For most of us, the period of time just before the holidays is a popular time of year for payments to be made by swiping our plastic cards. Most likely, this is because there are a lot of transactions happening as you scramble to find the perfect gift for everyone on your list.
Credit/debit cards make your funds easily accessible. The convenience of having a plastic card linked to all the money in your account is nice, however, that convenience for you is enticing bait for criminals. All a criminal needs to be able to spend your money is your PIN and the data contained in your card’s magnetic stripe. These things can be stolen with help from skimmers. It is important to be aware of and know how to spot skimmers so you are less likely to become a victim of fraud.
How do plastic cards work?
In order to understand how skimmers work, it is important to first know how your plastic card works. The magnetic stripe (or magstripe) on the back of your plastic card is comprised of a plastic-like film with tiny iron-based magnetic particles in it. Each particle is really a bar magnet about 20 millionths of an inch long. These bar magnets can be magnetized to north or south pole directions, so as to “write” the magnetic stripe. The magstripe contains all the information a thief needs to make fraudulent transactions with your debit or credit card; your credit card number and expiration date, and the card holder’s full name.
How do skimmers work?
Every time you swipe your card, the card reader on a point of sale terminal or ATM collects all the information that is stored on your card and uses it to process the payment. A criminal can disguise a skimmer on the machine with the hopes that an innocent user will not recognize that the machine has been tampered with. Their transaction will be able to go through as normal. Meanwhile, unbeknownst to them, a malicious second card-reading device also collected their data when they swiped their card.
Skimmers can either collect and store victim’s information locally on a memory card, or more likely today, connect via bluetooth to the criminal’s nearby device to store victim information. This way, the criminal doesn’t need to risk being caught retrieving information from the machine.
Signs to look for: If a part on the machine doesn’t look normal or you notice a loose part, it could be a skimmer. If you pull out your phone and notice a bluetooth device named by a string of letters and numbers as an option to connect to, it could be a skimmer, and the criminal’s device could also be nearby.
Where are skimmers usually found?
Skimmers are most often found at gas station pumps. The main reason for this is that there is not very much (if any) supervision of the pump card readers. Often, the pumps may even be facing the opposite direction of the employees inside the store of the gas station, so it is almost impossible to supervise these areas.
Skimmers can also be found at ATMs where cardholders use their debit card to withdraw money, make deposits, and/or check their balance(s). At these machines, it is also common to find a camera or overlay keypad that works with the skimmer. The purpose of the camera or keypad would be to collect corresponding PINs to the credit/debit card numbers the skimmer is collecting.
Point-of-sale (POS) terminals can also be infected with skimmers. Unless you know what you are looking for, these skimmers can be hard to spot. Thankfully, skimmers are less commonly found on these machines because there is a higher risk of being caught since the store attendant is usually nearby.
Ingenico POS terminals are commonly found at Walmart self checkout lanes. A skimmer on these devices can be installed in the blink of an eye. You’ll notice the device with a skimmer placed over it (left) has a wider border than the device without the skimmer (right). This is because in order for the overlay to fit atop the POS terminal, it must be physically larger.
Signs to look for: If you are familiar with the look of these machines and notice a wider-than-normal border around the screen and keypad area, you may want to further inspect if there is a skimmer installed. This specific model (shown above) also has a backlit keyboard. When a skimmer is installed, the backlighting is not visible. Another sign of a skimmer is that the stylus may no longer fit in its designated tray. This is due to the skimmer overlay fitting largely.
Types of Skimmers
There are many types of skimmers; skimmers that wrap around the existing card reader/acceptance slot (external skimmers), skimmers that can be inserted in the slot itself (internal skimmers), and skimmers that can be hooked up to the internal wiring of a gas station pump. There are many more, but the most common skimmers are external and insert skimmers.
External skimmers usually sit on top of the existing card acceptance slot. These are meant to look very similar to the card reader on the machine in hopes that it goes unnoticed. This skimmer, which was found on a bank ATM, looks very sophisticated and well made. Most of the components of the skimmer are hidden behind the flap below the card acceptance slot.
Looking at the back of the device, you’ll notice all of the electronics that make it work. The device even features a small camera to record the PIN numbers of individuals who use the machine.
Signs to look for: larger than normal card acceptance device that is loose or wiggly. Also look for signs/stickers that were not there before, such as instruction labels and signs. The skimmer pictured above features an instructional sign whose purpose is to hide part of the device.
“Insert skimmers” work just as you might imagine them to work by their name. These are found in the ATMs/card readers where you insert your plastic card for the duration of the transaction. The criminal installing the skimmer must use a special tool to install, then use another special tool to remove it.
Brian Krebs, author of KrebsOnSecurity, wrote about insert skimmers on his blog. He shared a video that he acquired from an insert skimmer peddler. This video shows how an insert skimmer works and the small size of the skimmer. You can imagine how well it could stay hidden and remain undetected; all while picking up credit card information from countless fraud victims.
Signs to look for: These skimmers can be hard to detect, as there is no visible part to be seen. One sign is that your card may stick or grab at some point when you slide the card in and/or out. However, keep in mind that when an insert skimmer is properly installed, the goal is to make it not stick.
Precautions to take
- Before swiping your card in a machine, make sure it is in a well-lit, busy area. Criminals are more likely to install skimmers on/in machines where they feel as though they can’t be seen. So if you are thinking about using a gas station ATM located in a secluded, dark spot, it’s best to skip it and find a different ATM.
- Regularly and strenuously monitor your bank transactions. If you notice something strange, it is a good idea to visit or call your bank. They may be able to tell you if there has been a wave of suspect transactions happening. To help catch something that may be awry, you can also keep a disciplined log of your income and expenditures and balance your checkbook.
- Make it a habit to analyze each machine you put your card into. Check for loose parts/parts that don’t fit, cameras, abnormal signs and stickers (on ATMs), an overlay on POS terminal that makes it seem bigger, and stylus tray that no longer fits the stylus.
The time around the holidays is a busy time for all of us. Most likely, credit/debit cards will be used to make many purchases. In these next few months, make sure you take precautions before you swipe your debit and credit cards. After all, it could save you time, stress, and money.