What is skimming in cybersecurity?

What is skimming in cybersecurity? Skimming in cybersecurity refers to cybercriminals’ strategies for capturing and stealing cardholders’ personal payment information. Identity thieves use various approaches to obtain card data. One of the most advanced methods is using a small skimming device designed to read a credit card’s microchip or magnetic strip information. Criminals can execute skimming attacks whenever a cardholder opts for electronic payment methods in a physical location.

Digital skimming methods are also widespread. Often referred to as e-skimming, digital skimming is similar to card skimming. The main difference is that hackers can execute e-skimming remotely and collect card information in real-time.

Why you should be worried

According to the Kaspersky Security Bulletin Statistics of the Year Report, unique malicious objects increased by 13.7% in 2019. Web skimmer files largely contributed to the growth since they registered a 187% rise, reaching a total of 510,000. The web skimmers were also among the top 20 online malicious objects, sitting at position ten.

With the outbreak of COVID-19, most countries enforced lockdowns to contain the virus from spreading. Subsequently, online shopping increased tremendously, and so did credit card skimming. Malwarebytes reported a 26% increase in credit card skimming in March 2020 compared to the previous month. Although there was a small rise of 2.5% in web skimming blocks from January to February before the 26% increase in March, Malwarebytes holds that the trend will continue rising in the coming years.

Credit card skimming accounts for 30% of all data breaches targeting retailers. Attributing nearly a third of retail data breaches to credit card skimming signifies how widespread the vice is. The situation worsens since at least 60% of websites lack HTTPS security, leaving credit card information exposed to e-skimmers. It is also vital to note that of the reported credit card skimming attacks, 87% target self-service stations like petrol stations.

What is skimming in cybersecurity? – The 4 types

Credit card skimming

Debit and credit card skimming occurs in different forms. These include:

1.  Hand-held point of sale skimming

Similar to other types of attacks, insider threats are the most common in skimming schemes. A hand-held skimming method is where an insider, such as a waiter or store clerk, uses a skimming device to copy credit card details. Cybercriminals mostly employ the tactic in retail establishments. An adversary only requires to swipe the credit card in a skimming device to capture the information stored in the magnetic stripe. The information can be downloaded later for use in malicious activities. With skimming devices being small, adversaries can conceal them easily, making hand-held POS skimming common.

2.  POS swaps

POS swaps are prevalent skimming methods in cybersecurity. The process entails fraudsters replacing a secure POS device with one whose protection features have been compromised. Also known as POS device tampering, a POS swap attack occurs once adversaries tamper with a POS and PIN entry device. Cybercriminals usually steal the devices from specific retailers and manipulate them by infecting them with malware or placing a small skimming device in the terminal software. A fraudster then returns the compromised devices and waits for the skimming devices to copy and collect card data from all customer transactions. The cybercriminals wait for an opportune time and come back to replace the skimming devices and steal the copied card data.

3.  Self-service skimming

Criminals execute self-service skimming attacks on self-service terminals, such as ATMs, gasoline pumps, and other similar terminals. Cyber adversaries usually pose as technicians to gain easy access to the service terminals and install a skimming device. The fraudsters install the devices inside the terminals’ enclosures such that they cannot be detected from the outside.

Attackers then connect the devices directly to the service terminals’ card readers and keypads such that they copy all card PINs and data once a user swipes them. Some criminals use advanced skimming devices to relay the copied information through wireless technologies, such as Bluetooth, to a computer hidden in a close location. Other fraudsters enhance their methods by installing pinhole-sized cameras in strategic locations to collect PIN information as soon as a customer enters it. Card data and PIN details provide criminals with enough information to compromise credit cards and use them nefariously.

4.  Dummy ATMs

Despite not being common today compared to yesteryears, dummy ATMs pose significant threats to the cybersecurity industry. Dummy ATMs resemble actual entry-level and smaller ATMs, usually purchased online, but do not dispense any cash. Criminals use dummy ATMs for the sole purpose of collecting card PIN details and data. Cyber adversaries set up the dummy ATMs in high-traffic areas to trick more people into inserting their cards.


Security researchers recently discovered e-skimming, which is a new skimming threat in cybersecurity. Compared to the pervasive skimming schemes, where attackers usually place skimming devices in physical POS systems and later collect the copied data, e-skimming can be done remotely. The difference permits e-skimmers the ability to pull off the attack from any part of the world.

E-skimming occurs when a cybercriminal inserts malicious software into a retailer’s website and uses it to steal credentials. It is harder to detect since it does not involve the tampering of a physical facility. Customers may perceive that they are checking out using their debit or credit cards, whereas hackers use malicious software to steal payment information in real-time. Attackers use the stolen information for harmful reasons or sell it to multiple criminals on the dark web. The website owner can only discover an e-skimming scheme through an investigation.

An e-skimming campaign usually involves several hacking groups that collaborate in developing strategies for targeting vulnerable websites. Hackers compromise website security by hacking into the site’s web server or breaking into a web server used to support multiple websites. The attackers then introduce a malicious skimming code in websites with exploitable vulnerabilities.

