Countermeasures lag behind “online skimming,” which steals card information without a trace

Damage keeps occurring, one case after another, from new ways of stealing card details from EC (electronic commerce) sites. The technique is called “online skimming” or “web skimming,” and it leaks not only the card number, name, and expiration date but also the authentication code.

British Airways became aware of and reported such damage in September 2018. Card details were unlawfully obtained for around 400,000 people who made reservations through its website and smartphone application. In December 2020, damage that appears to be caused by online skimming was confirmed in the USA, China, Australia, and Japan, and it is likely to spread in the future.

Online skimming is unlikely to leave a trace on the side of the company operating the EC site. In some cases, the operating company learns of abuse that has continued for a long time only when a card issuer or a customer whose card was used fraudulently complains. Countermeasures need to be hastened.

Abuse of chained tags

The form of online skimming that is expected to spread is one in which an attacker modifies an external JavaScript library that is called from an EC site’s card payment page. JavaScript is also used in the payment page’s input form to verify whether the email address and card details entered by the user are acceptable. JavaScript can therefore handle essentially everything that is entered.

The issue is that many e-commerce sites embed separate JavaScript tags for ads and analytics in their payment pages. Following these tags, the EC site user’s web browser calls a JavaScript library from an external server, such as one belonging to an Internet advertising company. In some instances the calls form a chain: one tag calls a library on another external server, which then displays the ads.

A new technique that exploits this chaining has emerged. An attacker hacks into a server belonging to, for example, an online advertising company. The JavaScript library code is manipulated so that it reads the card information the EC site user has entered in the input form and sends it to a third party’s server. Because the JavaScript is delivered to and runs in the user’s web browser, no trace is left on the EC site or on the payment processing company’s server.

If an e-commerce site operator carelessly uses a large number of tags, the risk of online skimming rises. Kazuhito Sakamoto, DataSign’s Product Manager, who is familiar with Web technologies, points out that it is often difficult to check on which external server the malicious code was inserted. Overseas, the code in an external service’s JavaScript library was tampered with, and card information was stolen from over 800 EC sites that had the tag installed.
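
One way to keep track of the tags described above is to list every script tag on the payment page that loads from another host. The following is an added example, not code from the original article; it marks whether each host has been reviewed and whether the tag carries a Subresource Integrity hash. The page HTML, host names, allowlist and risk labels are constructed assumptions.

```javascript
// Added example: inventory the external <script> tags on a payment page.
// The HTML, host names and allowlist below are constructed sample data.
const SAMPLE_PAYMENT_PAGE = `
<html><body>
<form id="pay"><input name="card-number"><input name="cvc"></form>
<script src="/js/validate.js"></script>
<script src="https://cdn.shop.example/pay.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://ads.adnetwork.example/tag.js"></script>
<script async src="//stats.analytics.example/collect.js"></script>
</body></html>`;

// Read one attribute value from the text of an opening tag.
function getAttr(tag, name) {
  const m = tag.match(new RegExp(`\\s${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, "i"));
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// Return one record per <script src=...> that is served from another host.
function auditScripts(html, pageUrl, allowedHosts) {
  const page = new URL(pageUrl);
  const findings = [];
  for (const [tag] of html.matchAll(/<script\b[^>]*>/gi)) {
    const src = getAttr(tag, "src");
    if (!src) continue;                       // inline script, no external fetch
    const url = new URL(src, page);           // resolves relative and // URLs
    if (url.host === page.host) continue;     // first-party file
    const pinned = getAttr(tag, "integrity") !== null;
    const allowed = allowedHosts.includes(url.host);
    findings.push({
      host: url.host,
      src: url.href,
      pinned,                                 // SRI hash present on the tag
      allowed,                                // host is on the reviewed list
      // Assumed labels: unreviewed host = high, reviewed but unpinned = medium.
      risk: !allowed ? "high" : pinned ? "low" : "medium",
    });
  }
  return findings;
}

const report = auditScripts(SAMPLE_PAYMENT_PAGE,
  "https://shop.example/checkout", ["cdn.shop.example"]);
console.table(report);
```

A static listing like this covers only the tags written in the page itself; libraries that those tags load in a chain at run time have to be observed in the browser.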

Damage from new attack methods that capture card data from EC sites keeps occurring, one case after another. The concern is that the JavaScript tags on the payment page are exploited and no trace is left. Protective measures on EC sites have not caught up.