Payment cards like credit or debit cards are useful tools for transactions, but for such advanced cashless technology, criminals are still able to steal cash right out of people’s pockets. These criminals aptly referred as card skimmers, plant devices into ATMs or collaborate with actors who handle your cards (e.g. dishonest cashiers and waiters) in order to steal your card’s credentials.
Afterward, criminals can have their way with making fraudulent or unauthorized transactions, or sell, or in some cases hold ransom, your card’s credentials.
Payment card skimming can happen even without a physical card
Every day, billions of online shoppers enter their credit card details, trusting the e-commerce website that the data entered is transferred to the right machine. In the 2020 COVID-19 Pandemic, many more people shop online than ever, which presents a golden opportunity for online skimmers.
Unfortunately, hackers have figured out ways to skim payment card information even without requiring the presence of a physical card. This method uses scripting attack, which is to inject malicious code into a website’s JavaScript, effectively tricking the website to send the information to the hacker’s data collector.
Unlike phishing and trojan virus attacks, which rely on human error, the scripting attack is a lot more sophisticated and can be done without user intervention. There are three layers of security that hackers must breach:
- Javascript files access
- Backend access
- CMS security plugins
Many people do not build websites from scratch, however, those who do must learn a great deal about protecting input fields from cross-site scripting (XSS) attacks. A quick fix is to transform anything that is written in the input fields into normal text (string). So if someone were to type in a Javascript code into an input field, the website will not render it as a valid Javascript code. However, additional layers of protection are required to ensure that Javascript code is not injected in any other way.
Many businesses build their e-commerce using content management systems (CMS) like WordPress or Shopify. These are usually equipped with authentication systems to allow only admins to access the backend. However, it is possible to gain access to the backend by brute force — in which a software tries to guess the credential details. Once the backend is accessible, hackers can gain access to the source code and inject from there.
Another way is to infect third-party plugins (which are essentially Javascript libraries) so that hackers can indirectly inject their skimming code into not just one website, but every website that uses the plugin.
PCI DSS Compliance is more than just installing a security plugin
Cybersecurity cannot truly be enforced by only installing the best software or plugin for your system, website, or application. A system-wide evaluation, from the source code to data transfer maps, must be implemented.
Xynexis PCI DSS Certification will not only assess whether or not your digital business will handle data responsibly. We also assess possible ways in which external parties are able to hack into the source code and inject malicious code.
Learn more about Xynexis PCI DSS Certification.
