You’re running errands and pull into a gas station to fill up. Or you’re in need of cash, so you drop by the ATM in the bank’s parking lot. Little do you know, thieves have installed a device on the card reader. And, suddenly, your everyday purchase or ATM withdrawal has lifted the info off your card and given thieves everything they need to clone it.
While card-skimmers are sneaky by design, there are some quick ways to spot them.
Skimmer set-ups are used to glean the data from your card (stored on its magnetic stripe). In general, they involve the following parts (according to educational site ShieldYourPIN.org):
- The skimmer itself: This is a card-reading device that gets placed over (or sometimes into) the legitimate card slot. Your inserted card passes through the skimmer (which lifts the data stored on the card) and then enters the actual card-reader, so that your transaction is processed as usual.
- The camera OR keypad: To get your PIN, fraudsters install a camera (that watches from above and records your fingers typing in your PIN) or a PIN-pad overlay that records your keystrokes.
With this information, thieves have all they need to clone a copy of your card and – if they got your PIN — take it to the ATM to withdraw money. More disturbing, skimmers aren’t hard to come by or expensive for crooks.
“It’s important to realize how easy it is for fraudsters to get skimmers,” says Steven Bearak, CEO of IdentityForce, a company that offers privacy-protection services. “You can see them being bought and sold on eBay for less than $100.
Where you’re most likely to find skimmers
Skimmers are more common in some places than others. Unattended card readers (like those on gas pumps or ATMs) are more likely to be rigged than those at registers inside the store – although criminals have been known to rig in-store POS devices with skimmers (check out this video, for example).
“Skimmers are ubiquitous,” Bearak says. “However, fraudsters typically avoid areas that use surveillance cameras, like an ATM within a bank lobby. I’d personally recommend not using ATMs at retail stores because they may not be checked regularly for skimmers.”
Unattended terminals are more skimmer-friendly because thieves need privacy to install the skimmer, says Jason Lesley, public information officer for the Georgetown County, South Carolina, Sheriff’s Office. Georgetown’s neighboring counties have seen a rash of skimmers this summer.
Plus, thieves generally require privacy to come back and pick up the skimmer. While some skimmers are able to transmit card info wirelessly or even via text, garden-variety skimmers record and store the precious info and require pick-up later.
“They’ve got to come back at night and get the skimmer,” Lesley says. “They put it on a pump in the middle of the night while a clerk may be distracted. And they’ve got to come back again the next day or in a day or two and retrieve it.”
Tips for spotting skimmers
Next time you’re at an outside ATM or fuel pump, pay attention – you may spot a wild skimmer:
- See if anything looks “off:” “Our officers have advised people to examine the portal they’re using,” Lesley says “And if there’s some add-on piece they can see that doesn’t look quite right, that would be a hint that it’s not part of the original equipment.”
Or, Bearak says, look to see if the various parts of the reader, screen or keyboard are made of a different material or are a different color.
A reader that looks broken may be another clue. ShieldYourPIN.org has lots of photos you can browse of real skimmers, including this one (the upper-left corner of the plastic is cracked):
- Give the card-reader a tug: Many skimmers are simply attached with double-sided tape for quick removal by the thieves, Bearak says. So, if you can easily move (or remove) the card-reader, it’s probably not the original.
“All parts of the ATM should be secure, and if something isn’t, it’s a good chance that machine has been compromised,” Bearak says.
- Compare your pump/ATM with the others: The gas station you’re at probably has multiple pumps, and there may be multiple ATMs outside the bank. So see if the one you’re about to use is not like the others.
“At a gas pump, for instance, if it doesn’t look quite right to you, compare it to some other pump,” Lelsey says. “Does it look the same? That would be a hint that it’s been compromised.”
An easy discrepancy to look for is the lights. For example, if the keypad on the machine you’re about to use isn’t lighting up but the others are, a keypad overlay could be blocking the light. Same goes for other lights on the machine.
“One key sign to look out for is if one ATM has a flashing light where your card should be inserted and other one does not,” Bearak says. “This could be because a skimmer has been applied and is blocking the indicator light.”
If you suspect a skimmer, call the police.
“Say, ‘I want to report what I think is a skimmer on the gas pump,’” Lesley says. “Don’t worry about inconveniencing the police, they’ll come take a look at it.”
Law enforcement may keep an eye on the pump or ATM in question to try to catch the crooks when they come to retrieve their skimmer, Lesley says.
Even if you have a sharp eye, you may not spot a skimmer. Some sophisticated ones can be slipped inside the card reader (rather than installed over it on the outside). Camera holes are tiny, and keypad overlays are difficult to recognize. There are even large overlays that cover the entire front of an ATM.
In a recent case at First Citizens Bank in Georgetown County, Lesley says, an ATM skimmer compromised nearly 40 debit cards before it was noticed.
“They’re hard to spot,” Lesley says. “Here, 39 people got scammed at the bank and didn’t see anything wrong.”
So you’ll have to accept you may not be able to spot a skimmer before inserting your card into one. Follow these tips to decrease the chance your card gets compromised:
- Cover the PIN pad at the ATM: If the thief has installed a camera-and-skimmer set-up, covering the pad while you input your PIN prevents the camera from recording the numbers – and prevents thieves from draining your bank account by using your cloned card at another ATM.
If the thief installed a keypad overlay to record your keystrokes, however, shielding your PIN won’t work.
“Even if you put your hand over it, it’s stealing the PIN right from underneath you,” Lesley says.
- Watch your account for fraudulent charges: If you start seeing strange charges and ATM withdrawals, call your bank and report the fraud immediately. Most issuers have robust zero-liability protections for withdrawals and purchases you didn’t make and will refund you.
Lesley notes that Georgetown County’s adjoining counties (which thieves are hitting hard with skimmers) attract a lot of vacationers, who may be “lower hanging fruit.” So, even while on vacation, check your accounts every day.
“You can check your balance every day and see that the charges on there are fraudulent,” Lesley says. “And that would alert you quickly to get that stopped.”
Aren’t EMV chip cards supposed to fix all this?
EMV chip cards are far less skimmable and far less cloneable. But some retailers are still using old-fashioned swipe card-readers that don’t read chips. Moreover, ATMs aren’t required to upgrade to EMV until Oct. 2017 – and gas stations aren’t required to upgrade until 2020.
“So, even though you may now have credit cards with EMV chips, they are not only just as susceptible as they were before, they could be more vulnerable now that the fraudsters have a window to target those terminals,” Bearak says.
Plus, the bad guys have developed technology that can skim chip cards and use the swiped info to created limited-use magnetic stripe cards. So keep a close watch on your balance – and advise loved ones to do the same.
“The more word gets out that this exists, the less effect it will have,” Lesley says.
For more on skimmers, visit the FBI’s page dedicated to them.