How to Spot and Prevent Card Skimmers: An Essential Guide
American consumers and businesses are increasingly being targeted by malicious credit card skimmers. The Federal Bureau of Investigation (or FBI) estimates that skimming costs consumers and financial institutions over $1 billion annually.
Much of this illegal activity takes place at gas stations. According to the National Association of Convenience Stores, roughly 39 million Americans fuel up their vehicles daily. Many time-crunched drivers pay at the pump with cards.
However, what you must remember is that enterprising thieves want to obtain drivers’ credit card and debit card information for fraudulent purposes. It’s, therefore, essential that you know how to spot and prevent card skimmers from stealing sensitive data.
This article discusses how card skimming works and how you can protect your business and your customers from this crime.
What Are Credit Card Skimmers?
A credit card skimmer is an illegal card reader located within a functioning credit card reader. Each skimmer gathers card data from everyone who uses that ATM or payment terminal. Later, the thief collects the data file and produces a cloned card for identity theft purposes.
Credit card skimmers are most frequently found at ATMs and gas station pumps. However, customers at retail stores, convenience stores, and restaurants often fall victim to skimmer theft too. Users of parking meters and ticket kiosks are also at risk.
What Does a Skimmer Look Like?
Users will have a tough time spotting a card skimming device. Thieves go to great lengths to make each skimmer device appear identical to legitimate card readers.
At gas pumps, for example, users should look for a card reader that might be larger than the one at nearby pumps. A reader with an extended card slot, or one that wiggles easily, may have a card skimming device. Look for a keypad (or pin pad) that’s different than nearby keypads. This may be a keypad overlay—a likely tampering indication.
Some especially creative criminals install a hidden camera to photograph customers’ pin numbers. Even if you look for this tiny camera, you aren’t likely to find it. Other scammers use Bluetooth and cell phone technology to remotely obtain card information.
How Does Card Skimming Work?
Card skimming involves the illegal installation of a tiny electronic device at a card terminal. The terminal may be located at a gas station, point-of-sale (or POS) station, or ATM. Some enterprising crooks may use a handheld skimmer attached to a small mobile POS terminal.
During each transaction, the skimmer (or a pinhole camera) captures the customer’s card number, PIN, and expiration date. This data is readily available from the card’s magnetic stripe (or magstripe).
What Happens When Your Card Is Skimmed?
Let’s assume a skimming device captures the customer’s credit card or debit card information. Now, hackers have the tools to create their own fake cards for eCommerce or mobile phone purchases.
If the customer paid with a debit card, the card’s PIN enables the crooks to empty the user’s bank account. Sadly, financial institutions don’t make it easy to dispute debit card-based incidents.
Fortunately, credit card users can more successfully dispute skimming charges. The credit card company likely maintains a zero-liability fraud policy. This means the cardholder will not have to repay those fraudulent funds to the card issuer.
How to Protect Yourself Against Credit Card Skimmers
Many credit card skimming incidents have historically taken place in large cities and other high-density areas. Today, they also occur in many suburban and rural areas. Fortunately, customers (and businesses) can use five payment strategies to protect against credit card skimmers.
1. Pay with a credit card
Credit card issuers typically maintain a zero-liability policy. This means that a user is not financially liable for illegal credit card charges.
2. Use contactless payments
Contactless payments use highly secure tokenization. During each purchase, the customer’s payment details are encoded. The credit card company sends a one-time code to process the transaction.
A contactless card never physically touches a card terminal. However, contactless cards utilize radio-frequency identification (or RFID) technology to send data to payment terminals. Theoretically, a criminal with a handheld skimmer can intercept RFID-transmitted data. However, credit card companies and banks encrypt this data so scammers cannot use it.
3. Carry a mobile wallet
A digital mobile wallet uses near-field communication (or NFC) technology to transmit card data to a close-range card terminal. It’s highly unlikely that a hand-held skimmer can get close enough to access the customer data.
A mobile wallet can contain the Apple Pay and/or Google Pay apps. Both applications use tokenization technology, and the application authorizes the payment. Both applications require two-factor authentication to complete each transaction.
4. Pull out the cash
Although low-tech cash has seemingly become antiquated, this tried-and-true payment form is 100 percent safe. In addition, some gas stations offer discounts on customers’ cash fuel purchases.
