Virtual Card Skimming Poses a New Security Threat for Ecommerce Sites
After just 2.5 hours of research, Arxan Technologies found security holes on more than 80 global ecommerce sites. These retailers were unknowingly sending payment information to off-site servers through a process known as formjacking.
What Is Formjacking?
Formjacking is a form of virtual card skimming. Hackers insert malicious code into the checkout area of an ecommerce site, directing a copy of the payment information to their servers. The code is usually tied to a “submit” button or some other step at the end of the transaction.
Much like traditional credit card skimmers, this code can be difficult to detect. It may remain on a website for months or even years before someone notices it. By that time, the hackers could have collected countless credit card numbers, names, addresses, etc.
What Do Hackers Do with Collected Data?
Typically, a hacker will not sell or use the payment information right away. Doing so would make the formjacking easier to detect and shut down. Rather, the hacker will sell the information on the dark web or wait a while to use the card details.
Data stolen through formjacking is often used for card-not-present fraud, an issue that has become increasingly common since America transitioned to chip cards. Smart chips make card data difficult to duplicate, so criminals are unable to create physical card duplicates. With card-not-present fraud, a physical card is not required. The criminal can simply input the card details online and complete a transaction.
How Can Ecommerce Sites Prevent Formjacking?
Cybersecurity companies are constantly adapting their systems to combat new threats. To avoid formjacking, ecommerce sites must implement multiple layers of security and run frequent security checks on their websites and apps. If a virtual card skimmer is detected, the code should be removed immediately, and customers should be notified of the incident.
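
One check of this kind, as an added example that is not from the original article or from Arxan: it parses a checkout page's HTML and reports any script source or form action that points to an off-site host the retailer has not approved. The sample page, hostnames, and allowlist are constructed for illustration, and the check covers only what is visible in the served HTML.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class CheckoutAudit(HTMLParser):
    """Collect the places a checkout page loads script from or posts data to."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.refs = []  # (kind, absolute URL, has integrity attribute)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.refs.append(("script", urljoin(self.page_url, a["src"]), "integrity" in a))
        elif tag == "form" and a.get("action"):
            self.refs.append(("form", urljoin(self.page_url, a["action"]), False))


def audit_checkout(html, page_url, allowed_hosts):
    """Return findings for off-site hosts the page is not expected to use."""
    parser = CheckoutAudit(page_url)
    parser.feed(html)
    site = urlparse(page_url).hostname
    findings = []
    for kind, url, has_sri in parser.refs:
        host = urlparse(url).hostname
        if host == site:
            continue  # first-party reference
        if host not in allowed_hosts:
            findings.append((kind, host, "host not on allowlist"))
        elif kind == "script" and not has_sri:
            findings.append((kind, host, "allowed host, no integrity attribute"))
    return findings


# Constructed sample page; every hostname here is made up for the example.
SAMPLE = """
<form action="/checkout/pay" method="post"><input name="card"></form>
<script src="/static/checkout.js"></script>
<script src="https://pay.example.net/sdk.js" integrity="sha384-PLACEHOLDER"></script>
<script src="https://cdn.example.org/analytics.js"></script>
<script src="//stats-collect.example/c.js"></script>
"""
ALLOWED = {"pay.example.net", "cdn.example.org"}  # assumed approved third parties

if __name__ == "__main__":
    for finding in audit_checkout(SAMPLE, "https://shop.example/checkout", ALLOWED):
        print(finding)
```

Run on a schedule against the live checkout page, a new entry in the findings is the signal to investigate.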