What is Card Skimming and How to Stay Safe from ATM Fraud?

According to the FBI, card skimming fraud poses a major threat, resulting in annual losses exceeding $1 billion for both financial institutions and consumers. The problem has escalated recently, particularly in 2023, with a notable 96% rise in incidents involving debit card skimming and a sharp increase in the number of compromised cards.  

Card skimming is a form of fraud in which criminals use specialized devices to illegally capture data from credit and debit cards, also known as debit card skimming. It poses a significant threat to financial institutions and consumers alike, leading to financial losses and identity theft. Understanding how to prevent skimming is essential for both financial professionals and individuals to safeguard sensitive information.

With card skimming on the rise, especially in ATMs and point-of-sale (POS) terminals, taking steps to protect financial data is more critical than ever.

What is Card Skimming?

Card skimming is a type of financial fraud where criminals use hidden devices to illegally capture the data stored on a payment card's magnetic stripe or chip. This stolen data typically includes sensitive information such as the cardholder’s name, card number, expiration date, and sometimes the card’s CVV (card verification value) or PIN (personal identification number).

Card skimming occurs without the knowledge of the cardholder, often going unnoticed until fraudulent transactions are detected.

At its core, card skimming involves the use of a small, discreet device called a skimmer which is typically attached to an ATM, point-of-sale (POS) terminal, or any other machine that reads payment cards.

These devices can be placed over or inside card readers, and they operate by copying the magnetic stripe or chip data when a legitimate transaction is made.

5 Types of Card Skimming Fraud

Card skimming fraud can occur in multiple ways, each method has its own set of tools and approaches, and understanding these types is critical for financial institutions in order to develop targeted countermeasures.

1. ATM Skimming

ATM skimming remains one of the most common and devastating forms of card skimming fraud. In this type of fraud, criminals install hidden skimming devices on ATMs (or sometimes on gas station pumps) that record card data when users insert their payment cards. Often, a tiny pinhole camera is also placed nearby to record the PIN entered by the user, providing full access to the stolen card data.

According to a 2023 report from the Europol (European Union Agency for Law Enforcement Cooperation), ATM skimming continues to be one of the leading methods for data theft across Europe. Fraudsters' use of wireless technology to retrieve stolen data has increased the frequency of these crimes.

2. Point-of-Sale (POS) Skimming

POS skimming refers to the practice of installing skimming devices on legitimate POS terminals at retail stores, restaurants, or other businesses. These devices can capture card data during a legitimate transaction, often without the cardholder’s knowledge.

According to the USC Credit Union:

“FICO reported a 77% increase in the number of cards impacted in the first half of 2023, totaling 120,000 cards, a staggering 77% increase from 2022”.

3. Mobile Skimming and Wireless Skimming

Mobile skimming is a newer, more advanced type of card skimming fraud that takes advantage of mobile devices or wireless technology. Fraudsters use portable skimming devices that can be disguised to look like legitimate card readers. These devices are often small and unobtrusive, making them difficult to detect.

Select Blinds, a window coverings retailer based in Arizona, has revealed a major data breach that went unnoticed for almost nine months, impacting the personal information of 206,238 customers.

This is only one incident that highlights an increase in wireless card skimming attacks.

4. Gas Pump Skimming

Gas pump skimming is a specific type of skimming that occurs at fuel stations, where criminals install skimming devices on gas station terminals. Since many gas stations are often unattended or minimally monitored, they present an easy target for fraudsters looking to steal card data.

The U.S. Secret Service estimated that millions of dollars are stolen annually due to gas pump skimmers. Also, criminals have developed Bluetooth-enabled credit and debit card skimmers that allow data to be transmitted wirelessly to another internet-connected device, eliminating the need to physically retrieve the skimmer.

5. Self-Service Terminal Skimming

Self-service terminals, such as those found in airports, ticket machines, or vending machines, can also be targeted by fraudsters. These terminals often have less security oversight than traditional POS systems, making them vulnerable to skimming attacks.

