Canada Computers: Digital Card Skimming

Several customers of Canada Computers have reported suspected payment card data theft following purchases made on the company’s website. While details are still emerging, public reports highlight a growing risk facing all ecommerce businesses: online card skimming.

In a post titled “Canada Computers online card skimmer” on the Build a PC Canada subreddit, a user described discovering a malicious client-side script embedded in the website’s checkout flow. The script was reportedly identified while inspecting the page using browser developer tools. At the time of writing, it remains unclear whether the same behavior affects the retailer’s mobile application.

According to the report, the script behaved consistently with a Magecart-style digital skimmer: a class of attacks designed to silently capture payment data during online transactions.

The Threat: Digital Card Skimming in Action

Unlike physical card skimming, which relies on tampered hardware at ATMs or point-of-sale terminals, digital card skimming operates invisibly inside ecommerce websites.

In this case, the reported malicious JavaScript allegedly:

• Hooked into checkout form fields

• Monitored keystrokes and form submissions

• Performed basic validation on entered data

• Exfiltrated the information to an attacker-controlled endpoint

The data reportedly captured included full payment card details and associated personally identifiable information (PII), such as:

• Card number (PAN), CVV, and expiration date

• Cardholder name

• Billing address, city, province, and postal code

• Phone number and email address

• The authenticated customer account identifier

The individual reporting the issue stated that two support tickets were submitted to the retailer and later closed without resolution, prompting public disclosure to warn other customers. The activity was first observed on January 18th, 2026 during a live purchase with developer tools enabled.

The Dangers of Digital Skimming

Digital card skimming is difficult to detect and highly scalable. Once malicious code is injected, often through compromised third-party scripts or integrations, it can silently harvest data from every customer who checks out.

Because the skimmer operates client-side and blends into legitimate site functionality, some infections persist for months or even years before being discovered. By then, the impact can include:

• Widespread payment card fraud

• Loss of customer trust

• Regulatory exposure and compliance fallout

• Brand damage that extends far beyond the initial incident

How Digital Card Skimming Works

At a high level, digital skimming attacks follow a predictable pattern:

• Malicious code is injected into an ecommerce site or third-party dependency

• Customers enter payment information during checkout

• The skimmer silently copies that data in real time

• Stolen data is transmitted to the attacker

Because many ecommerce platforms rely heavily on third-party services (such as payment widgets, analytics tools, and shopping cart software) attackers often compromise suppliers first, then let the infection spread downstream.

What Consumers Can Do to Reduce Risk

While consumers can’t control how merchant sites are secured, they can reduce exposure by practicing good digital hygiene:

• Pay attention to browser security warnings

• Be cautious of unexpected pop-ups or abnormal checkout behavior

• Use strong, unique passwords across accounts

• Enable transaction alerts for payment cards

• Limit online purchases to a dedicated card where possible

These steps won’t prevent breaches; however, they can limit the blast radius if one occurs.

What Businesses Can Do to Protect Customers and Revenue

For organizations, defending against digital card skimming requires continuous vigilance, not one-time fixes.

Effective protection includes:

• Keeping ecommerce platforms and dependencies fully up to date

• Encrypting all data in transit

• Minimizing the collection and storage of sensitive customer data

• Thoroughly vetting and monitoring third-party scripts and vendors

• Regularly reviewing source code and production changes

Because these attacks often exploit subtle, unauthorized changes, many organizations now rely on automated detection and monitoring to identify anomalies across their sites and supply chains before attackers can scale their impact.

Conclusion

The Canada Computers reports are a reminder that digital card skimming is not a niche threat. It’s a persistent risk for any organization that processes online payments.

For businesses, the goal is protecting customers, preserving trust, and ensuring that checkout remains a point of confidence, not compromise.

Understanding how these attacks work is the first step toward stopping them.