Font Size: A A A


Rise in formjacking

Online has seen big rises in formjacking and payments fraud, according to the 2019 Internet Security Threat Report, by the cyber product company Symantec. According to the report, an average of 4,800 websites are compromised each month. Ransomware targets for cyber-criminals have shifted from consumers to enterprises; and supply chains remain a soft target.

To request the report in full visit the Symantec website. See also Symantec’s blog on threat intelligence.


Sundeep Tengur, senior business solutions manager at software firm SAS said it demonstrated how easily payments fraud can slip through the cracks. “Fraud-related attacks can be very small-scale at the front end, but then lead to huge losses and affect thousands of customers.

“Companies must ensure that they have powerful anti-fraud measures in place capable of detecting aberrations before they cause serious damage. For example, AI and advanced analytics can give companies the ability to process vast amounts of payment data quickly and detect potentially fraudulent activity. And by implementing machine learning, companies can ensure their systems become more accurate over time.

“As the amount of relevant data increases, humans simply can’t keep up – AI-powered fraud prevention can help relieve the burden and increase the accuracy of spotting fraud. And as fraudsters become more well-equipped and use more advanced techniques, business needs to make sure it stays ahead of the curve. AI provides the tools to keep businesses and their customers safer from fraud.”

Francesco Simoneschi, CEO and co-Founder of a provider of financial APIs TrueLayer, described the continued rise of online fraud as a major cause of concern for both retailers and consumers. “Criminals are deploying a range of sophisticated techniques to circumvent security measures. However, from Symantec’s report, it appears that the relatively simple tactic of formjacking is causing a huge amount of damage. Thankfully, Open Banking offers a solution to this problem. Payment Initiation, which is enabled by Open Banking, does not require a card identifier – people make payments by going directly through their online banking. As a result, both the consumer and the business are immune to formjacking and pretty much every other fraudulent tactic currently in use.

“Open Banking is about much more than liberalising the finance industry to increase competition and reduce costs. It is also about raising security standards and protecting consumers and businesses. Online fraud doesn’t just hit the consumer or business directly involved, it ripples out and raises costs for everyone making card payments. If there is widespread adoption of Payment Initiation we should see a staggering reduction in fraud and a corresponding drop in costs.”

And Matt Aldridge Solutions Architect at Webroot, said: “New tactics emerge every day and what’s interesting about ‘form-jacking’ is the stealth approach. Similar to cryptojacking, cyber-attackers just insert the code then sit back and wait for the pay-off. From a user perspective, it is not always possible to detect this attack, so it may elude even the most vigilant. The onus is on web site owners to carefully validate all of their site’s dependencies and to monitor for changes and new version updates. Evidence of penetration testing of third party components should also be checked and retailers should only work with third parties that follow security best practices and compliance.

The real problem here is that consumers are forced to reuse credit card numbers for online purchases. Instead, they should be issued with single use card numbers by their credit card companies. Eventually this should be replaced by a new secure system similar in operation to Apple Pay, where the payment token can’t be used more than once or by more than one merchant.

A collaborative approach between retailers and financial institution is critical to effectively protect payment data as card providers are able to spot unusual spending activity on compromised cards and link this accurately back to a common breached source. However, until the payment mechanisms themselves are properly secured there will always be threat actors trying to steal the multi-use payment data.”


Related News