helps, because in both situations] you’re not putting your card information directly into the website where malware might exist to skim that information. Anytime you limit the number of times your card information is out there, it helps to reduce your risk.”
Consumers must also ensure that they are not sharing their details on illegitimate sites. Bad actors sometimes create phony sites that resemble those of well-known sellers, but steal consumers’ card data when it is entered at checkout.
Shoppers can protect themselves from this illicit activity by carefully monitoring and confirming site details, establishing that the website address displays a lock icon (which indicates a secure connection) and visiting platforms directly rather than arriving at them via ads, Land said. Fraudsters often plant advertisements on social media platforms that link to fake retail sites, enabling them to prey on distracted consumers or those whose vigilance slips. FIs can also offer customer outreach that raises awareness of these kinds of ploys.
Even the best attempts to block fraudsters will only go so far, and FIs must be prepared to control the damage when cybercriminals’ attacks are successful. The ability to quickly detect when something has gone awry is key in this regard, and Land said that FIs may find it helpful to leverage tools that monitor the dark web for mentions of customers’ personal details. Doing so could help FIs quickly spot merchant data breaches affecting their customers, allowing them to swiftly reissue payment cards and advise consumers to change their retail account passwords.
Fraudsters continue to innovate, and FIs’ defenses are growing more sophisticated to keep pace. Retailers and FIs have become more adept at combating skimming attacks against physical POS terminals, but the rise of eCommerce has prompted cybercriminals to turn to eSkimming schemes instead. It will be up to FIs to deploy tokenization and other strategies to keep bad actors in check as more consumers go digital.