A malicious script known as Magecart is involved in all e-skimming attacks; hence the attacks are referred to as Magecart Attacks. Hackers commonly introduce the Magecart script by hacking administrative control or using phishing methods and places the code using compromised accounts. Besides, cybercriminals can hide the malicious skimming code in a website’s JavaScript to compromise third-party suppliers. Compromising third-party suppliers provide hackers with instant access to thousands of victims. The Magecart skimming script captures user account and credit card information and sends it to a specified server.

Recent e-skimming cases

1.  Macy’s

Macy’s, a U.S. department store chain, was the victim of a Magecart script attack in October 2019. The store released an official statement that revealed that attackers had installed the malicious script on two pages of its official website; checkout page and macys.com. The malicious code collected customer card information, such as credit card numbers, expiration dates, addresses, customer names, phone numbers, and card verification codes.

2.  Puma

Puma’s Australian was a victim of the Magecart malicious script. According to Willem de Groot, a security researcher, the hidden code skimmed the credit card details of all customers who used the website for online shopping during the checkout process. The stolen information included credit card names, numbers, and customer addresses, transferred to a remote server in Ukraine.

3.  British Airways

British Airways was a victim of the same malware, and the incident saw the theft of more than 380,000 credit card details. Hackers had injected the malicious code on the company’s global website and scraped various credit card data. The stolen information included billing addresses, names, bank details, and names.

Skimming and identity theft

Identity theft often entails chipping away a victim’s digital identity as opposed to being a single incident. Skimming in cybersecurity permits criminals to access hard-to-get digital information, such as login credentials, emails, bank accounts, and social security numbers.

Card skimming breeds identity skimming since attackers typically execute independent incidents using different methods and malware. A successful skimming attack gives fraudsters enough time to maliciously use the credit card information before the owner or bank notices the fraudulent activities. Although cardholders may be lucky enough to get a refund of the misused funds, the damage is usually irreparable.

For instance, card skimming provides criminals with access to the encoded information, including the cardholder’s CVV number, country code, expiration date, card number, and full official names. Fraudsters can use the information to commit various crimes or sell them on the dark web. Besides committing nefarious actions, cybercriminals can use a skimmed card to get a timestamp of all the cardholders’ activities and locations. As such, skimming not only compromises the security of the victims’ identity, but it also threatens their privacy.

Card skimming leads to the theft of vital identity information. Cybercriminals often withdraw all funds before the owner discovers, others create clone cards and disperse them to be used for calculated fraudulent activities, while others play a waiting game. The waiting game is where fraudsters make small and infrequent cash withdrawals or purchases to avert detection among the cardholders or banks.

Recently implemented skimmer laws require victims to report skimmers within 24 hours of discovery, but law enforcement agencies will not share the skimmer locations. As such, card users seeking to prevent potential skimmer fraud are left vulnerable to instances of identity theft. Therefore, the most effective way of preventing identity theft through skimming is to closely monitor card statements to flag unaccountable or suspicious card activities.

Who is at risk the most?

All e-commerce websites that lack sufficient security systems are at risk of being a victim of skimming attacks. Hackers evolve and use new attacking methods frequently to realize a higher success rate. Websites that lack the latest security controls are vulnerable to skimming incidents.

A recent report showed that 1 out of 5 Magecart-infected stores is re-infected within several days of the initial infection. It is essential to clean infected systems and mitigate or patch underlying vulnerabilities to prevent a re-infection. Otherwise, evolving threats could easily lead to re-infection. Additionally, open-source applications like Magento are vulnerable to skimming attacks unless they are frequently patched.

Measures for curbing skimming in cybersecurity

Account monitoring

It is essential for cardholders to routinely monitor their card and bank accounts to identify suspicious transactions. Consumers typically have a window of time to dispute unaccountable charges if they become victims of an e-skimming campaign. Stolen card credentials can be used or sold to other criminals, and reporting abnormal card usage behavior shields cardholders from accepting the responsibility of illegal usage of the card information.

Prioritize low-limit cards

Cardholders should ensure they use low-limit credit cards when making online purchases and transactions. A low-limit card provides the option of restricting the maximum amount charged on the credit card. If a hacker pulls a successful e-skimming attack, a low-limit card can minimize the damage a criminal can do on a stolen card. As such, it is easy to establish if the credit card information has been compromised, depending on card usage.

Pre-plan online shopping

It is a recommended practice for a consumer to plan what to purchase and from which online retailers. While pre-planning assists consumers to stick to their shopping budgets, it plays an essential role in preventing users from being lured into accessing numerous online accounts. Purchasing items from multiple online stores spread the credit card information from one website to another, increasing the possibility of encountering an e-skimmer. Limiting online shopping locations reduces the risks of a consumer becoming a victim of an e-skimmer.

Shop from trusted websites

The more trusted an online retailer is, the higher the possibility that the retailer has implemented robust security protocols to protect card information. Also, consumers should only shop from secure websites. Secure websites implement SSL certificates, which encrypt the information exchanged between a client and a server. Websites with security encryption protect card information from e-skimming practices.