A skimming attack is when a third party gains unauthorized access to your financial information through an ATM or EFTPOS terminal. The device used for skimming typically records the personal identification number (PIN) of the cardholder, and stores it on an attached microchip or magnetically on a strip of tape. The PIN can then be used later to withdraw money from the account at any ATM using the same PIN.
How skimming attacks work
The skimmer is hidden inside a fake fascia, sometimes in plain view – such as with some card readers masquerading as CCTV cameras – but often in places that are not obvious to passers-by. Fake screens are also used, with genuine screens swapped for counterfeit ones in a way that is almost undetectable.
The PINs obtained are used to create fake cards, allowing criminals to access accounts and ATMs in person under the guise of the cardholder.
One method for skimming uses an oversize card reader snatched from a legitimate terminal with pincers or an adjustable spanner. The device may also be placed inside the mouth of a cash machine or nearby on the floor. Typically, skimmers are attached directly onto the faceplate of an ATM (for example with glue), without any visible wiring into it, often where other devices have previously been attached. Another common spot is on top of, or underneath, the keypad, where no camera is watching. Surveillance cameras can also be used at ATMs to capture both the PIN and the card being inserted, so that a thief can later copy it with a hidden camera or scanner.
Why you should care about skimming fraud
The risk of skimming is ever-present, especially when using an unfamiliar ATM. Fraudulent withdrawals from individuals’ accounts have been known to happen just hours after their cards were skimmed and discarded in public places such as parks. Unfortunately, it is often not until days or even weeks later that customers notice fraudulent transactions on their statements, made as withdrawals from other ATMs around the world. If your card is lost or stolen, be sure to report this immediately – don’t wait for your monthly statement to come through. This will allow time for the bank to block your account before any unauthorized transactions take place.
Card skimming is a growing industry, and the criminals behind it have been getting smarter. The methods of attack have grown with it, making it harder to detect and avoid these crimes.
How to protect yourself from skimming attacks
Being vigilant in protecting your personal information is key in avoiding fraudulent activity using your plastic. Consider taking the following measures when withdrawing cash at ATMs:
- Always cover the PIN pad with one hand while keying in your PIN – this may not be enough if someone has installed a camera above or beside you; however, if you have covered it, they will not be able to see your PIN, so even if they record video of what you are doing, they still cannot retrieve it.
- Always cover the keypad when you are finished with the withdrawal, even if you have covered the PIN pad as noted above – this will ensure that no one can see where you have touched the keypad and use it to glean your PIN in cases where a camera is present. This only works if there is either a CCTV camera or another person (or device) watching your actions; otherwise, it’s best to just assume that someone has installed everything they needed to do so recently without being noticed and be extra careful about covering your hand while keying in numbers.
- Use ATMs located inside banks whenever possible – gone are the days when thieves used crowbars to pop open cash machines at gas stations. Further, ATMs in relatively busy areas are more likely to be under surveillance than those in quiet corners.
- Don’t use the ATM if you see anything that makes you uncomfortable – for example, is there anything visibly wrong with the machine (e.g., loose wires or exposed electronics)? If so, report it immediately so that maintenance can be done before someone tries to use an attack kit on it.
Consequences of falling victim to skimming
Once an attacker has collected your credit card information, they have virtually unlimited options for what to do with it. In some cases, the attacker will use it immediately for in-person purchases or for withdrawals at ATMs that are not covered by surveillance cameras. Thieves can also use it to buy gift cards online and then liquidate them shortly after purchase; this is one way of laundering money from stolen plastic because gift cards must be activated before they can be used but are rarely cancelled once activated.
The most popular approach is to sell large batches of compromised plastic on underground marketplaces where cybercriminals congregate; these sites specialize in allowing buyers to place orders based on the specific stolen card types (e.g., Visa, MasterCard) and bank logos that they want.
Frequently asked questions about skimming
Can a skimmer record my PIN?
No. This is one of the major differences between skimming and other ATM attacks like shimmers or keypad overlays because, with skimming, there isn’t much to see – the entire attack takes place below the surface where no one can observe what you are doing except for cameras installed over or beside you (but even these cannot read your PIN as it’s entered). However, this doesn’t mean that people have not thought about ways to discover your PIN; camera technology has improved significantly in recent years but currently falls short of being able to identify individual keyboard keys from images at such distances.
Can a skimmer read my card’s data?
Yes – this is one of the major differences between skimming and its predecessor, shimming. As with skimmers, shimmers were used to steal card data; however, they did so by inserting a device partially into an ATM’s card slot while the user was still withdrawing cash. The shimmer then recorded everything that happened inside the ATM after that point and could not be detected without disassembling the ATM entirely. Skimmers are also most commonly found on ATMs that have recently been installed (hence how criminals can install them before anyone notices) but this isn’t always the case; some are installed on older models when banks don’t upgrade their machines in order to save money for other projects.
What is “card trapping”?
In addition to placing a skimmer on top of an ATM, it’s also possible for thieves to install a “trap door” beneath the cash dispenser that can be opened by pulling or prying the front panel away from the body. The process is simple enough; after they’ve installed their skimming device, all criminals have to do is replace / patch up any physical damage they caused during installation without leaving any trace of themselves behind (thereby making it appear as if the machine had been tampered with before).
Patching ATMs can cause some problems as banks don’t always keep spare parts on hand. When this happens, they may opt to simply remove and dispose of affected machines instead of replacing them; since banks are generally uninterested in the security of their ATMs, this is a very common occurrence.
What are “cash-out” skimmers?
Cash-out skimmers are devices that have been programmed to capture the information stored on a card’s magnetic stripe and transmit it back to the thieves who installed them. After being skimmed, cards can be used directly at POS terminals or sold on underground marketplaces where they’re converted into cash through other means (e.g., by using fake credit cards to buy gift cards from big box stores and then selling these online). Cash-out skimming is much simpler for criminals than methods of stealing physical banknotes but also more dangerous – getting caught with these devices in your possession is usually enough to land you in prison for years.
How do I know if an ATM has been skimmed before I use it?
Unfortunately, there isn’t an easy way to know if a machine has been compromised. The best advice we can give is to avoid using ATMs in secluded areas (like the one in the photo above) and try not to withdraw large amounts of money at once. Use common sense – if something feels funny about an ATM you’re about to use then walk away. You should also check your bank statements regularly for any discrepancies or suspicious activity that shouldn’t be there; banks usually don’t let unauthorized transactions through unless they’ve been caught doing so by customer complaints first.