Starting your holiday shopping online? Watch out for this hack that copies your card details in real time

There’s no real way for consumers to know they are being hacked — and even the most recognizable brands aren’t immune from attack.
Image: Amazon packages are seen at the new Amazon warehouse during its opening announcement on the outskirts of Mexico City
Security analysts recommend not storing credit card information on a site, and enabling purchase alerts on all credit cards.Carlos Jasso / Reuters file

Breaking News Emails

Get breaking news alerts and special reports. The news and stories that matter, delivered weekday mornings.
SUBSCRIBE
By Alyssa Newcomb

The holiday season has already kicked off, with Walmart launching online deals on toys, tech, and other gifts starting Friday — and if that isn't horrifying enough, the Federal Bureau of Investigation issued a warning this week that hackers are skimming credit and debit card information in real time from online shoppers.

Skimming credit cards is an old trick that requires an extra piece of hardware, which crooks have been known to install at gas stations or on ATMs. However, its digital counterpart, e-skimming, doesn’t have any telltale signs.

"This warning is specifically targeted to small and medium-sized businesses and government agencies that take credit card payments online. E-skimming occurs when cyber criminals inject malicious code onto a website. The bad actor may have gained access via a phishing attack targeting your employees — or through a vulnerable third-party vendor attached to your company’s server," the Federal Bureau of Investigation said in a warning, since October is National Cyber Security Awareness Month.

Online shopping is big business, especially during the holiday season. Last year, 41.4 million Americans shopped online during the period between Thanksgiving and Cyber Monday, while 89.7 million more did at least some of their shopping through online retailers, according to the National Retail Federation.

“I shop online a lot, maybe two to three times a week, and I’m always worried about whether my credit card details are safe,” Rachel Jones, a publicist living in New York City, told NBC News. “You hear about hacking so often and I am always thinking how it is only a matter of time until I am directly affected.”

Let our news meet your inbox. The news and stories that matters, delivered weekday mornings.

Hackers first compromise a site through third-party vendors attached to a company’s server, or through phishing attacks, such as sending an email that appears legitimate but tricks an employee into entering their credentials. After that, hackers can place malicious code on the site and then sit back and collect credit card information.

This includes “basically any piece of information a company has ever gathered on you,” said Shane Curran, founder and CEO of cybersecurity company Evervault. “This can range from something as seemingly insignificant as a name or email address, but can include extremely sensitive data, like a credit card number, social security number, or even your passwords."

Hackers place malicious code on the website and then sit back and collect credit card information.

Perhaps the most frightening part of the hack is that there’s no real way for consumers to know it’s happening. While people can outsmart crooks by noticing hardware attached to a credit card reader at a gas pump, e-skimming is a hack that works behind the scenes.

“Before attacks like these became popular, the advice was typically to make sure the address bar had a lock on it to show it was secure, or to make sure the website name is legitimate,” said Brian Warehime, principal threat researcher at ZeroFOX. “Nowadays, the site will have a lock next to it, and be the actual retail site, but there will be no indication that anything is wrong to almost all users.”

After stealing the credit card information, hackers can sell the stolen information on the dark web to make money, or they can use the cards to make fraudulent purchases for themselves, according to the FBI warning.

Tim Mackey, principal security strategist at Synopsys, said “even recognizable brands aren’t immune from attack.”

“The only potential tell-tale sign might be that the website itself doesn’t quite look ‘right,’ though more sophisticated attacks can make even differentiating between a fake site and a legitimate one challenging. So absent tell-tale signs of compromise, consumers should invest in protections for how they manage their credit cards rather than looking at the websites themselves,” Mackey said.

Among the protections he recommends are not storing credit card information on a site, and enabling purchase alerts on all credit cards. He also recommends using a third-party payment method such as Apple Pay, Google Wallet, or Pay Pal, whenever possible.

While Jones said this threat only adds to the anxiety of being hacked, it’s not enough to make her change her frequent online shopping habits. She said she will, however, start paying with a third-party wallet, whenever possible.

“You can’t beat the convenience of buying everything you might possibly need and having it delivered,” she said. “At the end of the day, it saves me so much time.”