Skimming and online credit card theft: the story of Tommaso

25 May 2021 | Online risks, Online risks

I would never have imagined that I would be the victim of online skimming when my credit card was stolen.
A couple of months ago I made a purchase on an e-commerce website that I knew well and had been using for years.

It was a company I trusted and a website protected by https, so I felt completely safe entering my credit card number to complete the purchase.

I bought my item, received a confirmation email and then my product at home. Everything went as expected.


My relationship with online shopping

My passion for the gym

The discovery of the scam

I had no idea what e-skimming was.

How I solved the problem

What I learned from the skimming attack

My relationship with online shopping

I often used to shop online on secure websites, in some cases even recommended by acquaintances or colleagues who had enjoyed themselves and received their orders without any problems. Nobody would ever have thought of a data theft. Among my friends and relatives, online shopping was not a risk, but rather a way to more easily buy goods and services that are often not found in physical shops, or are only available on e-commerce.  

I had never met anyone who had been the victim of skimming, or who had experienced credit card thefton the web. I had heard, often on the news, about people having their credit cards cloned through ATM machines. I had heard that the criminals were able to attach a device to the card reader, which copies the data on the magnetic strip. Instead, they would acquire the PIN by means of a fake keypad or a hidden micro-camera.

However, I had never been afraid of online data theft or skimming. Above all, I feared an attack on my credit card through a site I knew very well and trusted, on which I had already made several purchases and each order had always been successful.  

My passion for the gym

I have been working out consistently for 10 years now – before the pandemic I used to go to the gym regularly 3 or 4 times a week. I’ve always been a very sporty person, I love to exercise and dedicate myself to my well-being, both physical and mental.

When the gyms were closed and we were forced to stay home because of the lockdown, I didn’t give up and decided to build my own home gym. I started looking for various equipment on the websites of the physical shops I used to frequent, but nothing: everything was sold out. Apparently I wasn’t the only one who had this idea.

During several lunchtime and bar chats, I discovered that some of my acquaintances and colleagues had sports equipment at home, so I asked them for advice on my purchases. They gave me a list of reliable sites that they had already bought from and were very happy with. No one had ever been the victim of skimming or online scams, so after a long search for the right one for me, I placed my order.

The discovery of the scam

A couple of weeks later, in the middle of the night while I was sleeping, I was woken up by a notification coming from my phone. I had set up two-factor authentication on my bank account and received several emails asking me to confirm my login attempts. Obviously I was asleep and had not attempted to access my account app. Someone was entering my correct password and email and activating two-factor authentication.

I ran to my computer and checked my credit card account. There were unauthorised charges there too. I had to contact the credit card company and convince them to block it immediately. This left me without a single euro until my salary arrived the following week. I even had to ask my family for a cash loan.

The next day I immediately contacted the postal police, who confirmed that my credit card and personal data had been stolen. I felt bad: I had fallen victim to an online scam. I had just given the criminals my credit card number, my passwords, my bank account information… Probably every piece of information about me.

I had no idea what e-skimming was

After blocking my credit card, I contacted the postal police to ask for help and to find out how to solve my problem. In essence, the officers explained to me the meaning of e-skimming: it is a credit card fraud in which attackers exploit a security breach and install malicious software on the payment processing page.

The postal police officers explained to me in detail what an e-skimming attack on legitimate sites consists of:

  • They attacked the legitimate e-commerce site and, exploiting a vulnerability they found on the portal, inserted a malicious script;
  • I entered my credit card details to make the purchase;
  • The credit card data was intercepted by the malicious script previously implanted by the fraudsters, which transmitted to the hackers a copy of the card number, the holder, the security code etc;
  • The purchase was nevertheless successful, as the website on which I had placed my order also received the payment details correctly, so I didn’t notice anything immediately. At the same time, however, the thieves had my card data at their disposal: in fact, I was also charged for the amounts resulting from the purchases made by the criminals.

How I solved the problem

As soon as I found out about the problem, in addition to contacting the agents, I contacted my bank and blocked the credit card immediately. The postal police made me file a report and the bank compensated me a few weeks later.

What I learned from the skimming attack

For sure, it doesn’t matter how careful one is on the internet: hackers are always one step ahead and invent a new way every day to rip off users. What I recommend to all those less experienced in shopping online is: 

  • Ensure that the site is trustworthy, although this is not always necessary to defend against attacks; 
  • Check that the site we are shopping on has https in the url, i.e. that the site also has the SSL certificate installed (visible with the padlock); 
  • Enable SMS notifications every time a transaction is made, a tip given to me by the bank and which I immediately put into practice; 
  • For extra security, since I have fallen victim to skimming, I no longer use my credit card for online purchases, but a prepaid card that I charge as needed. 

The most important thing I have learned is that without trainingit is easier to fall into the trap of any online attack. Reading, studying and delving as much as possible into the subject of computer security, even if it is only by consulting blogs online, is essential to be informed and always prepared to fight hackers. 

If you think this article could be useful to your colleagues and acquaintances, don’t hesitate to share it, it will take less than a minute and make the web a little safer.

CybeRefund Srl – Benefit Society, Piazza Luigi Vittorio Bertarelli, 1 – 20122 Milano (MI)
P.I. and Fiscal Code 11076520961