ATM Skimming: It’s About To Get Worse

What is ATM Skimming?

Mom & baby in train station
••• images by Tang Ming Tung / Getty Images

What is ATM Skimming?

Automatic teller machine skimming occurs when a criminal places a small device over the card slot on an ATM. This device looks like the original card slot, and it blends into the face of the ATM. To an untrained eye, there is nothing that looks different, but when the card slides through the slot, all of the information on the magnetic strip is read, or “skimmed.” This is a common practice because the technology is easy, and there is not yet technology to protect the plastic card system, which is antiquated.

There are two parts of the devices that allow criminals to take the data from the card. First, there is the skimmer device itself, and second is a tiny, wireless camera that records the PIN as the user types it into the keypad.

Some of the places where the cameras are often hidden include:

  • In the brochure holder of the ATM
  • In the light bar at the top of the keypad
  • In the speaker on the face of the ATM
  • In a box behind the small mirror on the ATM

The traditional way to get a card number is to place the phony card reader on top of the ATM card reader, and then come back to get it. These days, however, it is possible to send the information via Bluetooth through SMS technology that is built right into the skimmer. When you couple that with keypad overlays and wireless cameras, it is easier than ever to get a PIN number.

These thieves are also brazen enough to look for work that will give them ATM access. When they have these jobs, they install software that can transmit a PIN to their personal mobile device. Since these transmitters and memory chips are so thin and light, they often go undetected.

Thanks to technological advances, criminals are getting the upper hand when it comes to ATM skimming. If you must use an ATM, it is best to use one that is located inside of the bank, and wherever you use it, you should make sure that you thoroughly inspect the machine before you swipe your card.

Different Scams Associated with Skimming

There are a number of different scams that are associated with ATM skimming. They are as follows:

  • Fake ATMs – In this case, the crook will actually install a fake machine in an area that will attract users. What the victims don’t know is that every time they swipe their card, the thief gets their information.
  • Wedge Skimming – This is when an employee runs a card through a reader tool that transfers the data collected from the magnetic strip of the card. The crook then downloads this information, burns it onto a fake/cloned card, and then uses that card to make phone or online orders.
  • Data Intercepting – This practice occurs when a crook poses as a serviceman at a gas pump, for instance, unlocks the pump with a special key, and then installs a device to read any card that is swiped through it.
  • Point of Sale Swapping – POS Swapping occurs when a skimming device is placed at a card terminal where a purchase is made. No retailer is safe, and even companies such as McDonald’s have been a target.
  • ATM Skimming – As mentioned, this is when a thief installs a card reader and camera into an ATM machine. They are very inconspicuous, often wireless, and can read the PIN and card data.

You Can’t Just Buy an ATM, Right?

DEFCON is an annual convention that occurs in Vegas each year, and the convention brings hackers from all over the world. At a DEFCON, a few participants set up a fake ATM near the convention center security office. Other hackers started using it, and the hackers were able to get their information.

After hearing this story, I wanted to see how easy it was to buy an ATM and set it up. Surely, it’s not, right?

I started my search on eBay, and to my surprise, I found several new and used ATMs that ranged from $500 to $2,500. I decided that I didn’t want to pay that much, and shipping charges were about $300, so I looked local. I tried Craigslist and read a post from a bar owner north of Boston who was getting rid of various items including old beer signs, pool tables, and an ATM.

I met a guy, Bob, at the bar with a friend of mine who is a white hat hacker, one of the good guys. The bar was old and closing down, and Bob was helping the owner sell the assets, including the ATM. The machine was near the bar, and my hacker friend got to work. He looked at the manual, got the machine working, and then determined that it was worth the $750 price. We loaded it onto a trailer and took it to my garage. The first thing the next morning, I took some rubber gloves, a bottle of Windex, a couple of paper towel rolls and took the ATM apart.

When my friend, the hacker, got to my garage a bit later, he had the manual and was giddy with excitement. “Watch this,” he said, and then punched in the machine’s master code. This allowed him to access the data on the machine from the memory chip, which is called an “EPROM.” What happened? We got a printout of several hundred debit and credit card numbers. Scary, right?

Things are Getting Worse!

A recent report from FICO says that crimes concerning “skimming” have made a huge spike in the past two decades. This includes bank ATMs, of course, but public ATMs have seen the biggest increase. When the thieves access your stolen data, they can do so much with it from taking the numbers and withdrawing cash to creating a phony debit card that they can use for online or phone purchases, as they will not need a photo ID. Before you know it, your bank account is totally sucked dry!

The beauty of this, for thieves, anyway, is that this is such a simple process that ATM users don’t even realize that they are getting scammed until it is too late. To the victim, they simply swipe their card and access their money. The thief, however, has a plan, and the damage can be done in a matter of hours or even minutes:

  • He comes back to the ATM in the middle of the night
  • He downloads the data from all of the cards that were swiped on that machine
  • He burns this information onto a phony card and starts shopping
  • Need a PIN? No problem. He also has access to a camera that he has affixed somewhere on the ATM machine to record the numbers the victims press

Skimming Scam Protection

There are some practices that you can use to protect yourself from the skimming scam:

  • Only use an ATM that is inside of a bank. The riskiest ATMs to use include those located in bars, restaurants, public kiosks and nightclubs.
  • Regardless of the ATM location, take a look at the machine. If the scanner’s colors do not jibe with the rest of the colors, this is a red flag.
  • Try to jiggle the card slot to see if there is anything attached to it.
  • Take a look at the card slots when at gas stations or other non-ATM card readers that can scan a debit card.
  • Examine the area where a camera may be hidden. Even if all is clear, when entering the PIN, cover your hand.
  • If you can avoid using a debit card, you should. With a credit card, at least, you can dispute the charges before you lose money. With a debit card, this isn’t usually possible.
  • Check your bank and credit card statements frequently.

Always Protect Your Cards

Here are some ways that you can protect your debit and credit cards:

  1. Some only make any online payments with a prepaid or single-use cards.
  2. If you have recurring payments for any account, only use one credit card to pay them.
  3. When shopping, use a prepaid or one-time use card. Though a single-use card is linked to your actual card number, it prevents your real number from being exposed. Citibank, Discover, and Bank of America all offer single-use numbers.
  4. A prepaid card is different than a single-use card as it is not connected to your real card. If the prepaid card is stolen, you can replace it without affecting your account.
  5. If you have access to a debit card, do not shop with it. Use it to take funds out of the ATM only. If a thief gets your debit card number, the money instantly could be stolen from your account.
  6. Though you will get reimbursed for any fraud that occurs with a debit card, it only happens after your account has been wiped out. So, avoid using a debit card at places where it’s easy for a crook to compromise a reader, such as casino machines or gas stations.
  7. Before using your debit card, always look for any signs of tampering on the card reader, such as a small camera that can capture the PINs.
  8. Set up text or email notifications through your credit card company or bank to alert you of any charge. This way, if an unauthorized charge comes in, you will find out immediately.  
  9. What do I do? I use my credits cards for everything. Online, over the phone, etc. I don’t use prepaid or single use etc. I simply pay attention to my statements and get text and email alerts for every charge in real time.