
How to find and avoid credit card skimmers

Don't fall victim to this devious trick.


David Gilmour


Posted on Aug 29, 2016   Updated on May 26, 2021, 3:55 am CDT

Using a simple device that can be legally purchased online for as little as $70 and fixed to a credit card reader in seconds, fraudsters can empty your entire bank account. 

It’s called credit card skimming, and, aside from testing the limits of current credit card technology, it’s costing financial institutions and consumers worldwide upwards of $2 billion. So, what exactly is it and how can you avoid falling victim? We decided to find out.

What is a credit card skimmer? 

Basically, it’s a device that fraudsters use to harvest and store your personal banking information, all while you believe you are engaging in a normal transaction. A full range of credit card skimmers is available to buy, each exploiting different vulnerabilities in banking and card technology. They have been found fixed to ATMs, card payment machines, pay phones, and gas pumps.

“Skimmers can show up anywhere that you can insert a credit card,” Tom Keenan, an author and professor at the University of Calgary who has researched the fraudulent phenomenon, tells the Daily Dot.

“A big issue is that some deluxe new skimmers are so thin that they can be put inside the card slot, making them almost impossible to detect.”

Where is a credit or debit card most vulnerable?

The magnetic stripe technology on every credit card lacks a number of basic layers of protection, even though it contains all the financial data needed to make a transaction. In a skimming threat model, the magnetic stripe is the biggest design flaw.

For that reason, stripe skimming is the oldest and most lucrative skimming scam in the book. A thief can ‘clone’ a card by subtly swiping the card’s black magnetic stripe through an encoder. This data can later be written onto a new counterfeit card or sold online on ‘carder sites.’

But what about chip-and-PIN, isn’t that safe?

EMV chip technology, or chip-and-PIN, was introduced to combat skimming fraud by encrypting the financial and personal data that was originally in the magnetic stripe onto a microchip. This encryption system was made even more secure by adding a second authentication step, a personal identification number (PIN).

Still, credit card skimming thieves have tried to crack this, too, relying on unthinking or naive card owners. 

“Even with EMV there are ways to make the PIN entry fail and merchants then default to using the stripe,” Keenan explains. “They sometimes install hidden cameras to capture the numbers from watching your fingers as you enter your code.”

Not all fraudsters are so crudely amateur though, Keenan adds. “As shown at [cybersecurity conferences] DEFCON and Black Hat this year, if the bad guys can get into, say, an ATM machine (some researchers bought one and modified it) they can insert what they call a ‘shimmer,’ which can defeat chip-and-PIN and also communicate with other ATM machines.”

Despite the dedication to cracking ATMs, some experts claim that the mass rollout of contactless technology leaves users potentially as vulnerable as in the days before EMV.

How can you avoid falling victim?

Protecting yourself is part common sense, part vigilance.

When performing a transaction, understanding where the skimmer is likely to be is a good start. Keenan’s best advice is to “be suspicious” of card slots or requests to use your magnetic stripe. “Wiggle the plastic” card entry slot, especially if it looks poorly attached, he suggests. Look around the ATM for cameras before you use your PIN, and always cover the keypad as you type.

As skimming technology becomes ever more subtle, it will become increasingly difficult to spot a compromised machine. A good practice is to “check your credit card and bank statements (for debit cards) for suspicious transactions and report them promptly.”

If you’re really worried, you can always use cash.

*First Published: Aug 29, 2016, 6:00 am CDT