Glossary / Skimming


A form of payment card fraud whereby a payment page on a website is compromised using a malicious script.

What is Skimming?

Skimming is a form of payment card fraud where a website or point-of-sale system is compromised using either software or hardware to steal card information.

Skimming can be done by sending an email that appears to come from a legitimate source but actually contains malicious code designed to steal data. Additionally, criminals can hijack hardware that reads payment cards and sends that information to a repository where it can be accessed by other criminals. Skimming attacks can also be used in conjunction with other types of cyberattacks such as malware infections.

The key to avoiding skimming attacks is to never disclose personal information to anyone unless it has been verified and confirmed by a trusted source. This means checking any links in emails before clicking them, using two-factor authentication if available, and verifying phone numbers before giving out sensitive information.

How do hardware skimmers work?

Credit card skimmers are a real threat to your financial security. They can be found at gas stations, convenience stores, and even restaurants. Criminals often attach a small computer to a legitimate point-of-sale system, which siphons card information without people being aware the device is malicious. They're becoming increasingly popular because they're easy to install and hard for consumers to detect.

The latest identity theft and credit card fraud statistics paint a bleak picture. They're two of the most common financial crimes, and each of them saw significant growth in 2020 and 2021.

What is used to skim people’s cards?

The most common types of skimmers used today include USB sticks, SIM cards, SD cards, and other removable storage devices. These devices can be placed inside a laptop bag, backpack, briefcase, etc.

What can be done to defend against skimming?

Avoid using ATMs that aren’t attached to banks or near well-lit places. Criminals often use skimmers to steal card numbers and PINs from ATMs that are not heavily monitored by security cameras.

Your bank may offer you an option to receive notification of any suspicious activity on your accounts. This helps you catch fraud much faster than if you were to wait until you received a statement.

Consumers can't do anything about the security problems affecting point-of-sale systems and online transactions. Merchants should ensure that their payment systems are secure, but consumers can protect themselves by using strong passwords, avoiding phishing scams, and following other common sense measures.

Banks must now challenge online credit card purchases with two-factor authentication through an app or other methods. The deadline for compliance has been extended, but most European banks have already implemented this security measure. It is likely that American financial institutions and others will follow suit.

How Else Can Businesses Fight Credit Card Skimming?

In some cases, a new website requires more than a typical browser plugin or sandbox solution. For example, when building a high-security application, you may need to use a different language. Sandboxing solutions often require changes to your development workflow and lead to complications during code reviews.

A modern client-side application security solution can continuously monitor all the script tags on your site for anomalous behavior, flag suspicious activity, and automatically generate new content security policies to prevent cross-site scripting (XSS) attacks.

What else can I do to avoid losing money from a skimming scheme?

As a consumer, monitor all of your account statements and turn on transaction notifications. The sooner you discover fraudulent transactions and can replace your card, the better. Also, a key element is that if a criminal has your social security number, and other information such as address and date of birth, they can use that information to make charges to other websites and create havoc in your personal life. As a business owner, your reputation is at stake if consumers can prove that they were hacked on your website due to your websites' lack of safeguards.

Who is at most risk from Skimming?

All e-commerce websites that take payment are at risk. A report shows that 15 percent of infected Magento stores are re-infected within days of the initial infection, and the majority of these re-infections occur in less than 24 hours. In addition, open-source applications are vulnerable to attacks that skim credit card information if not patched regularly.

What Should You Do if you Spot a Skimming Device?

If you notice something unusual, don't use your card on that reader or anywhere else in the same vicinity. There's a good chance that other devices in the area are also infected. You can also contact your local authority about the device.

In Conclusion

Cybercriminals never sleep. Cybersecurity teams need round-the-clock threat intelligence to anticipate and track bad actors’ every move, and how they might attack you personally, or your business.

Intel 471 customers rely on TITAN, an intuitive intelligence SaaS platform built by intelligence and security professionals for intelligence and security professionals. It enables them to access structured information, dashboards, timely alerts, and intelligence reporting via the web portal or API integration.

But TITAN doesn’t stop there. Use TITAN’s programmable RESTful API to power numerous connectors and integrations, integrating and operationalizing customized intelligence into your security operations.

Intel 471 cybercrime intelligence empowers digital forensic experts and analysts to monitor and respond to threats in near real-time — enabling them to support the cyber defense mission with timely and actionable intelligence. These analysts can also explore the alert context in our intelligence reports and data collection giving them a richer understanding of your organizational risk to better mitigate threats.