The holiday season is a lucrative time for cybercriminals to target vulnerable shoppers. All payment platforms are potential targets for e-skimming, a rapidly evolving and increasing cyber threat. In October 2019 Forbes reported that over 18,000 websites were infested with Magecart card skimming malware. Magecart is an umbrella term given to dozens of cybercrime groups who steal payment card information and PII (personally identifiable information) by targeting online shopping cart systems, such as Magento or OpenCart. Macy’s recently disclosed that they suffered a Magecart breach in October 2019. Other notable Magecart victims include British Airways, Ticketmaster, Newegg, and the National Baseball Hall of Fame.
Typically, Magecart hackers obtain access to a website via third-party services in a supply chain attack. In an effort to avoid detection, the malware is embedded inside other code that appears harmless. Unbeknownst to merchants and consumers, payment credentials are captured as they are entered. Consumers receive their purchases; meanwhile, the hackers sell the viable credentials or use them for fraudulent purchases.
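A merchant-side check for the third-party script injection described above, added here as an example and not part of the original page: it inventories the scripts a checkout page loads, flags external sources whose host is not on an allowlist, and hashes inline scripts so the page can be compared against a known-good baseline. The sample HTML, the hostnames and the allowlist are constructed for illustration.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed checkout page: a first-party script, an allowed payment-provider
# script, an unexpected external script, and one inline script.
SAMPLE_CHECKOUT_HTML = """
<html><head>
<script src="/static/checkout.js"></script>
<script src="https://js.payments.example/v1/form.js"></script>
<script src="https://cdn-assets.example.net/jquery.min.js"></script>
<script>window.cartTotal = 42.00;</script>
</head><body><form id="checkout"></form></body></html>
"""

# Hypothetical allowlist: hosts the merchant has deliberately approved to
# serve script on checkout pages (own host plus the payment provider).
ALLOWED_SCRIPT_HOSTS = {"shop.example", "js.payments.example"}


class ScriptInventory(HTMLParser):
    """Collects external script URLs and SHA-256 hashes of inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external = []       # src attribute of every <script src=...>
        self.inline_hashes = []  # sha256 hex of every inline <script> body
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline, self._buf = True, []

    def handle_data(self, data):
        if self._in_inline:  # script content is delivered here as raw text
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            self._in_inline = False
            body = "".join(self._buf).strip().encode()
            self.inline_hashes.append(hashlib.sha256(body).hexdigest())


def audit_scripts(html, page_host, allowed_hosts):
    """Return (unexpected external script URLs, inline script hashes)."""
    inv = ScriptInventory()
    inv.feed(html)
    # A relative src (no host) is served by the page's own host.
    unexpected = [s for s in inv.external
                  if (urlparse(s).hostname or page_host) not in allowed_hosts]
    return unexpected, inv.inline_hashes
```

Any URL in the unexpected list, or any inline hash that differs from the stored baseline, is a change to the checkout page's script set that should be investigated before the page keeps taking payments.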
To avoid being a victim of cybercrime, follow these security best practices:
- Shop at websites you trust. Review a website’s contact and about pages. If a store is less than a year old or located in a high threat area like China or Russia, reconsider. In addition, a Website Reputation Checker is available at https://www.urlvoid.com/ and provides website safety status based on reports from multiple vendors along with the server location.
If sales are the secondary purpose of a website, it may not be as safe as a website primarily focused on e-commerce. For example, a cooking website mainly providing recipes may also offer products for sale as a secondary option but may not have strong security in place.
- Avoid smaller, lesser-known websites that may lack the same level of security as larger, established companies, which have typically committed substantial resources to cyber security.
- Avoid entering credit card details. Large websites like Amazon store payment information in the account so it does not have to be fully entered every time you make a purchase. In addition, some smaller shops now offer Amazon Pay.
Use Apple Pay, PayPal, or similar payment systems that generate a one-time token for each transaction that cannot be re-used and enable you to avoid entering payment information directly into an e-commerce site.
- Use a credit card instead of a debit card. Most credit cards have built-in fraud protection; however, any suspicious activity should be reported immediately.
- Review activity and monthly statements. Small test charges are sometimes made to determine if a card is active – no matter how small suspect charges are, they should be reported immediately since they may be indicative of fraud.
- Activate transaction alerts on credit cards and bank accounts.
- Use a virtual or disposable credit card. Though not widely available, some credit card issuers offer a unique, virtual credit card number for online use that links to your main credit card account and allows you to set parameters, such as a designated merchant, one-time purchase, spending limit, or expiration date. For example, a virtual credit card with a set monetary limit and expiration date could be established for a child to do online holiday shopping. If the merchant is breached, the hacker will only have access to the virtual account number, not the customer’s credit card account. Contact your credit card issuer to determine availability and specifics.
- Consider credit monitoring, which is available from many companies including Privacy Guard, Credit Karma, Equifax, TransUnion, and Experian. There are many Internet articles available that can assist in selecting a plan for your needs.
- Use strong, unique passwords. Do not use the same password on multiple accounts because if a company is compromised, hackers will typically try the password on other websites. Use multi-factor authentication whenever available.
- Do your online shopping at home and make sure your wireless network is protected.
- Make sure your connection is secure when making a purchase. To verify your connection is secure, always confirm the address bar of your browser starts with https:// (not http://). The "s" stands for secure and indicates the data being transmitted is encrypted. Beware that the small lock icon in your browser does not necessarily mean the site is trustworthy; it only indicates an encrypted connection. Cyber criminals are increasingly adding it to scam websites in their efforts to deceive people.
- Do not click on links in emails, and never log in to a website via an email link. Instead, open a browser and hand type the website address.
- Be cautious of phishing and SMiShing scams with fake shipping notifications and tracking alerts. Go to the online retailer and follow the tracking link, or search the tracking number provided to determine if it is legitimate instead of clicking on the included link.
If you are a victim of e-skimming or other cyber fraud, file a complaint with the Internet Crime Complaint Center www.ic3.gov.