What is ATM Skimming?
ATM skimming is a type of payment card fraud where thieves use hidden recording devices to capture PINs and other information from credit, debit, and ATM cards. These devices are often rigged to ATMs and payment terminals at gas stations and other retail locations.
Once they have the stolen information, criminals can create counterfeit cards or directly access victims’ bank accounts to withdraw cash or make unauthorized purchases.
According to Nathan Wenzler, Chief Security Strategist at Tenable, “If thieves manage to obtain the card number, they may use it for online transactions or sell the card details in bulk to other criminal groups for fraudulent activities.”
Here’s what you need to know about ATM skimming and how to safeguard yourself against it.
Methods of ATM skimming
Thieves use various methods to steal data from the magnetic stripe on credit and debit cards:
- Plastic Overlay: A thin layer placed over the ATM keypad to capture PINs as they are entered.
- Card Slot Overlay: A cover placed over the card insertion slot to record data from the magnetic stripe.
- Tiny Cameras: Small cameras positioned on or near the ATM to record keypad entries and observe your fingers.
- Full ATM Faceplate Overlay: A cover that includes embedded cameras and overlays for both the card slot and keypad.
Nathan Wenzler warns, “Skimmers are becoming increasingly difficult to detect, especially with advancements in 3D printing and other inexpensive fabrication technologies.”
In some cases, skimming devices can transmit stolen data via Bluetooth, eliminating the need for physical contact with the card reader.
Even chip-enabled payment cards, which are considered more secure, are not immune. Thieves use “shimmers,” thin devices placed between the chip and the reader, to capture card information and PINs. As chip technology becomes more common, shimmers are increasingly replacing traditional skimmers as the preferred tool for thieves.
How prevalent is ATM skimming?
ATM skimming is a growing issue, particularly at gas pumps, costing consumers and U.S. financial institutions over $1 billion annually.
In 2022 alone, more than 161,000 cards were compromised due to skimming, affecting 2,730 different financial institutions.
California was the most targeted state, representing 47 percent of all skimming incidents. The northeastern U.S. was also heavily affected, with New York, New Jersey, Pennsylvania, Maryland, and Virginia accounting for 29 percent of cases.
Nathan Wenzler notes, “ATMs and gas pumps are common targets, but cardholders should stay vigilant with any card reader, whether it’s at restaurants, retail stores, coffee shops, or elsewhere.”
Wenzler adds that wireless technology allows cyber-thieves to retrieve stolen PINs and card data remotely, making it challenging to catch them in the act.
Ways to avoid ATM skimming
To protect yourself from ATM skimming and prevent your bank account from being compromised, follow these guidelines:
- Opt for Cardless Transactions: Use your smartphone and bank’s mobile app for ATM transactions, avoiding the use of a physical debit card.
- Use Chip-Enabled Cards: Choose debit and credit cards with chip technology, which offer enhanced security.
- Run Debit Transactions as Credit: When using a debit card, select “credit” and avoid entering your PIN. Alternatively, use a credit card directly.
- Utilize Mobile Payment Systems: Leverage mobile payment options like Google Pay, Apple Pay, Samsung Pay, or PayPal for added security.
- Monitor Your Accounts: Regularly check your bank statements for unusual activity and sign up for account alerts and notifications.
In addition to these digital precautions, follow these practical steps to avoid ATM skimming:
- Avoid Secluded ATMs: Use ATMs located in well-lit, secure areas, preferably inside banks or stores. Avoid ATMs in bars, restaurants, or tourist-heavy spots.
- Report Card Issues Immediately: If an ATM fails to return your card, report it to your card issuer right away.
- Inspect the ATM: Check for signs of tampering or skimming devices. Look for damaged or loose parts and ask a store manager to inspect the machine if needed.
- Test the Card Reader: Gently wiggle the card reader to check for loose components or covers, which may indicate a skimming device, advises Wenzler.
- Choose Visible Gas Pumps: Use gas pumps in view of the station attendant or pay inside to reduce the risk of skimming.
- Cover Your PIN: Always shield the PIN pad with your hand when entering your PIN, even if you’re alone.
Beware of e-skimming
While some criminals physically attach skimmers to payment terminals at banks and stores, others commit fraud from the comfort of their own homes.
“Cyber-criminals have embraced a method known as digital skimming or e-skimming,” says Ameet Naik, security evangelist and director of product marketing at Cloudflare. “Rather than installing a physical device on ATMs, they embed malicious code into website scripts to capture credit card numbers from checkout pages on e-commerce sites.”
During an online transaction, businesses collect sensitive information from buyers, including names, email addresses, phone numbers, passwords, and payment card details. “This data is most vulnerable at the point of entry,” Naik explains.
Since the data is harvested from the consumer’s device rather than from the company’s servers, the store, payment processor, or bank often remains unaware of the skimming activity. “The lack of visibility means these attacks can go unnoticed for weeks or even months, giving hackers ample time to gather and sell stolen credit card numbers on the dark web,” Naik adds.
Ways to avoid e-skimming:
- Avoid entering your card number multiple times on a website. “If your trusted merchant offers an option to save your card information for future use, take advantage of it to reduce the frequency of typing in your details,” advises Naik.
- Consider using alternative payment methods like Apple Pay, Google Pay, or PayPal to avoid entering payment card details. “However, ensure that you use strong passwords to protect these accounts and prevent unauthorized access,” Naik recommends.
- Stay vigilant for counterfeit checkout pages that mimic legitimate online merchants. “Be especially cautious if payment transactions seem to fail,” Naik warns. “In such cases, contact your card issuer immediately to place a fraud alert on your account.”
- Regularly check your credit reports and review your bank and credit card statements for any suspicious activity, and report any discrepancies promptly.
In Conclusion
Whether you’re using a physical bank ATM, a point-of-sale terminal, or conducting cardless transactions, there’s always a risk of fraud. While chip-enabled credit and debit cards offer more security than magnetic stripe cards, they are not immune to hacking.
“As long as magnetic stripes are used for transactions, the technology behind skimmers will keep evolving, leading to increased attacks on devices worldwide,” says Wenzler.
However, you can significantly reduce your risk by following the tips provided and staying vigilant.