ATM skimming is a type of payment card fraud. It is a way of stealing PINs and other information off credit cards and debit cards by rigging machines with hidden recording devices.
Bank ATMs and payment terminals at gas pumps and other merchants are the targets of this scam. Thieves then use the stolen information to produce fake cards and spend victims’ money or take cash straight from their bank accounts.
“If they are able to retrieve the card number itself, it’s common to use those in online marketplaces or to sell the card numbers in batches to other criminal groups who may attempt to use them for fraudulent purchases,” says Nathan Wenzler, chief cybersecurity strategist at Tenable, a cybersecurity firm in Columbia, Maryland.
Here is what you need to know about ATM skimming and how to protect yourself.
Methods of ATM skimming
Thieves employ several techniques to steal data that’s embedded in the magnetic stripe on credit and debit cards:
A plastic overlay placed over the ATM keypad captures PINs as they are entered.
An overlay placed over the card insertion slot records the data on the magnetic stripe.
Tiny cameras placed on an ATM record keypad entries and your fingers as you type.
An overlay that covers the whole ATM faceplate is embedded with cameras and card-slot and keypad overlays.
“Skimmers are getting harder and harder to detect, especially with the advent of 3-D printers and other inexpensive fabrication devices,” warns Wenzler.
Even chip-enabled payment cards, which are more secure than magnetic stripe cards, are vulnerable to theft. By placing a super-thin shim between the chip and the chip reader inside the ATM, thieves can capture your PIN and other card information. These devices are called “shimmers,” and as chip technology becomes more prevalent, they are starting to supplant skimmers as thieves’ choice tool.
How prevalent is ATM skimming?
You hear quite a lot about ATM skimming these days, especially at gas pumps. It’s a scam that costs consumers and U.S. financial institutions more than $1 billion each year.
“ATMs and gas pumps are certainly the most common targets,” Wenzler says, “but customers should be aware and vigilant of any card reader anywhere, whether that’s restaurants, retail stores, coffee shops or wherever else you may swipe your card.”
Wenzler notes that advancements in 3-D printers that can replicate an ATM’s card reader are making skimming cheaper, easier and more accessible to less sophisticated criminals.
“Plus, they can sell or share these (skimming) blueprints with others, making it easier to scale up attacks wherever that particular model of ATM is used … This makes it even harder for law enforcement to track and trace who is performing these kinds of attacks,” he says.
Also, wireless technology enables cyber-thieves to retrieve stolen PINs and other card data “without approaching the ATM ever again, making it very difficult to catch them in the act,” Wenzler says.
Ways to avoid ATM skimming
To avoid becoming a victim of ATM skimming and possibly having your bank account cleaned out, follow these tips:
Go with cardless ATM transactions. Using your smartphone and your bank’s mobile app, you can conduct ATM transactions from anywhere, without a physical debit card.
Use debit and credit cards with chip technology, which is more secure.
Run your debit card as a credit card transaction and don’t enter your PIN.
Avoid using a debit card if you have linked accounts. Use a credit card instead.
Use a mobile payment system such as Google Pay, Apple Pay, Samsung Pay or PayPal.
Check your bank statements regularly for suspicious transactions; get account alerts and notifications.
Besides using safer payment methods, there are some physical, common-sense ways to avoid being an ATM skimming victim:
Don’t use ATMs located in dark, out-of-the-way places, in bars and restaurants or in areas with lots of tourists. Go to your bank or inside a store to use an ATM.
If the ATM doesn’t immediately return your card after the transaction, waste no time in reporting it to the card issuer.
Look over the ATM for signs of skimmers or ask the store manager to do it for you. Don’t use ATMs that have damaged or loose parts or look as if they have been tampered with.
“Try wiggling the card reader area to see if it feels loose or if there is a ‘cover’ over it,” advises Wenzler. “That could be a sign of a skimmer having been placed on top of the actual card reader itself.”
Use a gas pump that is within view of the gas station attendant or pay inside.
Cover the PIN pad when you enter your PIN.
Beware of e-skimming
While some criminals skulk around banks and stores to attach skimmers to physical payment terminals, other criminals steal your credit and debit card data without getting out of their pajamas.
“Cyber-criminals now practice the concept of digital skimming or e-skimming,” says Ameet Naik, security evangelist and director of product marketing at PerimeterX, a California-based cybersecurity company. “Instead of placing a physical device on the ATM, they inject a piece of malicious code into a website script that skims credit card numbers from checkout pages on e-commerce sites.”
When there is an online payment transaction, the business collects personal data from the buyer, explains Naik. This usually includes name, email address, phone number, password, payment card data and verification code. “This data is most vulnerable at the point of entry,” Naik says.
The store, payment processor or bank is often not aware that skimming has occurred, Naik says, because the information was taken from the consumer’s device, not a company server.
“The lack of visibility means that the attacks often go undetected for weeks or months, while hackers yield a rich bounty of credit card numbers to sell on the dark web,” he says.
Ways to avoid e-scamming:
Don’t enter your card number repeatedly on a website. “If your trusted merchant has an option to save the card number for future purchases, choose it so as to minimize the times you have to type in your information,” advises Naik.
Use alternative payment methods such as Apple Pay, Google Pay or PayPal so that you don’t have to type in payment card information. “However, consumers must ensure they use strong passwords to secure these services and avoid account compromise,” Naik says.
Be on the lookout for fake checkout pages that impersonate an online merchant. “Be especially wary of payment transactions that appear to fail,” warns Naik. “If that happens, immediately contact the card issuer who can place a fraud alert on your account.
Monitor your credit reports and bank and credit card statements routinely for suspicious activity, and report it right away.
Whether you are using a physical bank ATM, a point-of-sale terminal at a merchant or doing cardless ATM transactions, there is always a risk of fraud. Chip-enabled credit and debit cards are safer than magnetic stripe cards, but even those can be hacked.
“Frankly, until we can move away from using magnetic stripes for transactions, the technology that creates skimmers will continue to advance and improve, resulting in more attacks against more devices against the globe,” Wenzler says.
To minimize your risk exposure, follow the tips and advice outlined here and stay vigilant.
How do cardless ATMs work? Pros and cons
ATMs in a pandemic: How to interact with the touch machine
Worried about mobile banking security? Follow these best practices