Picture this: you walk up to an ATM that’s the same brand as your bank. The ATM itself is in a well-lit area, there are lots of families walking around, and there’s even a police officer right on the corner. Everything seems safe, right? You slide your card into the ATM, conduct your transaction, and conclude your business as normal.
The next day, your bank’s fraud alert team is calling you to let you know that in the last 24 hours, your debit card has been used to purchase gas, home goods, and groceries in a city four states away from where you live. They want to know if those transactions are legitimate. Fear and panic, of course, are the first emotions that set in. That money came from your checking account – are you going to get reimbursed (fortunately, yes). Are the police going to find out who did this and bring them to justice (unfortunately, the answer is probably no). And most importantly, how did this happen?
In this case, you’ve been a victim of skimming: theft of credit card information through a physical device, such as a tiny camera that is designed to capture PIN codes as they’re typed a pad, or an overlay device for a card reader that captures sufficient card information to clone the card onto a blank. According to ATM and banking equipment manufacturer Diebold, skimming accounts for 98% of all ATM card fraud. There are over 3 million ATMs globally, and according to the U.S. Secret Service the estimated loss from skimming amounts to about $8.5 billion per year globally, with over $1 billion of that loss occurring in the United States. Skimming is a lucrative business for thieves; according to multiple sources, a skimming device at a single ATM or other card reader (such as the type found on gas pumps, vending machines and other self-service equipment that accepts credit or debit cards) can net a criminal upwards of $50,000.
Unfortunately, card skimming devices are becoming substantially more realistic over time. Security blogger Brian Krebs (www.krebsonsecurity.com) has documented several skimming technologies over the years, including methods that not only capture card data but also attempt to capture the physical cards (and sometimes the cash they provide) so that the thief can go back and take these items after the victim realizes they can no longer recover their card or money. It seems that card skimming and credit/debit card theft are a massively growing problem, and the odds are that each of us encounter these devices at some point in the future.
So how can you ensure that you won’t be a victim? Fortunately, there are several tactics and techniques to mitigate this risk:
- Familiarize yourself with skimming technologies. ATM manufacturer NCR Corporation has developed a helpful “ATM Fraud Inspection Guide” (https://www.ncr.com/sites/default/files/white_papers/17fin6542_atm_fraud_inspection_guide_rgb.pdf) which provides great information on how to detect whether an ATM may be compromised. By familiarizing yourself with how to detect the tools of the trade, you’ll know when to walk away from a potentially compromised card reader.
- Cover your PIN. For debit cards, the PIN represents the “keys to the kingdom.” Many criminals use tiny pinhole cameras placed in a location that allows them to capture the PIN code when entered on a keypad. Coupled with a physical card skimmer, this provides criminals with everything they need to drain accounts. To minimize this risk, ensure that you’re always covering your hand when entering your PIN on the keypad, and always make sure that there no physical person is looking over your shoulder or from an angle when you enter your PIN.
- Opt for EMV if available. EMV of which the most popular type is “PIN-and-chip” in the U.S., provides an extra layer of security for cards. EMV uses a one-time digital token with each transaction that cannot be easily replicated as part of a transaction. While a criminal using a skimmer can duplicate the card itself, they cannot really duplicate this token. The result is that the card cannot be used at POS terminals or merchants that require the use of a chip reader for chip-enabled cards. While this doesn’t stop thieves from using the card online (where the token isn’t required) or at physical locations that don’t yet have EMV support, EMV is growing in popularity in the United States, and this will be a significant detriment to card skimming in the future.
- Use credit cards as opposed to debit cards, when possible. If a debit card is compromised, the money that is lost comes directly out of your account. If a credit card is compromised, the money that is lost belongs to the bank that issued the card. Credit cards offer better protection than debit cards from a maximum loss and recovery perspective.
- Listen to your gut. ATM skimmers, in particular, are more often located in high-traffic areas – such as areas that are heavy tourism locations – under the auspice that they’re likely snag more victims, and a larger percentage of those victims will be from other cities, states and countries. If you don’t feel comfortable using a card device – because you think there are too many people, too few people, not enough light, an ATM that appears to be of shoddy construction, a name on the ATM that you’re not familiar with, or any other reason – then simply don’t use the device.
While skimming fraud is a significant (and growing) fact of life, by using some common-sense protections and knowing what to look for you can minimize the risk that you’ll become the next victim of debit or credit card theft.