The threat of credit and debit card skimmers has grown in both number and sophistication in recent years. Today, you can’t fill up your gas tank or withdraw cash from an ATM without the risk…
The threat of credit and debit card skimmers has grown in both number and sophistication in recent years. Today, you can’t fill up your gas tank or withdraw cash from an ATM without the risk of becoming the next victim of a skimmer.
Statistics about the prevalence of skimmers — electronic devices engineered to steal your credit card and debit card data — are a bit hard to come by. But credit scoring giant FICO says compromises of ATMs and point-of-sale devices, like card readers at gas pumps, in the U.S. rose 8 percent in 2017. That followed a 70 percent jump in compromises — which may happen when your credit or debit card information has been snatched without your knowledge — the previous year. Skimmers deserve a lot of the blame for those compromises.
Across the country, authorities continue to fight the spread of skimmers. For example, during a crackdown over the Thanksgiving 2018 holiday period, Secret Service agents and other law enforcement officers found nearly 200 skimmers at gas pumps in 16 states. The Secret Service estimates those discoveries thwarted an estimated $6 million in losses for consumers. Despite those efforts, skimmers keep cropping up at ATMs, gas pumps and other places.
How Do Credit Card Skimmers Work?
When you slide your credit or debit card into a card reader at an ATM, gas pump or other payment device, a skimmer reads the magnetic strip, or stripe, and stores the card number, expiration date and cardholder’s name. These strips even appear on newer chip-enabled cards.
Tom Kellermann, chief cybersecurity officer at cybersecurity firm Carbon Black, says hackers then use the stolen data to rack up fraudulent charges online or to create counterfeit cards. Your data might even be sold to other crooks on the dark web, an encrypted part of the internet where users can operate with anonymity, sometimes for illegal activities.
If you made a purchase with a debit card, your four-digit PIN might have been stolen as well, enabling crooks to drain your bank account. David Tente, U.S. and Latin America executive director of the ATM Industry Association, says this can be accomplished by installing a phony keypad over the real keypad to capture the PIN or installing a tiny pinhole camera to watch you enter the PIN.
Paige Hanson, chief of identity education at cybersecurity company Symantec, warns, “Often, you won’t know your information has been stolen unless you identify suspicious charges on your statement or receive an overdraft notice.”
Where Do Credit Card Skimmers Show Up?
Aside from ATMs and gas pumps, skimmers pop up at ticket kiosks, parking meters and other spots where you can swipe a credit or debit card. A retail or restaurant employee equipped with a handheld skimmer might even steal your card information when your card is out of your sight.
Experts say skimmers are especially common at gas stations because credit card chip readers at self-service pumps won’t be required until October 2020.
“Card skimming has been a problem for many years in this country, as we’ve stubbornly stuck behind the antiquated magnetic stripe cards while other countries transitioned to the more secure chip-based cards,” says David Kennedy, founder and senior principal security consultant of TrustedSec, an information security consulting company.
Responding to the rise of chip-equipped cards, thieves are devising new methods — namely devices called “shimmers” — to swipe your credit and debit card information.
A shimmer is a small, thin chip that’s tucked inside the slot of a card reader. By contrast, a skimmer often is fitted over a card reader, making it easier to see.
“The shimmer is extremely subtle and difficult to spot. It is also able to steal the card data from a chip-based card, thereby bypassing the enhanced security of the new smart-chip system,” Kennedy says. The shimmer records the card data, which then is used to produce a magnetic strip card, he says.
Some shimmers transmit your data to a criminal via low-power Bluetooth signals. “The crook could park nearby — within a hundred feet or so — leave a laptop running in the trunk of their car and walk away, coming back later to find all of the data stolen from the magnetic strips of gas pump customers’ cards,” says Alan Brill, senior managing director of cyber risk with cybersecurity company Kroll Associates.
What Can Happen When Your Card Is Skimmed?
According to FraudWatch International, an internet security organization specializing in online fraud and phishing, skimmed data typically is:
— Transmitted to other countries, where the information is copied onto counterfeit cards.
— Used to make internet or over-the-phone purchases. This is known as “card not present” fraud.
— Used to carry out identity theft. This occurs when a criminal relies on your stolen personal data to set up accounts or take out loans in your name.
What Should You Do If You Realize Your Card Has Been Skimmed?
Tente warns that you sometimes won’t know your card has been skimmed until a fraudulent transaction surfaces in your account. While credit card providers often are able to catch such fraud when it’s in progress and then send you a fraud alert, he says, fraudulent ATM transactions are a different story. “A lone withdrawal of $500 may not get the attention of the [card] issuer’s fraud systems,” Tente says.
Regardless of the type of card fraud involved, experts recommend contacting the issuer of your credit or debit card right away. If a thief stole your credit card data — but not your physical card — and an unauthorized purchase is made, you generally won’t be liable for a penny of the financial losses. In the case of your debit card, you won’t be liable for more than $50 in financial losses stemming from unauthorized purchases if you report them within 60 days of receiving the statement that shows those transactions.
In addition, you should alert the business where you believe the card fraud took place. If the alleged fraud happened at an ATM that’s not owned by a bank — they’re commonly found at convenience stores, hotels, bars and restaurants — look for a sticker on the ATM that displays the customer service telephone number for the owner.
You might even go a step further and report the suspected crime to a local law enforcement agency, the consumer division of your state attorney general’s office and the Federal Trade Commission. This might not fix your own situation, but it could keep someone else from being skimmed.
How Can You Prevent Being Duped by a Credit Card Skimmer?
Hanson suggests following this SCAN checklist when you’re at a card reader so you don’t fall victim to a skimmer:
— Scan the area for hidden cameras that might be recording you typing your PIN at an ATM. These may be mounted near the keypad, so always cover your hand while you type your PIN.
— Compare the card reader and keypad to the rest of the machine. The colors and styles should all match, and graphics should be aligned and unobscured.
— Assess for obvious signs of tampering — a broken security seal on a gas pump, for instance.
— Nudge the card reader and keypad. Card skimmers and fake keypads are meant to be removed, so if they feel loose, you might have come across a skimmer.
Keep in mind, though, that the SCAN checklist might not be enough to locate a skimmer. This is especially true at gas stations, where a skimmer might be inside a pump and not visible to the naked eye. If you believe something is wrong with an ATM, gas pump or other card-reading machine, report it to someone like a bank teller or gas station clerk.
“The best way to protect yourself against credit card skimmers is to take a moment to pause before any transaction. Too often when we are getting cash from an ATM or pumping gas, we’re in a rush to finish the transaction and not even thinking about the transaction itself,” Kellermann says. “By pausing, we can take a moment to orient ourselves to the environment.”