Businessman using laptop computer with ecommerce technology showing web skimming

Web Skimming: The Headache Organizations Aren’t Trying to Cure

What is the weakest link in your security infrastructure? For e-commerce businesses or companies leveraging online payments, it’s most likely to be their consumer-facing web applications.

Organizations have been focused almost entirely on securing their networks and servers, which is a good thing. However, not much attention has been paid to the client-side of security. This refers to what happens in the user’s browser when they interact with a web application. Because it happens in the browser, it can be easily overlooked by security teams because they lack the level of visiblity and control in this environment versus their servers and network.

The problem is the lack of attention to security presents a huge attack surface. Think about how many people interact with an e-commerce site across all types of devices – or screens. They are constantly offering up their data in payment forms where the underlying code is exposed. Threat actors can exploit the code to steal the data. This is what we call web skimming, a phenomenon that many businesses are still turning a blind eye to.

Since the only means of stopping this trend of financial data theft is by starting proactive security at the screen, additional security layers must be added to your client-side application codes.

Understanding web skimming

As nearly 99% of all websites today use JavaScript in some form, most web skimming attacks tend to exploit vulnerabilities in JavaScript libraries and plugins. One common method of web skimming involves using “formjacking” scripts. These malicious scripts are inserted into the JavaScript code that processes user input on web forms, such as those used for online shopping or account registration. The script captures the user’s input, including any credit card details, and sends it to a remote server controlled by the attacker.

Recent research at JScrambler found that, on average, 132 scripts were being loaded on the payment pages of popular EU e-commerce websites. Among these, 97% of the scripts are from the APIs of third-party payment solutions such as Visa, Mastercard, or Paypal. If even one of these scripts were to be compromised, the damage could be crippling for not only the organization but their thousands, sometimes millions, of customers. In addition to the loss of trust and reputational damage, companies can also face severe legal and financial repercussions.

Why businesses can’t cope with web-skimming

Despite its devastating consequences, web skimming is still low on the risk register for many organizations and impossible to solve for the rest. This is partly due to the responsibility of protecting consumers’ financial data often times being scattered across multiple parties.

Due to most e-commerce businesses facilitating consumer payment through third parties and payment gateways, they tend to believe that the liability will fall on those who facilitate the payment. Whether it be a financial institution or a digital wallet, these types of businesses often face major regulatory standards that companies assume umbrella over the payments they facilitate.

However, this perspective is not only negligent but does not follow the mindset of putting the customer first. As we saw with British Airways in 2018, the business is always responsible for securing and safely processing its consumer’s data. No matter what third parties are involved, it is, in fact, their web domain that is targeted. When consumers input their financial details, they are putting their trust in that particular brand. So, third parties might share some liability, but the critical responsibility always falls on the business starting the transaction.

Even when businesses recognize web skimming threats, they often face critical challenges which limit their security efforts. One of the biggest challenges is that JavaScript is very dynamic, making the user-end codes extremely complex to secure. Client-side JavaScript code can continuously change depending on the user’s location, device, operating system, and browsing behavior.

For instance, two users can access the same web page simultaneously from different locations, yet the JavaScript code being run on their devices would be completely different. Businesses cannot implement their usual proactive security process, such as auditing codes and screening third-party vendors, because there are too many constantly changing variables. To secure such a dynamic program, businesses have to audit every script for every user daily, which is impossible on a manual level. This, of course, leads to an endless cycle of an unsolvable problem which inevitably takes a lower tier on the list of priorities.

Bottom line is: web skimming is an integrity problem

The proliferation of digital payments is not slowing down, meaning that web skimming threats will only increase. As businesses continue to enhance their user experience through seamless digital payment processes, they must emphasize delivering innovation securely. This means prioritizing proactive security on the screen.

The best means of achieving this is by adopting processes which can obfuscate you webpage code to prevent tampering. By using polymorphic code obfuscation to combat revere engineering attempts, organizations can automatically render JavaScript code unreadable so they cannot be copied, tampered with or re-used. Ultimately, web skimming can only be a possibility when code can be accessed and understood.

Automated Webpage Integrity (WPI) solutions can also monitor all user activity across every session in real-time. Such solutions can sandbox each third party on a web page to ensure their access is limited to the information they require. WPI solution also monitors third-party APIs for any potential anomalies. For instance, a conventional payment gateway will only send user data to a particular server when processing payment. However, if malicious actors compromise the JavaScript, they will try to send the user input to a different server. WPI solutions can detect these anomalies in real-time, preventing web skimming and preventing data theft.

Prioritizing client-side security is a commitment that can’t be overlooked or delayed. By integrating such automated solutions, businesses can achieve complete visibility and control over all JavaScripts running on their client-side web pages, making their web applications resilient to web skimming or data theft efforts. Ultimately, this will make businesses more credible to their consumers and protect them from any compliance issues or financially damaging data breaches.