Published on May 19th, 2019
Written by Aanand Krishnan, CEO and Founder of Tala Security

Quick Read

A number of technology shifts are pushing hackers to steal credit card data from websites instead of point-of-sale systems. According to industry studies, over 60% of retail data breaches in 2018 were due to website hacks. Enterprises, especially retailers, should be building self-defending websites that can protect their website against credit card and credential theft.

Use of Chip Technology

Until recently, hackers were focused on stealing credit card data stored in the magnetic stripes of our cards (this data is called a "dump" in fraudster lingo.) Hackers typically did this by getting malware to execute on point-of-sale systems. This malware would read the credit card data stored in the magnetic stripe and send it to the hacker's server. Hackers would then sell these dumps on the dark web to fraudsters, who would in turn clone physical copies of credit cards in order to perpetrate fraud in physical stores. The key point to remember is that clones made from dumps did not have your CVV2 data, and could only be used in physical stores, not online.


The advent of chip-based technology in cards forced fraudsters to change their methods. Today, over 60% of point-of-sale systems in the US support chip based cards and chip technology has also made it much harder to clone cards. In other words, "dumps" are no longer as useful.

Instead, fraudsters started demanding credit card data that can be used to make online purchasesThis data, in contrast to a dump, is called "CVV" in fraudster lingo. CVV includes cardholder name, address, credit card number, expiration and the CVV2 (3 digits on the back of the card). The increasing demand for CVVs from fraudsters led to a corresponding increase in the price for CVVs in the dark web.

As a result of all this, hackers have shifted their attention to stealing CVVs.

Hackers have adjusted their tactics

2018 was the first year in which we saw the impact of this shift. In 2018, we saw a significant push by hacker groups like Magecart to skim online credit card data from websites, and there are signs that the threat from groups like Magecart is only growing. Hackers attacked websites through multiple angles - sometimes hacking into a website directly, sometimes via "supply chain attacks" (e.g., Shopper Approved).

The 2019 Verizon Breach Report illustrates how this shift has accelerated in the last 2 years. Almost 50% of payment data breaches are now happening due to website hacks. In fact, according to the report, 63% of breaches in the retail sector (88 out of a total 139 reported) happened due to attacks on web applications. Worryingly, out of 92 incidents, 88 led to breaches.

What is the solution?

As Tala has blogged earlier, website architectures have changed significantly in the last few years - traditional approaches in protecting simply don't work.

Retailers must build self-protecting controls into their websites, including Content Security Policy (CSP), Subresource Integrity (SRI) and others that are widely supported by browsers. These security controls allow e-Commerce vendors to protect their sensitive customer data from Magecart and other supply chain attacks and also have a real-time alerting mechanism that lets them know when customer data is being skimmed from their websites.

Message me if you want to learn about how Tala can help you convert your existing website into a self-protecting one, in minutes.

Aanand Krishnan, CEO and Founder of Tala Security

Aanand Krishnan, CEO and Founder of Tala Security

Aanand Krishnan is the CEO and Founder of Tala Security. Prior to Tala, Aanand was most recently a senior director of product management at Symantec where he built Symantec’s first big data security analytics platform and led key strategy projects that helped establish the company’s vision and strategic focus. Aanand spent several years in investment banking at and mergers and acquisitions at Morgan Stanley and Dolby Labs and acted as an adviser to leading security software, semiconductor and clean tech companies. He started his career building high-speed optical networking products at Agilent Technologies. Aanand holds an MBA from Berkeley where he was a recipient of CJ White Fellowship, a Masters in Photonics and Optoelectronics from UC Santa Barbara where he was a QUEST Fellow and a Bachelors in Electrical Engineering with Honors from BITS, Pilani.

Find Aanand on LinkedIn


Sign up for our Newsletter

Hand-picked security content for security professionals.