5. Closely monitor your bank accounts
Customers (and businesses) should closely monitor relevant bank accounts. Monitoring your bank statements can be useful, and reviewing your accounts online daily is even better. Anyone who notices suspicious activity should notify their bank.
How to Spot Skimmers at ATMs and Gas Stations
Scammers often place credit card skimmers at high-traffic destinations such as ATMs and gas stations. Finding the malicious little skimmers requires a keen eye for detail.
First, note that a skimming device is frequently placed over the legitimate card reader. This can cause the skimmer to be canted at a strange angle. The skimmer might also cover the panel’s directional arrows. To confirm any suspicions, compare this card reader to others around it.
Next, the user should physically inspect the card reader and its keypad. A conventional card reader is ruggedly built to withstand abuse. The card reader should not wiggle when touched. The keypad buttons should not be hard to depress.
If the user gets either result, the device has likely been tampered with. They should find another ATM or gas pump and notify the bank manager or gas station attendant.
Special user precautions for ATMs
Official bank ATMs are located on the bank’s premises. With customer activity and onsite surveillance cameras, these ATMs are less likely to have skimmer installations. A user should ideally choose bank-maintained ATMs instead of those elsewhere.
Special user precautions for gas pumps
Evading gas pump skimmers takes more effort. First, realize that busy gas station employees cannot monitor multiple gas pump card readers. Users should minimize their risks by using a pump near the cashier station.
Next, users should determine if the pump door shows evidence of tampering. Look for a compromised security seal and a “VOID” label that means tampering has taken place. Determine if anything has been inserted into the card reader. Likewise, see if the card slot and/or keypad seem different compared to similar devices at other pumps.
To minimize their skimmer risks, users should pay inside if possible. Skimmers are less likely to be installed on a card reader at the checkout counter. If users must pay outside, they should use a credit card that offers zero-liability protection.
If a debit card is the only option, the user should press the “credit card” button to complete the sale without a PIN. And while completing a debit transaction, they should cover their hand to thwart a camera while entering the PIN.
Users who frequently fuel up at the same gas stations may purchase the brand’s gift cards. With limited values and no personal information, they’ll have minimal losses if scammers access the card data. Gas apps are another convenient option.
Skimming vs Shimming: What You Need to Know
Many consumers have become aware that credit card skimmers can access magnetic stripe card data. Therefore, customers have increased their use of more secure chip-based credit cards and debit cards. Now, scammers have developed a new technique that enables them to access chip card data.
A difficult-to-see “card shimmer” functions like a tiny shim that sits between the card’s chip and the card reader. The super-thin shimmer efficiently duplicates the card’s magnetic stripe data. Equipped with the customer’s valuable information, the scam artist can easily create a magnetic stripe card.
Businesses Should Always Remain Vigilant
Everyone should take precautions to protect their transactions from card skimming devices. Small businesses can minimize customers’ risks by working with a merchant services provider with a strong PCI compliance focus. Payment Depot certainly fits the bill.
In addition, Payment Depot employs multiple credit card fraud prevention practices that support its PCI compliance program. Contact Payment Depot today to learn about its top-ranked small business-friendly merchant services.
Are chip cards safe from card skimming?
Credit card skimmers can read a chip card’s magnetic stripe. However, the skimmer cannot decipher the chip data. Therefore, always use the chip card reader rather than the magnetic stripe reader. At a gas station, always use a pump-based chip reader. If one isn’t available, take a few extra minutes to pay inside.
What should you do if you’re a victim of skimming?
Credit card and debit card issuers use sophisticated fraud detection software. If a company’s fraud analyst thinks a user’s card may have been skimmed, they will immediately freeze its further use.
However, card issuers can’t catch everything. Therefore, fraudulent account transactions may be the first indication that a card has been skimmed.
If that occurs, the user should contact their card-issuing bank without delay. This will freeze the card access and limit financial liability. The user should also notify the business where the skimming likely occurred.
Finally, the user should contact local law enforcement and the state attorney general’s consumer division. The Federal Trade Commission also wants to document every skimming incident, hopefully helping to prevent additional skimming attacks.