Card Skimming
What is Card Skimming?
Card Skimming: Theft of payment-card data by capturing it at the point of entry, either via a hidden physical device or malicious script on a website checkout.
Card skimming covers two related attack families. Physical skimming uses tampered ATMs, fuel pumps, or point-of-sale terminals fitted with a thin overlay or shimmer that copies magnetic-stripe or chip data, often paired with a pinhole camera or keypad overlay to capture PINs. E-skimming (also called Magecart) injects malicious JavaScript into a vulnerable e-commerce checkout page to siphon card numbers, CVVs, and addresses to an attacker-controlled server. Defences include EMV chip and tokenised wallets, tamper-evident hardware checks, anti-skimming sensors, web-application firewalls, Subresource Integrity, Content Security Policy, third-party script monitoring, and PCI DSS-compliant code reviews of payment flows.
● Examples
- 01
An overlay device on a gas-station pump capturing magstripe data and a pinhole camera filming PIN entry.
- 02
Magecart-style script injected into a Magento store to exfiltrate checkout form fields.
● Frequently asked questions
What is Card Skimming?
Theft of payment-card data by capturing it at the point of entry, either via a hidden physical device or malicious script on a website checkout. It belongs to the Attacks & Threats category of cybersecurity.
What does Card Skimming mean?
Theft of payment-card data by capturing it at the point of entry, either via a hidden physical device or malicious script on a website checkout.
How does Card Skimming work?
Card skimming covers two related attack families. Physical skimming uses tampered ATMs, fuel pumps, or point-of-sale terminals fitted with a thin overlay or shimmer that copies magnetic-stripe or chip data, often paired with a pinhole camera or keypad overlay to capture PINs. E-skimming (also called Magecart) injects malicious JavaScript into a vulnerable e-commerce checkout page to siphon card numbers, CVVs, and addresses to an attacker-controlled server. Defences include EMV chip and tokenised wallets, tamper-evident hardware checks, anti-skimming sensors, web-application firewalls, Subresource Integrity, Content Security Policy, third-party script monitoring, and PCI DSS-compliant code reviews of payment flows.
How do you defend against Card Skimming?
Defences for Card Skimming combine technical controls (EMV chip and tokenised wallets, web-application firewalls, Subresource Integrity, Content Security Policy) with operational practices (tamper-evident hardware checks, anti-skimming sensors, third-party script monitoring, and PCI DSS-compliant code reviews of payment flows), as detailed in the full definition above.
What are other names for Card Skimming?
Common alternative names include: Skimming, Magecart, E-skimming.
● Related terms
- attacks № 240
Cross-Site Scripting (XSS)
A web vulnerability that allows attackers to inject malicious scripts into pages viewed by other users, executing in the victim's browser under the site's origin.
- attacks № 1116
Supply Chain Attack
An attack that compromises a trusted third-party software, hardware, or service provider in order to reach its downstream customers.
- compliance № 807
PCI DSS
A global information-security standard for organizations that store, process, or transmit payment card data, maintained by the PCI Security Standards Council.
- attacks № 275
Data Breach
A confirmed security incident in which an unauthorised party accesses, exfiltrates, or discloses sensitive, protected, or confidential information.
- appsec № 1114
Subresource Integrity (SRI)
A browser mechanism that verifies a cryptographic hash of a script or stylesheet loaded from a third party before executing it, preventing tampered files from running.
- appsec № 214
Content Security Policy (CSP)
An HTTP response header that tells the browser which sources of scripts, styles, frames and other content are allowed, limiting the impact of XSS and data-injection attacks.