What is Credit Card Skimming and How Does it Work?
Table of Contents
- By David Lukic
- Nov 09, 2020
You may or may not know what credit card skimming is and how it works, but you should. Credit card skimming is when thieves install skimming devices on ATMs or gas pumps that grab your credit or debit card information as you swipe. More than $1 billion is lost to credit card skimmers each year.
How Does Card Skimming Work?
Card skimming devices can be very sophisticated, so you don’t even notice, but they can grab your full debit/credit card number along with PINs and take over your bank account before you know what hit you.
First, thieves install card skimmer over the real ones that harvest and save your information. Then they use 3-D printed keyboards (overlaying the real keyboard) to record your PINs, and that’s all they need to start spending.
Most U.S. credit card skimming devices target the magnetic strip on the back of the card. Even cards with a chip also have the magnetic strip as a backup. In Europe, however, they have made the full transition, but criminals have kept up and focused on EMV cards and chips.
In some cases, malware or other software is installed onto the card reader or gas pump. Malware on card readers is how the Target and Home Depot data breaches occurred, capturing millions of users’ credit cards.
It’s not just the number pads and scanners you need to be wary of. Some skimming devices record your PIN codes with cameras and others save your touchpad inputs. Skimming can happen anywhere, but these strategies are oft used at gas stations. The separation between the gas pump and checkout desk lets criminals install their devices more easily.
What is Credit Card “Shimming?”
Thankfully, most American criminals haven’t stepped up their technology game just yet. However, another version of card skimmers is called shimmers, and they can bypass the extra security of chip-enabled cards.
Shimming attacks chip readers in addition to the magnetic stripes. These are far less common than traditional skimmers, though.
It works by putting a small device known as a “shim” into a checkout chip reader. The shim uses a microchip to collect chip information before feeding it into the legitimate payment device. This allows the payment process to happen as usual and doesn’t tip anyone off that their data was stolen.
Additionally, because shims must be thin enough to fit into chip readers, they are far more challenging to detect than traditional skimming attacks. To make matters worse, installing a shim is as easy as inserting a special card into the chip reader and making a payment.
Discovering a shim is nearly impossible unless someone routinely takes apart point-of-sale (POS) machines. One of the only ways for individuals to protect themselves from a well-placed shim is to wiggle their card as it slides in. This allows them to roughly feel if there are any obstructions in the slot.
Bluetooth Credit Card Skimming
Some more sophisticated skimming gadgets allow the bad guys to sit in their car (up to 100 feet away) and hack your credit card number from there. This crime is called bluesnarfing because it uses Bluetooth technology.
It’s common for Bluetooth skimming strategies to disable a payment terminal’s compatibility with chip-based cards. The criminal may physically obstruct the chip reader or tamper with it, so it always returns an error.
This forces customers to swipe the less secure magnetic stripe, which is still widely used for backward compatibility purposes.
Aside from the automatic transfer, bluesnarfing is the same as traditional skimming. The compromised machine captures the card information and sends it to a nearby connected phone or laptop. If you keep a careful eye out, then you’ll probably notice signs of tampering or other suspicious details.
Gift Card Skimming
Skimming attacks aren’t restricted to debit and credit cards. Any card with a magnetic strip or chip is in danger. This includes reloadable cards, gift cards, and prepaid cards, which aren’t tied directly to a bank or lender and have untraceable purchase histories.
Non-traditional cards often have more lax security features, making them even easier for criminals to break into. Their short-term use incentivizes businesses to cut corners on safety, especially on gift cards. Embedding more secure EMV chips onto gift cards increases production costs and would force retailers to charge more than they’re worth.
For example, a $20 gift card would retail for $22. Who would buy that?
These factors make gift cards a prime target for skimming schemes. It also helps that people tend to go long stints of time without using their gift cards and won’t notice their money was stolen.
The process is ultimately unchanged. Criminals install an overlay that captures a card’s magnetic stripe information. They then create a duplicate card to use until the balance runs out. According to the FTC, about $75 million was lost in 2019 from gift card scams.
This type of skimming is a big problem since cardholders have so few options for chargebacks after fraud. The Fair Credit Billing Act doesn’t protect cards that can’t harm the holder’s credit. Victims may only dispute fraudulent charges if they registered the card with their personal information and there’s an overseeing agency.
Luckily, card institutions like Mastercard, Discover, and Visa offer customer service and protections on their prepaid offerings. These cards often charge extra fees per use based on “how and when funds are loaded,” so businesses have a stake in upholding customer satisfaction.
