Digital Skimming: the Definitive Guide for 2024

“Vague but exciting”. That was the hand-written comment a CERN employee received from his boss on the corner of a proposal, allowing him to continue. That was 35 years ago. The CERN employee was Tim Berners-Lee. And his proposal became the World Wide Web. Now, out of the nearly 8 billion people in the world, 5.35 billion of them, or around 66% of the world’s population, have access to the internet, the infrastructure that carries the World Wide Web.

This has changed how we shop, bank, and game. But also, how we deal with customers, suppliers, and each other. However, technology is morally neutral; it can be used for good and ill. So, it has also changed how we swipe, skim, and steal data. Card skimming when criminals install devices on physical card terminals or ATMs to steal card data has gone digital. With the global e-commerce market set to exceed $4 trillion in 2024, digital skimming has considerable headroom for growth. 

In this guide, we examine:

• What is Digital Skimming?

• How Much of a Problem is Digital Skimming?

• What is the Business Impact of Digital Skimming?

• How Does Digital Skimming Work?

• Which Businesses Are the Main Targets For Digital Skimming

• How Do Magecart Attacks Relate to Digital Skimming?

• How Did Digital Skimming Get So Big?

• How Do Businesses Protect Against Digital Skimming Attacks?

• What Are the Digital Skimming Requirements in PCI DSS v4

• How Does Jscrambler Identify the Presence of Digital Skimming?

What is Digital Skimming?

Digital skimming attacks involve stealing sensitive data inputted by users into web forms. Frequently this is payment data from online checkout pages, although it also includes personally identifiable information, or PII for short, from other web forms.

Digital skimming goes by many names, including e-skimming, data skimming, and formjacking. Then there are the more specific terms of JavaScript attacks or Magecart attacks, which hint at how digital skimmers work.

In summary, the modus operandi of a digital skimming attack is similar. Criminals exploit vulnerabilities in a website’s code or infrastructure to harvest data. Digital skimming attacks are hard to detect as the payment process is unaffected. The customer gets their goods or services and the merchant gets paid. Both parties are unaware that a compromise may have occurred. 

How Much of a Problem is Digital Skimming?

Digital skimming is a big, bad problem. Both quantitatively in terms of the size of the problem, and qualitatively in terms of the impact to organizations and end-customers or users.

Reported data breaches rose around one-third in 2023, with more than 17 billion personal records compromised. Some of the largest cyberattacks in 2023 involved data security breaches. 

For example, international telecoms giant T-Mobile admitted in January 2023 that 37 million customers had their personal and account information accessed. Meanwhile, in August 2023, the UK’s Electoral Commission said that the personal data of 40 million UK voters had been exposed. The theft of sensitive personal data puts individuals at risk of follow-on attacks.

What is the Business Impact of Digital Skimming?

The fully loaded costs of a data breach to a business could be massive. These include the direct costs of lost revenue, incident response, fines, and breach notification.

For example, casinos operated by MGM Resorts International were taken down by a cyberattack last year, costing $100 million. And one of the UK's largest privately owned logistics firms was forced to close in 2023, following a ransomware attack.

There are indirect costs associated with a digital skimming attack, namely the loss of brand value, reputation, and trust. DNA testing firm 23andMe learned this last year when more than 6 million users had their profile information accessed by attackers.

 

How Does Digital Skimming Work?

In general, there are four stages in a digital skimming attack:

1. Initial breach

Criminals gain access to the source code of the server of an online store either as a first-party attack or by compromising a third party. Often this is by exploiting software vulnerabilities, deploying malware, or using stolen (or phished) credentials.

2. Code injection

Criminals inject malicious code to compromise payment pages. They evolve their methods. And tailor them depending on whether payment forms appear directly on pages or are embedded using an iFrame.

JavaScript attacks, as the name suggests, target the programming language used by more than 98% of websites to create interactive pages. 

3. Data exfiltration

The harvesting of data occurs when consumers enter their payment details to complete their purchases on compromised payment pages. Or enter personal data on online forms. The malicious code covertly skims and collects the information, often encrypting it, before sending it to the attacker’s remote server.

4. Monetization

Criminals monetize stolen data by using it to make unauthorized, fraudulent purchases for goods to re-sell for cash. Or by selling the data to other criminals.

Which Businesses Are the Main Targets for Digital Skimming

In the modern economy, data equals money. That makes almost every business, regardless of size, turnover, or industry sector a target for digital skimming:

• E-commerce 

• eSports

• Financial services

• Gaming

• Healthcare

After all, every business holds data about customers, staff, or partners: customer lists, payroll data, and supplier bank details. Sensitive card data, such as card numbers, expiry dates, and 3-digit security codes, is a case of where data equals money. 

Criminals can sell data stolen from card skimmer attacks on underground forums. They can use it themselves to create fake cards to withdraw cash from ATMs. Or buy things to sell for profit. They’ve become adept at digital hold-ups. They rob banks but also payment service providers, retailers, and other businesses that store, process, or transmit data.

How Do Magecart Attacks Relate to Digital Skimming?

