Virtual Card Skimming Poses a New Security Threat for Ecommerce Sites

August 29, 2019         Written By Bill Hardekopf

After just 2.5 hours of research, Arxan Technologies found security holes on more than 80 global ecommerce sites. These retailers were unknowingly sending payment information to off-site servers through a process known as formjacking.

What Is Formjacking?

Formjacking is a form of virtual card skimming. Hackers insert malicious code into the checkout area of an ecommerce site, directing a copy of the payment information to their servers. The code is usually tied to a “submit” button, or some other step at the end of the transaction.

Much like traditional credit card skimmers, this code can be difficult to detect. It may remain on a website for months or even years before someone notices it. By that time, the hackers could have collected countless credit card numbers, names, addresses, etc.

What Do Hackers Do with Collected Data?

Typically, a hacker will not sell or use the payment information right away. Doing so would make the formjacking easier to detect and shut down. Instead, the hacker will sell the information on the dark web or wait a while before using the card details.

Data stolen through formjacking is often used for card-not-present fraud, an issue that has become increasingly common since America transitioned to chip cards. Smart chips make card data difficult to duplicate, so criminals are unable to create physical card duplicates. With card-not-present fraud, a physical card is not required. The criminal can simply input the card details online and complete a transaction.

How Can Ecommerce Sites Prevent Formjacking?

Cybersecurity companies are constantly adapting their systems to combat new threats. To avoid formjacking, ecommerce sites must implement multiple layers of security and run frequent security checks on their websites and apps. If a virtual card skimmer is detected, the code should be removed immediately, and customers should be notified of the incident.
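One form such a recurring check can take, shown as an added example that is not from the original article or from Arxan: a script that lists every host a checkout page loads scripts from or submits forms to, and flags any host that is not on an allow-list. The host names, the allow-list and the sample page are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumed allow-list: hosts this hypothetical shop expects its checkout to use.
ALLOWED_HOSTS = {"shop.example", "js.payments.example"}

class CheckoutAudit(HTMLParser):
    """Collect every URL the page loads script from or submits a form to."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self._check("script", a["src"], a.get("integrity"))
        elif tag == "form":
            # A form without an action posts back to the page itself.
            self._check("form", a.get("action") or self.page_url, None)

    def _check(self, kind, url, integrity):
        host = urlparse(urljoin(self.page_url, url)).hostname
        page_host = urlparse(self.page_url).hostname
        if host not in ALLOWED_HOSTS:
            self.findings.append((kind, host, "host not on allow-list"))
        elif kind == "script" and host != page_host and not integrity:
            # Allowed third party, but nothing pins the file's contents.
            self.findings.append((kind, host, "third-party script without integrity attribute"))

def audit(page_url, html):
    parser = CheckoutAudit(page_url)
    parser.feed(html)
    return parser.findings

# Constructed sample checkout page (not taken from any real site).
SAMPLE = """
<html><body>
<form action="/checkout/pay" method="post">
  <input name="card_number"><button type="submit">Pay</button>
</form>
<script src="/static/checkout.js"></script>
<script src="https://js.payments.example/v1/sdk.js"></script>
<script src="https://cdn-metrics.invalid/collect.js"></script>
</body></html>
"""

if __name__ == "__main__":
    for finding in audit("https://shop.example/checkout", SAMPLE):
        print(finding)
```

This covers only script sources and form targets in the served HTML; inline code or a modified first-party file needs the other layers the article mentions.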

The information contained within this article was accurate as of August 29, 2019. For up-to-date information on any of the terms, cards or offers mentioned above, visit the issuer's website.


About Bill Hardekopf

Bill Hardekopf is the CEO of and covers the credit card industry from all perspectives. Bill has been involved with personal finance for over 15 years. He is a frequent contributor to Forbes, The Street and The Christian Science Monitor.