Self-service skimming, while less common than ATM or POS skimming, has been reported as a growing concern in high-traffic, unmonitored locations.

During a recent operation in Clark County, Nevada, law enforcement agencies, including the U.S. Secret Service and local police departments, inspected 1,100+ point-of-sale terminals, gas pumps, and ATMs across 125 businesses.

The effort resulted in the removal of four skimming devices, preventing an estimated potential loss of nearly $1.3 million. This operation is part of a broader initiative to combat the nationwide rise in skimming, which costs financial institutions and consumers over $1 billion annually.

How Does ATM Skimming Work?

The process typically involves several key steps, which vary in complexity depending on the sophistication of the criminals involved.

Step 1: Skimmer Device Installation

The most common method of ATM skimming involves the installation of a credit/debit card skimmer device on the ATM card reader. This ATM skimming device is typically a small, unobtrusive piece of equipment that fits over or inside the slot where a customer inserts their card.

The skimmer captures and records the card’s magnetic stripe data as the card is inserted into the machine. Modern ATM skimming devices are often designed to look like part of the ATM’s standard equipment, making them difficult for customers to detect.

Step 2: Pinhole Cameras or Fake Keypads

To capture the PIN associated with the card, fraudsters may also install hidden pinhole cameras or fake keypads. These small cameras are often placed in areas around the ATM that record the customer’s PIN entry.

In more advanced schemes, the fake keypads are designed to mimic the look and feel of the original keypad, capturing the entered PIN as it is typed in. The data from both the magnetic stripe and the PIN is crucial for fraudsters to create duplicate cards or conduct unauthorized transactions.

Step 3: Data Retrieval

Once the skimmer device collects the card data, it stores it on the device or transmits it wirelessly to the fraudsters, sometimes in real time.

In some cases, the device is designed to store the stolen data, which is then retrieved manually when the criminals return to the ATM. In more sophisticated setups, criminals use wireless technology to access the stolen data remotely, minimizing the risk of detection.

Step 4: Card Duplication or Fraudulent Transactions

After retrieving the card data and PIN, criminals can encode the stolen information onto blank cards with magnetic strips, effectively creating counterfeit cards.

These counterfeit cards can then be used to withdraw funds, make unauthorized purchases, or sell the stolen data on the dark web. In some instances, the fraudsters may even engage in account takeover, using the stolen data to access and drain victims' accounts.

Advanced Methods: Shimming

In more advanced cases, criminals may use a technique called "shimming" to skim data from EMV chip cards. Unlike traditional skimming, which targets magnetic stripe data, shimming involves placing a tiny device inside the ATM card reader that extracts the data from the chip.

This method is less detectable, as chip cards are typically considered more secure than magnetic stripe cards. However, as shimming technology advances, it becomes an increasing concern for both financial institutions and cardholders.

Key Indicators of Card Skimming Threats

To identify card skimming threats, financial institutions should regularly inspect ATMs and POS terminals for unusual attachments, loose card slots, or signs of tampering.

Look for hidden devices like pinhole cameras or fake keypads that capture card and PIN data. Wireless skimmers, using Bluetooth, and shimming devices targeting chip cards require advanced detection tools.

Also, monitoring customer complaints and transaction anomalies can highlight compromised terminals. Ongoing employee training and awareness, combined with technology like real-time alerts and surveillance, are crucial to spotting and preventing skimming threats effectively.

How to Prevent Card Skimming Fraud

Card skimming fraud is a serious concern, and it's important for customers, businesses, and financial institutions to take steps to prevent it. So here is how to prevent credit card skimming:

1. For Financial Institutions

1. Monitor for Unusual Transactions: Implement transaction monitoring systems to detect patterns that may indicate skimming activity, such as multiple withdrawals from the same ATM.

