A credit card skimmer is a device by which thieves and fraudsters steal credit card information. Often, these theft events will occur in the retail setting, but there are other ways by which the devices can be used to steal information from card owners for criminal purposes. Unfortunately, all it requires is a little illicit technology and a lot of criminal intent.
A credit card skimmer is a small device that can scan and store credit card data from the magnetic stripe on the back of the card. Credit card skimmers can be installed on a gas pump, on ATMs, or on other card-reading devices. Sometimes, corrupt employees can have a credit card skimmer on their person, out of sight of customers but easily accessible to the dishonest employee.
Once the card is run through the skimmer, the data is recorded. The information can be used for identity theft by the fraudster or sold through a contact or online, at which point counterfeit cards can be made using the stolen card information. Criminals can then go on shopping sprees with a cloned copy of the credit or debit card—often with fraudulent names to further avoid detection—and cardholders are unaware of the fraud until a statement arrives with purchases they did not make.
How a Credit Card Skimmer Device is Used
Credit card skimmers have been around for years, but the different devices are growing more sophisticated with evolving technology. A credit card skimmer can come in different shapes and sizes. Most operate as a portable capture device that is attached in front of or on top of the legitimate scanner, passively recording the card data as the credit card is inserted into the legitimate scanner. However, mobile credit card readers can also be used to independently capture information, or even with the use of a smartphone. This is a common way that employees capture and exploit card information in the traditional retail setting.
A typical credit card skimmer fits over the existing card reader at a gas pump, ATM, or other convenient self-service point-of-sale terminals. At gas stations, devices may be installed inside the pump casing and out of sight of the customer.
When a credit card is swiped through the card reader, the skimmer will record the account data from the magnetic stripe on the back of the card. Sometimes thieves will even place a hidden camera in the vicinity of the card reader with a view of the number pad in order to record personal identification numbers.
The camera may be in the card reader, mounted at the top of the ATM, or to the side of the device hidden in brochure cases or other inconspicuous places. Some criminals may even install a fake PIN pad over the actual keyboard to capture the PIN directly, bypassing the need for a camera.
Some of the more common places where credit card skimming might occur include:
- Gas Stations: Gas stations are a favorite target for thieves who use skimmers because there are multiple credit card devices sitting outdoors, none of which have an associate directly monitoring their use.
- ATMs: Popular for the same reasons as illicit use at a gas station, thieves can leave a skimmer on a card reader collect your information.
- Retail Stores: While most employees are honest, hardworking people, we must remain aware of those with dishonest intentions. Portable skimmers can quickly be used to gather information in a matter of seconds, often out of sight of the actual cardholder but occasionally right at the terminal, depending on the illicit skill of the dishonest employee.
- Restaurants/Bars: Similar to incidents in retail stores, these thefts can occur by using a small, mobile card reader. Most customers never think twice about leaving cards unprotected in the hands of an employee at the restaurant or bar, but be beware of the possibilities.
Ten Tips for Avoiding Credit Card Skimmer Incidents
Following are ten tips to follow to help avoid becoming the victim of a credit card skimming operation. While these incidents can happen to anyone, remaining aware and following a few common sense rules can help avoid many situations.
Inspect the card reader, PIN pad, and the surrounding area. Check for obvious signs of tampering at the top of the ATM, gas pump, or other card reading device. Check near the speakers, the side of the screen, the card reader itself, and the keyboard. If something looks different, such as a different color or material, graphics that aren’t aligned correctly, or anything else that doesn’t look right, it might be a skimmer.
Compare nearby gas pumps, ATMs, or other card reading devices to see if they match. If there are any obvious differences, it might be a skimmer. For example, if one has a flashing card entry to show where you should insert the card and the other has a plain reader slot, something may be wrong.
Wiggle everything. Does anything move when you push or pull at it? Legitimate devices are solidly constructed and generally don’t have any loose parts. See if the keyboard is securely attached and just one piece.
Try to avoid situations where your card leaves your sight if you can help it. Store transactions should generally occur in your presence. While this may be more difficult in a restaurant setting, try to remain aware of the service provider, where they take your card, and for how long.
Check Security Tape. Many gas/service stations use security tape on the device to verify that no one has entered or compromised the device. If the security tape has been broken or if the security tape isn’t consistent on all devices, there may be reason for concern.
Avoid Using Your PIN at the Gas Pump. When you pay at the pump, you usually have the option to use it as a credit or debit card. It’s best to choose the credit option that allows you to avoid entering your PIN. When you use it as a credit card you usually only have to enter your billing ZIP code as verification which is much safer. It’s also generally safer to use a credit card versus a debit card, because it’s easier to stop payment or cancel a payment than it is when money’s already taken out of the account. Typically, the most you’d have to pay for unauthorized use of your credit card is $50, and if your funds are stolen, you won’t have to wait to recover your losses with an empty account.
Read Your Surroundings. Criminals are more likely to install a credit card skimmer in locations where they are less likely to be observed installing malicious hardware or collecting the harvested data. Readers located in poorly lit or more remote areas (for example gas pumps outside of easy view of employees) are more likely to be targeted.
What Day is It? The chances of getting hit by a skimmer, especially those used on ATMs, are higher on the weekend than during the week, since it’s harder for customers to report the suspicious activity. Criminals typically install skimmers on the weekend, and then remove them before business offices reopen on Monday.
Keep an Eye on Your Accounts. If you suspect that you might have had your card skimmed. Keep an eye on your account balance and report any suspicious activity immediately. Consider monitoring your checking account transactions daily on your bank’s website. You can also request “card not present transaction” notification. If someone tries to use your credit or debit card number online, you’ll be notified immediately.
Use Chip Technology When Possible. Rather than swiping the card, as you would for a card with a magnetic stripe, insert the card into a terminal slot during a transaction and then remove it once the transaction is complete. EMV cards provide a higher level of security. Unlike the magnetic stripe on a card, which contains data that remains the same, EMV cards change with each transaction and are basically impossible to predict.
This article was originally published in 2016 and was updated January 23, 2018.