Can Businesses and Banks Detect Cloned Cards?
Banks spend hundreds of millions a year on fraud detection and cybersecurity. So, surely, they must have ways to catch duplicate cards before criminals can do too much damage.
It might be possible for tellers to notice a fake card, but criminals don’t make a habit of handing fakes to trained employees. They use the clones at random ATMs and businesses with the least danger of getting caught.
Rather than physically inspecting each card, businesses need a way to detect fakes automatically. The most significant step toward this goal was the introduction of the EMV (Europay, Mastercard, and Visa) chips. Criminals can’t copy a chip’s encryption like they can for a magnetic stripe.
However, this security measure is also easily circumvented by only shopping at stores that allow both swipe and chip payments. So, card readers need a way to detect fakes using only the magnetic stripe data.
Researchers in Florida have noticed patterns in cloned cards that could allow even the most basic card readers to detect fakes. They saw that legitimate card data was always written in highly consistent patterns. This is a given since real cards are manufactured in official facilities.
On the other hand, cloned cards are cheap imitations made with less-than-steady machinery. So, the data bits are scattered much more haphazardly. These poorly made clones pass muster because modern card readers only read the data on the card rather than how neat the pattern of data bits is.
Making card readers check the uniformity of digital bit patterns in a magnetic stripe will go a long way in detecting counterfeits. The biggest obstacle in the way is America’s reluctant and sluggish uptake of new security measures.
A more tried method for detecting fraudulent activity is comparing recent card activity to a cardholder’s buyer profile. Companies create a database for every customer that predicts how that customer will spend their money. If their spending habits start to deviate too far from those predictions, then a flag is set off, alerting the cardholder of possible fraud and identity theft.
How to Avoid a Credit Card Skimmer
When approaching an ATM before using it, look for loose parts or signs of tampering. Pay close attention to the card reader area. Does it look too big, out-of-place, or discolored? Is the keyboard too thick? Look for tiny cameras or anything that seems odd near the ATM. If anything seems out of place or doesn’t match, don’t use the machine. Report it to the bank and walk away.
It’s hard to notice anything right away as a well-installed skimmer barely appears different from the original. Take a quick glance at your bank’s other ATMs or another terminal at the gas station. Doing so will give you an immediate frame of reference for what “normal” should look like.
When entering your PIN either at the gas pump or an ATM, assume someone is watching even if you don’t see anyone around. Always cover your hand when entering your code.
Be extra cautious of using ATMs that are in isolated areas that might be perfect spots for the criminals to set up shop. They are less likely to be able to install skimming device on ATMs and gas pumps in highly trafficked areas. Non-bank ATMs are the most vulnerable to card skimmers. Stay away from ATMs at grocery or convenience stores that are way back in a corner.
At the gas pump, make sure the dispenser door hasn’t been opened. Bandits need to insert the reader inside there. If it won’t close properly or looks like it has been opened, use another pump. Always wiggle the card reader, if it jiggles and isn’t secure, it may have been fooled with. Pay inside just to be safe.
Android introduced an app that turns your phone into a Skimmer Scanner. It tests using a Bluetooth connection before you insert your card to ensure there is not a skimmer within range.
Statistics show that credit card skimming occurs more often on the weekends, and criminals install the devices on Saturday and Sunday and then remove them full of credit card data on Monday. If possible, avoid using ATMs and gas pump payment stations on the weekends
If possible, try never to use your magnetic strip and always insert the card into the chip slot instead. Even better, if the merchant allows NSC transactions use Apple Pay, Samsung Pay, or Android Pay instead. These are much more secure payment methods that use virtual credit card numbers that cannot be reused.
What to Do if You Are Victim of Credit Card Skimming
If you used your credit card at an ATM or gas pump, and suddenly you notice fraudulent charges on your account, you may have been a victim of credit card skimming. Take the following steps as soon as possible.
- Cancel the credit or debit card and report the fraud to your bank.
- Contact the location you used (gas pump or bank where the ATM is located).
- Review your monthly statement carefully watching for any unauthorized charges.
- Sign up for credit fraud monitoring with a company like IDStrong.com
- Consider a credit freeze so no one can open up accounts in your name.
- Watch your inbox for any phishing or scam emails.
- Sign up for cards that mask your actual credit card number like Apple Card, or another phone-based payment method.
It is getting more difficult to spot credit card skimmers, so always be on the lookout for anything that looks suspicious and use common sense when snagging money from an unfamiliar ATM or using a gas pump.