How to Strengthen E-commerce Security Against E-skimming Threats

E-commerce security: being an e-commerce merchant is not a point of difference in today’s digital world; it’s the default market entry point for businesses that recognize the modern consumers’ demand for convenience.

E-commerce sales – which were an estimated $4.9 trillion worldwide in 2021 – are projected to reach $8.1 trillion by 2026. Amid this exponential growth, however, an insidious threat lurks that underscores the importance of e-commerce security: e-skimming, a client-side attack targeting the prodigious amount of financial data inputted online.

Cybercriminals' unwavering determination to exploit online trends to fraudulently harvest online payment data and personal information has prompted a surge in these nefarious attacks – also known as digital skimming, web skimming, data skimming, or Magecart attacks.

What is e-skimming? 

E-skimming attacks are client-side attacks that occur when cybercriminals inject malicious code onto an e-commerce website to compromise sensitive data – typically payment card data – inputted by users into checkout pages and other online forms.

These malicious actors often gain access to an e-commerce site by compromising assets originating from outside their security perimeter, including all client-side web assets – the files and resources that are downloaded and executed by a user's web browser when they visit a website. 

During this process, cybercriminals typically target JavaScript – the fundamental programming language that’s used client-side by over 98% of all websites to create interactive web pages.

JavaScript’s ubiquity – and its innate security vulnerabilities – make it a prime target for cybercriminals who attempt to weaponize it against organizations using this malicious skimming code.

Once injected – either through a supply chain attack or a direct hack of a website – the code infiltrates the point of sale of the e-commerce website, allowing cybercriminals to intercept customer credit card details and personal data.

Crucially, these JavaScript skimming attacks occur beyond the realm of the corporate network and, therefore, outside the parameters of traditional security controls, creating a blind spot for e-commerce businesses. 

The malicious code’s ability to hide in plain sight for weeks, or even months, means once it’s infiltrated an online checkout or cart, customers will continue to submit their payment information unaware that their data is being compromised. 

Once detected, the severe impact of these client-side attacks on businesses becomes apparent – from disruption to operations and the cost of technical remediation to reputational damage and regulatory penalties. 

Digital supply chain: the risks  

The digital supply chain – an intricate web of interconnected technologies, data flows, and collaborations – is the fulcrum of modern digital business operations.
 

This virtual ecosystem of software, networks, vendors, partners, and data streams has the power to enhance efficiency; however, it also exposes e-commerce businesses to risks – such as third-party vulnerabilities and data breaches – that, if exploited, can disrupt operations, compromise data, and tarnish their reputation.

This threat is underscored by Gartner, which identified digital supply chain risk as one of its top seven security and risk management trends for 2022. Take JavaScript, for example. This programming language runs on all major browsers, making it one of the core technologies used to build web applications and websites. However, this pervasive use exposes e-commerce businesses and their users to an inherent security flaw: it allows cybercriminals to deliver malicious scripts to run on the front end of a system.

In e-skimming, this third-party code represents a chink in the digital supply chain’s armor that proponents of this fraudulent technique attempt to exploit. 

A typical e-commerce website’s client-side code mostly originates from outside the organization. These are the open-source script libraries and third-party add-ons that web developers leverage to build user-friendly functionalities like customer login pages and payment processing.

Despite saving time and resources, the opaque nature of this third-party code prevents e-commerce businesses from having complete visibility of the third-party scripts on their sites – leaving them blind to client-side supply chain attacks like e-skimming. 

E-commerce merchants must, therefore, balance leveraging this third-party code to stay relevant in a dynamic and expanding digital world with managing its inherent risks in the digital supply chain. To shield themselves from client-side supply chain attacks, and demonstrate best practices, they must comply with the PCI DSS.

The fourth – and most recent – iteration of the PCI DSS aims to meet the evolving security needs of the payment industry, promote security as a continuous process, increase flexibility, and improve procedures for organizations to achieve their security goals.

Securing customer data entered into e-commerce payment forms 

Cybercriminals' use of malicious code injections to skim payment data from input fields on existing web forms has amplified the need for e-commerce businesses to secure this collection of user interface components on a website.

On the one hand, the payment forms allow users to submit personal information to make a purchase within minutes easily; on the other, they create an additional attack vector for cybercriminals to exploit.  

Consequently, web form security – the set of tools and practices businesses use to protect web forms from e-skimming attacks – is a vital component of overall website security, and the benefits are compelling:

• Trust Building: Trust is the cornerstone of customer relations in the e-commerce market. When customers provide their credit card information or other sensitive data, they expect it to be handled securely. By preventing breaches of this trust, e-commerce businesses will enhance their reputation in this uber-competitive market. 
  
  

• Standards and regulatory compliance: Robust standards and regulations exist to reinforce web form security, such as GDPR and the Payment Card Industry Data Security Standard (PCI DSS). This security standard ensures that businesses that accept, process, store, or transmit credit card information maintain a secure environment.
  
  

• Revenue Protection: Well-designed web forms help e-commerce businesses convert website visitors into account holders, subscribers, or customers. By proactively securing customer data that’s entered into them, they can protect the revenue that these forms facilitate. 
  
  

• Third-party risk reduction: Web form security empowers e-commerce businesses that use a third-party service or plugin to create and manage web forms to assess their security and data handling practices – ensuring they follow best practices for data protection.

Client-side security best practice for secure forms

To securely collect data from users via web forms, they must be designed to incorporate a battery of proactive security measures, including: 

Data encryption

Data encryption protects information submitted by users both during transmission and when stored on the server. To maintain the confidentiality and integrity of user data, it harnesses robust encryption algorithms, public and private keys, and a trusted certificate infrastructure.

This is a fundamental aspect of web security and helps build trust with users by demonstrating a commitment to protecting their sensitive information.

Multi-factor authentication (MFA)/ Two-Factor Authentication (2FA)

MFA secures web forms by augmenting the traditional username and password authentication with the following verification factors:

• Something you have: Users must provide something physical that only they possess, such as a smartphone, security token, or smart card. This second factor can be used to generate a one-time code or respond to a push notification.
  
  

• Something you are: This refers to biometric data that are unique to the user, such as fingerprint, facial recognition, or iris scan.
  
  

Spam protection

Spam protection mechanisms – such as CAPTCHA (Completely Automated Public Turing Test to Tell Computers and Humans Apart) – enhance the security, reliability, and functionality of online forms by preventing unwanted or malicious submissions like automated bots, automated scripts, and spam submissions that overload the server. It helps to ensure that the data collected is legitimate and trustworthy.

Secure communication protocols

Secure communication protocols like HTTPS and SSL/TLS encrypt web form data, ensuring its integrity, authenticating the server, and providing a trust framework through certificate authorities.

For example, encryption algorithms scramble the data transmitted between the user's browser and the web server, making it extremely difficult for cybercriminals to intercept and decipher the data being transmitted.

Client-side security

JavaScript security protects the web application from attack and ensures end users can safely engage with dynamic web pages accessed from their devices.

For example, client-side validation using JavaScript to validate user inputs for correctness – such as email format, password strength, and required fields – helps improve user experience and prevents basic errors before data is submitted to the server.

Also regarding the control of third-party scripts and not necessarily the content it’s put in forms, but who can access them?

Conclusion

The proliferation of e-skimming attacks against e-commerce businesses is a symptom of the exponential growth of online retail sales – and cybercriminals’ determination to exploit this online activity. 

This new reality has brought the need to strengthen e-commerce security against these client-side attacks into sharp focus for these online entrepreneurs – from implementing proactive security measures that secure web forms and reinforce third-party code to complying with PCI DSS v4.0.