2. Upgrade Technology: Ensure ATMs are equipped with the latest anti-skimming technology, including chip readers and encryption systems.
   

Skimming credit cards has evolved from simple point-of-sale tampering to highly sophisticated wireless techniques.

To effectively combat skimming credit cards, cybersecurity protocols must adapt just as quickly as the criminals innovating them.

3. Educate Customers: Provide educational resources on how to spot credit card skimming threats and protect their information.

4. Invest in Surveillance: Use video surveillance to monitor ATM areas and detect suspicious behavior around machines.

2. For Businesses

1. Install Anti-Skimming Devices: Equip point-of-sale systems with anti-skimming technology to prevent the attachment of skimming devices.

2. Conduct Routine Inspections: Regularly inspect ATMs, gas pumps, and POS systems for tampering or unfamiliar devices.

3. Employee Training: Train staff to recognize the signs of card skimming and educate customers about safe practices.

4. Use Secure Payment Methods: Encourage customers to use chip-enabled cards or contactless payments for added security.

5. Report Suspicious Activity: Promptly report any suspected skimming devices to authorities and temporarily disable the affected machines.

3. For Customers

1. Inspect ATMs and POS Terminals: Always check for unusual attachments or loose card slots. Avoid using machines that look tampered with.

2. Cover Your PIN: When entering your PIN, cover the keypad with your hand to prevent skimming and hidden cameras from recording it.

3. Use Chip Cards: Prefer chip-enabled cards, as they are more secure than magnetic stripe cards.

4. Use Trusted Machines: Use ATMs and POS systems located in well-lit, high-traffic areas, which are less likely to be tampered with.

5. Monitor Accounts: Regularly check bank statements or use mobile banking to track transactions and spot any unauthorized activity quickly.
   

6. Opt for Digital Wallets: Instead of swiping your physical card, consider using digital wallets such as Apple Pay, Google Pay, or Samsung Pay for more secure transactions.

7. Pay Inside the Store: If the gas station hasn't upgraded its pumps to accept digital payments or you feel unsure about the safety of the machine, go inside the store to complete your purchase.

8. Choose Well-Lit and Monitored Locations: Prefer machines that are situated in well-lit, visible areas with security cameras, as these are less likely to be compromised or tampered with.

9. Enable Fraud Alerts: Set up fraud alerts with your card provider to stay notified of any suspicious activities and quickly take action if needed.

10. Follow Your Gut Feeling: Trust your intuition when using machines, if something seems off or if you're uncertain about a machine's safety, opt for a different one or consider another payment option.

Conclusion

Preventing bank card skimming requires a combination of technological, physical, and educational measures. By staying informed and adopting best practices, both financial institutions and consumers can significantly reduce the risk of card skimming fraud.

Financial institutions must invest in the latest anti-skimming technology like card skimming devices and regularly educate customers on how to avoid becoming victims of fraud. Consumers should be vigilant and proactive about protecting their card information.

FAQs:

Q1. How Can Card Skimming Be Stopped and Data Recovered?

When card skimming devices are found, quickly shut down the compromised machines and notify affected customers. Begin an investigation to assess how the breach happened and check if any cardholder data has been exposed.

Q2. Are Chip Cards Safer Than Magnetic Stripe Cards?

Yes, chip cards offer greater security than magnetic stripe cards. They create a unique transaction code for every purchase, making it nearly impossible to replicate or clone the card.

Q3. What Actions Should Be Taken if a Skimming Device is Found?

Report the discovery to authorities immediately, deactivate the compromised ATM or POS terminal, and inspect the surrounding area for other hidden skimming devices. Alert affected customers and keep an eye on their accounts for unusual activity.

Q4. How Do Financial Institutions Detect Card Skimming Using Transaction Monitoring?

Financial institutions use transaction monitoring systems to spot suspicious behaviors, like multiple withdrawals from the same machine or unusual buying patterns. These early alerts can help identify and prevent card skimming attacks.