Magecart attacks are named after ‘Magento’, the primary open-source e-commerce platform, and shopping ‘cart’. Magecart also refers to the criminal group active since 2015 carrying out such attacks.

In a Magecart attack, criminals inject the digital skimmer through malicious JavaScript code. This actively monitors the payment page and steals sensitive card data whenever a user enters it into a form. This is then sent to servers controlled by the attackers.

Magecart attacks typically attack the payment pages of e-commerce websites either as a first-party attack or a third-party attack.

• First-party attack – criminals access the victim’s website and directly place the digital skimmer on the payment page. Examples include the 2018 attack on British Airways, which leaked over 400,000 card details, and the 2022 attack on the Segway online store.

• Third-party attack – criminals inject malicious code via a third-party provider that the victim organization is using. Also known as a supply chain attack, it is particularly pernicious as modern websites rely on 13 different pieces of third-party code on average, but up to 35, to run functionality on web pages. Each of these could present attackers with a way-in. 

For example, in 2020 ticketing company Ticketmaster UK Limited was fined £1.25 by the UK data protection regulator for failing to keep its customers’ personal data secure. This followed a 2018 breach when a third-party chatbot installed on the payment page was infected with malware, enabling criminals to steal sensitive card data.

How Did Digital Skimming Get So Big?

The Internet was designed for sharing and collaboration, not banking, shopping, and telemedicine. 

How web applications are built has also changed over time. The business intelligence has moved from web servers, owned and managed by companies, into the consumer web browser, powered by JavaScript, distributed APIs, and microservices.

As a result, any JavaScript running on a web page can access all data entered into form fields on that page. With no separation between different parts of the application, this makes data susceptible to attack.

How Do Businesses Protect Against Web  Skimming Attacks?

The first step in keeping your customers’ data and business safe is understanding the threats out there. Specifically, digital skimming and web app attacks, malware, and unauthorized access.

Next, put in place controls to prevent unauthorized access to sensitive data. Don’t underestimate the importance and effectiveness of business-as-usual security. That’s installing and maintaining firewalls, strong passwords, and unique logins for each person with computer access. But also technologies like encryption, tokenization, and anti-virus.

Also, conduct regular security assessments, monitoring, and third-party due diligence, plus deploy secure code and adhere to payment security standards (PCI DSS).

What Are the Digital Skimming Requirements in PCI DSS v4

Given the ubiquity and innate security vulnerabilities of JavaScript on payment pages, the PCI Security Standard Council (PCI SSC) published an updated version PCI Data Security Standard (PCI DSS) in March 2022. 

Version 4.0 of the PCI DSS contains two new requirements to protect against and detect digital skimming attacks on payment pages. These will be requirements from 01 April 2025.

• Requirement 6.4.3 - The first new PCI requirement is designed to minimize the attack surface and manage all JavaScript present on the payment page. 

• Requirement 11.6.1 -  The second new PCI requirement aims to detect tampering or unauthorized changes to the payment page and generate an alert when changes are detected.

Jscrambler's free PCI DSS Payment Page Analysis tool is a great starting point in helping businesses that accept card payments prepare for frictionless compliance with requirements 6.4.3 and 11.6.1 of PCD DSS v4.0, plus helps PCI Qualified Security Assessors (QSAs) to validate compliance.

How Does Jscrambler Identify the Presence of Digital Skimming?

Jscrambler addresses both new PCI requirements (prevention and detection) concerning attacks on payment pages. 

What’s more, as the payment page is likely to include other JavaScript libraries, Jscrambler provides a smoother and easier way to manage the integrity of third-party code, compared to Content Security Policy (CSP) and Subresource Integrity (SRI).

Features include:

1. First-party code hardening and obfuscation

Obfuscation and protection of the first-party code that the payment service providers supply to merchants, further enhance the defense against tampering with payment pages.

2. Webpage inventory 

Complete visibility of every script and network request on your website. Simplifies the identification of malicious client-side behavior and vetting of resources.

3. Third-party management

Simple onboarding and vetting of third-party scripts, with full observability of each script and a powerful rules engine that can be used to control its behavior.

4. User data management

Dashboard with details of how user data is being handled on the client side, with insights into possible data leakage.

5. Webpage threat mitigation

Powerful and granular rules engine that blocks any script in real-time, if it exhibits malicious or prohibited behavior (e.g. digital skimming, DOM tampering, and data leakage).

Prevent Digital Skimming with Jscrambler

The Jscrambler Client-Side Protection Platform safeguards first-party JavaScript through state-of-the-art obfuscation and exclusive runtime protection.

Its fine-grained JavaScript behavioral analysis also mitigates threats and risks posed by third-party tags all while ensuring compliance with the new PCI DSS v4.0 standard. With Jscrambler, businesses adopt a unified, future-proof client-side security policy all while achieving compliance with emerging security standards.

Trusted by digital leaders from several industries, including financial, healthcare, and entertainment, Jscrambler gives businesses the freedom to innovate securely.

Feel free to connect with our client-side security experts to try our solutions to prevent digital skimming attacks.