What could happen if I don’t cover my hands properly when I type in my debit card PIN code? Under normal circumstances, not much. The odds of someone knowing your PIN and your bank card details from peeking over your shoulder are low. However, strategies are used every day to gather this data. For example, nefarious individuals or groups can use physical skimmers to collect card data for payment fraud or identity theft at places like gas stations, ATMs, vending machines, or ticket machines.

When used for debit transactions, think of your card number as a username and your PIN as a password. Without both, a debit transaction will be declined by your financial institution, and rightly so.

What happens when that same financial institution allows any third party to read, in plain text, your online username and password for your account, your downloaded app, or, if you reuse those credentials, your other personal accounts elsewhere? Any company allowing third parties to look directly at your username and password without encryption or encoding could leak your information without much effort from malicious individuals or groups. That would be a worrisome occurrence.

Worrisome is just what we feel in the security industry when we read or watch reports on businesses allowing third parties to have access to their site, without security or permissions, to skim data from input fields. The most recent example of this is with Ally Bank.

Ally Bank notified customers that third parties had accessed unencrypted usernames and passwords as customers were typing the information into their login fields. Legitimate third parties, included as services on the Ally Bank site, were allowed to skim username and password fields without issue.

It’s one thing to understand that malicious code is being handled in some way on a daily basis. Knowing that the companies with which you do business are taking malicious attempts to collect your data seriously is comforting. But when we find out that these same companies do not have any protections in place against known third parties skimming and collecting your data, that is not comforting at all.

There is a solution to this feeling of discomfort: Source Defense. As we’ve mentioned many times before in our blogs, Source Defense prevents formjacking, eSkimming, and website defacement from malicious third parties and known third parties in real time. If a business is collecting data from customers, a Source Defense solution is the only solution that can prevent an Ally Bank situation from happening.

If you’d like more information on Source Defense, please request a demo. If you’d like to learn more about Magecart and earn some free CPE credits, please register for one of our upcoming Cyber Academy classes.

PCI DSS 4.0 makes client-side security a priority.

Source Defense delivers a solution for 6.4.3 and 11.6.1 without adding a burden to your security teams.