Skimming is a man-in-the-middle attack in which the data of credit cards or bank cards is illegally captured for credit card fraud. “Skimming is the illegal process of obtaining card data by reading data from magnetic stripes and copying it onto counterfeit cards.” The counterfeit card is then used to withdraw or pay at the expense of the legitimate cardholder.
How ATM Skimming Works
A typical attack pattern is the simultaneous spying on the magnetic stripe contents of the credit or debit card together with the PIN at an ATM. The data of the debit card is then typically applied to an empty card blank (so-called white plastic), which the fraudsters can then use – together with the PIN – to withdraw cash from ATMs (account plundering). Since the card remains in the possession of the owner, the owner of the account usually does not notice this attack until the bank statements are picked up or when the bank intervenes after the overdraft facility has been overdrawn.
Several variants have now been described for ATMs. What they have in common is that the progressive miniaturization of readers enormously simplifies the manipulation of ATMs. One variant is to attach a reader in the form of a small plastic frame over the card slot of the ATM. The card then simply passes through the additional reader on its way into the machine, and the contents of the magnetic stripe are read. Alternatively, incidents are also reported in which an additional reader has been installed in the door opener of the branch, because access to the anteroom with the ATM often requires the use of the card.
Deep-insert skimming involves inserting extremely thin “card reader bugs” directly into the card slot of ATMs. These bugs consist of a metal plate with a reading unit, memory chip and a very thin battery cell.
The entry of the PIN is usually filmed with a small wireless camera, which is often hidden above the keypad in a glued-on plastic strip (so-called “camera bar”). This is usually hardly noticeable, even for suspicious users. However, entire keypad dummies (skimmers) are also used, which are glued over the actual keypad and simply record the keystrokes. The PIN can even be read from the keypad with a thermal imaging camera after it has been entered.
These attack patterns are possible because access to the card data is controlled by the reader, not by the chip on the card itself, as is the case with more modern smart cards. The card data is unprotected on the magnetic stripe and can be read by anyone. This is different with smart cards: on the one hand, only part of the content can be read at all, and on the other hand, the card itself checks the correct entry of the PIN and locks itself after a certain number of failed attempts. Since many ATMs in many countries are not (yet) designed for smart cards (for example, in North, Central and South America), many of the credit cards or debit cards issued – even if they are equipped with a chip – still contain a magnetic stripe for compatibility reasons, which favors skimming.
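The difference described above, as a simplified model added here as an example (it is not code from the original page, and it is not an implementation of any real card standard). The class names, the three-try limit and all sample values are assumptions made for illustration.

```python
import hmac

class MagstripeCard:
    """Magnetic stripe: static data with no access control on the card."""
    def __init__(self, track_data):
        self.track_data = track_data

    def read(self):
        # Any reader the stripe passes gets the complete contents.
        return self.track_data

class ChipCard:
    """Simplified smart card: the card itself enforces the PIN check."""
    MAX_TRIES = 3  # assumed limit for this model

    def __init__(self, public_data, secret, pin):
        self.public_data = public_data
        self._secret = secret      # no method ever returns this
        self._pin = pin
        self._tries_left = self.MAX_TRIES

    def read_public(self):
        return self.public_data    # only this part is readable

    @property
    def locked(self):
        return self._tries_left == 0

    def verify_pin(self, pin):
        if self.locked:
            return False           # locked: even the correct PIN is refused
        if hmac.compare_digest(pin.encode(), self._pin.encode()):
            self._tries_left = self.MAX_TRIES   # success resets the counter
            return True
        self._tries_left -= 1      # failure is counted on the card
        return False

def demo():
    # All values below are constructed sample data.
    stripe = MagstripeCard("CONSTRUCTED-STRIPE-CONTENTS")
    chip = ChipCard("CONSTRUCTED-PUBLIC-PART", "CONSTRUCTED-SECRET", "4821")
    return {
        "stripe_readout_is_complete": stripe.read() == stripe.track_data,
        "chip_readout_has_secret": "CONSTRUCTED-SECRET" in chip.read_public(),
        "wrong_pins": [chip.verify_pin(g) for g in ("0000", "1111", "2222")],
        "locked": chip.locked,
        "correct_pin_after_lock": chip.verify_pin("4821"),
    }
```

Because the try counter lives on the card, the lock follows the card to every terminal, whereas the stripe hands the same complete data to whatever reader it passes.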
In the case of credit cards, the perpetrators proceed similarly. Here, for example, when paying in a restaurant, the victim’s card is swiped through a second card reader in addition to the regular card reader. Unless the victim has acted with gross negligence, the respective bank will compensate for the damage incurred. If there is a suspicion of theft of the data, a card can be blocked by placing a phone call to the card issuer.
Anti-skimming modules combine several defense mechanisms, which can make skimming almost impossible.

Signs of ATM Skimming
- Loose or protruding card reader components
- Misaligned or malfunctioning card reader
- Unusual or unexpected prompts on the ATM screen
- Suspicious-looking attachments or overlays on the ATM keypad or card slot
- Hidden cameras or suspicious individuals loitering near the ATM
Protecting Yourself Against ATM Skimming
While ATM skimming remains a pervasive threat, there are several measures you can take to protect yourself against falling victim to this type of fraud. Be aware of your surroundings when using ATMs and look out for any signs of tampering or suspicious activity.
Shield the keypad with your hand when entering your PIN to prevent hidden cameras or onlookers from capturing it. Whenever possible, use ATMs located in well-lit, high-traffic areas or within bank branches, as they are less likely to be targeted by fraudsters.
Before using an ATM, visually inspect the card reader, keypad, and surrounding areas for any signs of tampering or unusual attachments. Regularly review your bank statements and transaction history for any unauthorized or suspicious activity, and report any discrepancies to your bank immediately.
Consider enabling transaction alerts on your bank account to receive notifications of any unusual or large transactions, allowing you to act quickly in the event of fraud. Whenever possible, opt for contactless payment methods such as mobile wallets or contactless cards, which are less susceptible to skimming attacks.
By remaining vigilant and taking proactive measures to safeguard your personal and financial information, you can minimize the risk of falling victim to ATM skimming and protect yourself against financial fraud and identity theft. Remember, when it comes to ATM security, vigilance is key.