
As a non-infosec person, I'm very curious why the term "skimmer" is used for this kind of exploit? Seems like a skimmer should be used for a physical device only. It seems odd to use it for exploits that take advantage of web-based vulnerabilities - they're entirely unrelated unless you make heavy use of analogies.

I was not familiar with this usage, and was initially confused.

For this kind of exploit, it seems like we already have the terms like formjacking and script injection.

Edit: I (half-jokingly) propose the term "skimware".




It's skimming credit card data at the point of use. Physical terminal or webpage doesn't seem a big distinction. The end result is the same, and it is a term that the general public is more likely to have heard. "Script injection" doesn't mean anything to the average consumer.


Script injection is bad and all but doesn’t convey the fact that sensitive data is being sent to 3rd parties. Skimming, or card skimmer, immediately triggers thoughts of exfiltration.

I support the use of the term in this case.


Computers adopt terms for physical analogues all the time. They're not always 1:1. Like "Desktop" for your background/icons in an OS. Or "window" for a portion of your screen that an application uses. Or "mouse" because it looks like a mouse. These terms get rolled into use and kinda take on a meaning of their own in the context of computers. I'm sure there's better examples of words that you'd never relate to their original meaning, but skimmer seems fine to me for this application.


I would argue that "script injection" is the means by which the credit card is "skimmed"


Yes, agreed, it's "skimmed" in quotes, because it's an analogy. I'm still not sure if it's wise to use the same term for both a physical and virtual skimmer, from the point of view of a regular consumer.

Something like "skimware" seems better, if you must use a specific term related to "skimmer".

Maybe I'm wrong, though.


Yeah, well, if you look closely, I also put "script injection" in quotes. I only did that for emphasis.


A physical credit card skimmer is using the same "skimming" analogy.


Which analogy is that? I always assumed a physical card skimmer was based on the following definition of "to skim" (from Merriam-Webster):

2: to read, study, or examine superficially and rapidly

Edit: If you mean the original meaning (??) of skim (as in skim a liquid surface), then maybe???


Looking at the definitions from the free dictionary, they seem like different aspects of a common concept cluster. Light, superficial, quick motion, taking a small part away.

Skimming a card when it's swiped fits in perfectly with this.


When I think of a credit card skimmer, a pay at the pump card reader attack is what first comes to mind. Such as where the customer inserts their card, completes their purchase and the entire transaction goes through without any apparent issue.

This attack seems to be more like a spoofer; the comparison would be a phoney ATM machine into which victims insert their cards, the card is cloned and the victim is then prompted to enter their PIN. After which, the phoney ATM professes a network error or the like and the card is returned. No legitimate transaction occurs.

I am a little concerned with the morality of publishing this attack in such detail without first notifying and giving a period of time for the susceptible vendors to patch this vulnerability. Doing so is very reminiscent of how sensitive information was published years ago, enabling drones of script kiddies to engage in DDoS attacks back a few years (decades) ago.

It was my understanding that there is a general code of conduct regarding publishing these attacks that was created to prevent the proliferation of vulnerabilities before developers had an opportunity to address the issue.


Yeah like a pool skimmer or skimming fat from milk


I agree, it's not a skimmer.


> curious why the term "skimmer" is used

It has a history of this usage, eg https://blogs.akamai.com/2020/01/protecting-websites-from-ma...

It relates the attack to something a lay person can easily absorb. As their security blog is written for a lay person (ie, IT manager type person who has some understanding of infosec but probably not their day job), who will not care too much about the nuances of how the attack is perpetrated, the term serves them well.


> It has a history of this usage,

I'm not questioning the usage, just wondering why.

> lay person...who will not care too much about the nuances of how the attack is perpetrated

But the mechanism of the attack, and the way to protect against it is entirely different. That's my major issue, which I failed to fully explain above. These are completely different attacks, and completely different mitigations. And they only sometimes share the same target of the attack.


From my personal experience:

I had a customer once who wanted a security assessment of their payment terminal. Apparently one was stolen and they wanted to know how difficult it would be for an attacker to... well... "you know the name of the attack where they steal credit card info and such ?". So I replied "skimming". The attack actually did happen where they reversed the terminal to find vulnerabilities and used that to steal a database with payment information. No physical device was used for the attack, but the name "skimming" seemed relevant.

Bottom line is, you use the word you and involved people know to describe the threat we face.


> Bottom line is, you use the word you and involved people know to describe the threat we face.

Fair enough, that sounds practical. It just seemed like those two attacks were very different in mechanism and mitigation. The term confused me here. But hard to argue with experience.


I would just call it another form of phishing.



