The moment I started seriously worrying about credit card and debit card skimmers wasn’t when my entire bank account was transferred to Turkey, or when I had to replace a credit card three times in two months because of fraudulent charges. It was when I learned that stealing a credit card number is as easy as plugging in a magnetic strip reader into a computer and opening a word processor. Every swipe spit out the credit card number, with no extra setup required. More advanced devices to steal your information are installed by criminals directly on to ATMs and credit card readers. These are called skimmers, and if you’re careful you can keep from being victimized by these insidious devices.
What Are Skimmers?
Skimmers are essentially malicious card readers attached to the real payment terminals so that they can harvest data from every person that swipes their cards. The thief often has to come back to the compromised machine to pick up the file containing all the stolen data, but with that information in hand he can create cloned cards or just break into bank accounts to steal money. Perhaps the scariest part is that skimmers often don’t prevent the ATM or credit card reader from functioning properly, making them harder to detect.
Classic skimming attacks are here to stay, and will likely continue to be a problem even now that banks have made the shift to EMV chip cards, according to Stefan Tanase, a security researcher at Kaspersky Lab. Even if the cards have a chip, the data will still be on the card’s magnetic strip to be backwards compatible with systems that can’t handle the chip, he told us. Even now, long after the U.S. rollout of EMV cards, some merchants still require customers to use the magstripe.
The typical ATM skimmer is a small device that fits over an existing card reader. Most of the time, the attackers will also place a hidden camera somewhere in the vicinity in order to record personal identification numbers, or PINs, used to access accounts. The camera may be in the card reader, mounted at the top of the ATM, or even in the ceiling. Some criminals install a fake PIN pads over the actual keyboards to capture the PIN directly, bypassing the need for a camera.
The above picture is a real-life skimmer in use on an ATM. You see that weird, bulky yellow bit? That’s the skimmer. This one is easy to spot because it has a different color and material than the target machine, but there are other tell-tale signs. Below the slot where you insert your card are raised arrows embedded in the machine’s plastic casing. You can see how the grey arrows are very close to the yellow reader housing, almost overlapping. That is a sign a skimmer was installed over the existing one, since the real card reader would have some space between the card slot and the arrows.
From Skimmers to Shimmers
When the US banks finally caught up with the rest of the world and started issuing chip cards, it was a major security boon for consumers. These chip cards, or EMV cards, offer more robust security than the painfully simple magstripes of older credit cards. But thieves learn fast, and had years to perfect attacks in Europe and Canada that target chip cards.
Instead of skimmers, which sit on top of the magstripe readers, shimmers are inside the card readers. These are very, very thin devices and cannot be seen from the outside. When you slide your card in, the shimmer reads the data from the chip on your card, much the same way a skimmer reads the data on your card’s magstripe.
There are a few key differences, however. For one, the integrated security that comes with EMV means that attackers can only get the same information they would from a skimmer. On his blog, security researcher Brian Krebs explains that “data collected by shimmers cannot be used to fabricate a chip-based card, but it could be used to clone a magnetic stripe card. Although the data that is typically stored on a card’s magnetic stripe is replicated inside the chip on chip-enabled cards, the chip contains an additional security components not found on a magnetic stripe.”
The real problem is that shimmers are much harder to spot because they sit inside ATMs or point of sale machines. The shimmer pictured below was found in Canada and reported to the RCMP. It’s little more than an integrated circuit printed on a thin plastic sheet. If the owners of the compromised device hadn’t been careful, this could have stolen the information from everyone who used it.
ATM manufacturers haven’t taken this kind of fraud lying down. Newer ATMs boast robust antitampering devices, sometimes including radar systems intended to detect objects inserted or attached to the ATM. However, one researcher at the Black Hat security conference was able to use an ATM’s onboard radar device to capture PINs as part of an elaborate scam.
The threats are real and evolving; that’s why it’s so important to give any ATM or credit card reader a quick check before you use it.
Check for Tampering
When you approach an ATM, check for some obvious signs of tampering at the top of the ATM, near the speakers, the side of the screen, the card reader itself, and the keyboard. If something looks different, such as a different color or material, graphics that aren’t aligned correctly, or anything else that doesn’t look right, don’t use that ATM. The same is true for credit card readers at the checkout line or at gas stations.
If you’re at the bank, it’s a good idea to quickly take a look at the ATM next to yours and compare them. If there are any obvious differences, don’t use either one, and report the suspicious tampering to your bank. For example, if one ATM has a flashing card entry to show where you should insert the ATM card and the other ATM has a plain reader slot, you know something is wrong. Most skimmers are glued on top of the existing reader, and will obscure the flashing indicator.
If the keyboard doesn’t feel right—too thick, perhaps—then there may be a PIN-snatching overlay, so don’t use it.
Even if you can’t see any visual differences, push at everything, Tanase said. ATMs are solidly constructed and generally don’t have any loose parts. Credit card readers have more variation, but still: Pull at protruding parts like the card reader. See if the keyboard is securely attached and just one piece. Does anything move when you push at it?
