There's a New Way Hackers Are Targeting Online Holiday Shoppers—Here's How to Protect Yourself

Dan Nosowitz

We would never give up our modern shopping conveniences. It’s just too easy to shop online or use our phones to pay for things. But those conveniences come with risks, some of which are more obvious than others. You may have heard of a theft technique called “skimming,” which involves a malicious plastic card reader that snaps over the tops of card readers on ATMs—and reads all your information. A new threat is a digital form of skimming called, appropriately, "e-skimming," and it's becoming increasingly more prevalent. We asked experts how it works and how to protect yourself this holiday shopping season.

Eva-Katalin/Getty Images

What is e-Skimming?

E-skimming, as the name suggests, takes the same concept as skimming and moves it online. Instead of a fake credit card reader that pretends to be a real credit card reader, e-skimming operations infect legitimate shopping websites to steal payment information. Hackers insert “malicious code,” little unauthorized programs or operations, into these sites, designed for one thing. “When the user enters his or her payment information, the malicious code reads and captures that data in real time, which is then transmitted to the attacker,” says Clayton Calvert, an IT consultant working at netlogx, an IT security and risk management firm.

E-skimming, like skimming, doesn’t look like a trick or a hack; it affects the machinery that processes your payment, rather than trying to change your behavior to steal from you more easily. “Put simply, e-skimming gives cyber criminals an unauthorized portal into what you're doing online, much in the same way an unapproved card reader swipes information off a credit card,” says Zohar Pinhasi, a cyber threat specialist, counter cyberterrorism expert, and CEO of MonsterCloud, a cybersecurity firm.

There are different types of e-skimming, though they all aim to do the same thing. Perhaps the best known is a software called Magecart; sometimes “Magecart attack” and “e-skimming attack” are used interchangeably.

Related: Amazon Is Now Offering Free Grocery Delivery for Prime Members

Can You Detect an e-Skimming Operation?

There are ways to detect a physical credit card skimming attachment; according to PC Mag, one of the best is simply to grab the plastic card reader and give it a jiggle. A non-thieving attachment won’t move at all; a skimmer will move. But e-skimming operations are different. “Since these attacks happen behind-the-scenes on the webpage, it is virtually impossible for a normal consumer or end-user to protect themselves against e-skimming,” says Ken Zwiebel, general manager at PerimeterX, which provides services to protect websites from unauthorized access. “In fact, some of these attacks are so hidden and sophisticated that they frequently go undetected by the website and their security team for months.”

But there are certain websites that are at a greater risk than others. “Cyber criminals are more likely to target small ‘mom and pop’ e-commerce websites, as they lack the cybersecurity resources and IT infrastructure that large scale enterprises have,” says Pinhasi. E-skimming on larger websites has happened, but it’s a very big deal when it does, and it’s certainly less likely. One example: the electronics retailer Newegg fell victim to a Magecart attack last year.

Generally, though, big websites like Amazon not only have teams of people dedicated to sniffing out the presence of e-skimming code, they’re also by their very nature less vulnerable. Sites that have a lot of turnover—new products in, old products out, or maybe new website designs—are very likely to simply erase that bad code in the course of making changes.

Related: There's a Secret Code Thieves Use to Break Into Hotel Safes

How Can You Protect Yourself Against e-Skimming?

One precaution you should take would be to use very strong passwords, and different ones, on each site. That way, “if one website’s information is hacked, the hacker does not have access to all of the user’s accounts,” Zwiebel says. There are several great programs that will come up with new, secure passwords for you when you need them, and remember them for you. Dashlane and LastPass are both well-regarded, and the Google Chrome web browser has this functionality built in.

You should also closely monitor your credit card statements during the high-shopping holiday season. If anything looks wrong, you should immediately contact your credit card company, tell them what happened, and take the steps they recommend.

You can also check to make sure the website you’re buying stuff from follows basic security protocols. “Only transact with websites that have an SSL certificate (secure sockets layer),” says Pinhasi. SSL is a method to encrypt any communication between you and the website, adding another protective element. It might sound like this is some nerd stuff that must be hard to figure out, but in fact, it’s easy. Up in the address bar, where you type in website names? Look for a little padlock image. If it’s there, it tells you that website is using SSL.

But in general, shopping online isn’t like shopping downtown. If you’re worried about e-skimming, the larger sites are generally more trustworthy than the little guys, if only because they’re harder for thieves to hack. Another good method is to use a payment option like PayPal, Google Pay, or Apple Pay. These services have their own added security like one more lock bolted onto the door separating thieves from you.