Skimmers read the magnetic stripe as the card is inserted, so give the card a bit of a wiggle as you put it in, Tanase advised. The reader needs the stripe to go in a single motion, because if it isn’t straight in, it can’t read the data correctly. If the ATM is the kind where it takes the card and returns it at the end of the transaction, then the reader is on the inside. Wiggling the card as you enter it in the slot won’t interfere with your transaction, but will foil the skimmer.
This tactic won’t work on shimmers, and won’t work with any ATM that captures and holds your card while your transaction is in process. However, there are still ways to protect yourself when using these machines.
Think Through Your Steps
Whenever you enter your debit card’s PIN, assume there is someone looking. Maybe it’s over your shoulder or through a hidden camera. Cover the keypad with your hand when you enter your PIN, Tanase said. That’s a good policy even if you don’t notice anything odd about the ATM. Obtaining the PIN is essential, since the criminals can’t use the stolen magnetic stripe data without it, Tanase told us. Of course, that assumes the attacker is using a camera and not an overlay to obtain your PIN.
Criminals frequently install skimmers on ATMs that aren’t located in overly busy locations since they don’t want to be observed installing malicious hardware or collecting the harvested data. The ATMs inside banks are generally safer because of all the cameras, although some daring criminals do still succeed at installing them there. The ATM inside a grocery store or restaurant is generally safer than the one that is outside on the sidewalk. Stop and consider the safety of the ATM before you use it.
That said, no place is safe from an enterprising criminal. Take this video, for example. The thief installs a skimmer on the point of sale unit inside a grocery store in seconds.
The chances of getting hit by a skimmer are higher on the weekend than during the week, since it’s harder for customers to report the suspicious ATMs to the bank. Criminals typically install skimmers on Saturdays or Sundays, and then remove them before the banks reopen on Monday.
Whenever possible, don’t use your card’s magstripe to perform the transaction. For credit card readers in stores, feel underneath the PIN pad for a slot to insert your card and its EMV chip to be read. When you use your EMV chip, the card is authorized on the device and your personal information is never transmitted. This forces criminals to attack the inner workings of EMV-enabled readers. While cracking EMV readers is possible, it’s much harder than magstripe skimming.
If the credit card terminal accepts NFC transactions, consider using Apple Pay, Samsung Pay, or Android Pay. These services tokenize your credit card information, so your personal information is never exposed. If a criminal somehow intercepts the information, he’ll only get a useless virtual credit card number. Note that on certain devices, Samsung Pay can actually emulate a magstripe transaction if you hold your phone over the card reader. This is much safer than using your actual credit card.
One scenario that often requires using your magstripe is paying for fuel at a gas pump. These are rife for attacks, because many don’t yet support EMV or NFC transcations, and because attackers can gain access to the pumps without being noticed. It’s much safer to go inside and pay the cashier. If there isn’t a cashier on duty, use the same tips for using ATMs and investigate the card reader before you use it.
Digital Attacks and Solutions
The recent British Airways hack introduced a novel concept: the digital card skimmer. Instead of a physical device to capture your card information, or a bogus phishing website that tricks you into entering your data, a digital skimmer is malicious software injected into a legitimate website.
Combatting this type of attack is ultimately up to the companies to ensure that their sites and services are secure. But there are a few things consumers can do to protect themselves. One option is to use virtual credit cards. These are dummy credit card numbers that are linked to your real credit card account. If one is compromised, you won’t have to get a new credit card, just generate a new virtual number. Some banks, like Citi, offer this as a feature so ask yours if its available.
If you can’t get a virtual card from a bank, Abine Blur offers masked credit cards to subscribers. These are prepaid credit cards that you can create on the fly and use for online purchases. Abine even supplies a bogus name and billing address to use, further disguising your personal information. If one of these is exposed, you won’t lose any money or private information.
Another option is to enroll in card alerts. Ally Bank, for example, will send a push alert to your phone each time your debit card is used. This is handy, since you can immediately identify bogus purchases. If your bank supplies a similar option, try turning it on.
If you don’t notice a card skimmer and your card data does get stolen, take heart. As long as you report the theft to your card issuer (for credit cards) or bank (where you have your account) as soon as possible, you will not be held liable for the lost amount and your money will be returned. Business customers, on the other hand, don’t have the same legal protection and may have a harder time getting their money back.
Also, try to use a credit card whenever possible. A debit transaction is an immediate cash transfer and requires making an FDIC claim whcih can take weeks to be processed. Credit card transactions can be halted and reversed at any time, and doing so puts pressure on merchants to better secure their ATMs and point-of-sale terminals.
Timely reporting is very important in cases of fraud, so be sure to keep an eye on your debit and credit card transactions. Personal finance apps like Mint.com can help ease the task of sorting through all your transactions.
Lastly, pay attention to your phone. Banks and credit card companies generally have very active fraud detection policies and will immediately reach out to you, usually over phone or SMS, if they notice something suspicious. Responding quickly can mean stopping attacks before they can affect you, so keep your phone handy.
Just remember: If something doesn’t feel right about an ATM or a credit card reader, just don’t use it. Whenever you can, use the chip instead of the strip on your card. Your bank account will thank you.