We all know that our credit cards or debit cards could be stolen or misused – either through physical theft or through online phishing. But there’s another tool scammers can use to steal your credit or debit card number — card skimming. We discuss the phenomenon of card skimming, detail how it has evolved over the past several years and break down how you can avoid getting skimmed.

What is card skimming?

Card skimming is a process by which payment information is harvested from a card-reading terminal. Usually scammers insert a physical device that’s wired into checkout terminals and ATMs. Once devices are attached to card readers, they can transmit or store payment data. EMV cards have likely reduced the severity of card skimming, given that EMV chips provide a unique code for every transaction — unlike magnetic stripe cards, which use your card’s information to process every payment. But since the EMV rollout is still ongoing, a number of consumers lack chip cards. Additionally, some vendors continue to use out-of-date systems that are incompatible with EMV, forcing customers to pay with magnetic stripes.

How have card-skimming devices evolved over the years?

A number of security experts have noted the appearance and function of skimmers at every phase of their evolution. There are several things, however, that make today’s skimmers particularly unnerving:

1. They’re a lot more inconspicuous. Old skimmers tended to be clunky and, in some cases, placed haphazardly. There were exceptions, but once consumers started becoming educated about skimming, they could somewhat reliably avoid it. Today’s skimmers are more sophisticated, generally being smaller and hidden within components almost indistinguishable from those of the machines they hijack.

2. Skimming devices are unique. Since the sophistication of skimming has increased, no two skimmers are alike. Scammers now have a number of different ways to install skimmers – from micro-cameras to keyloggers to onboard Bluetooth and infrared transmitters – and each skimmer “skims” consumers in different ways. With the techniques used to hide skimmers also improving, this means each skimmer can be perfectly adapted to a specific brand or type of terminal.

3. Location doesn’t matter as much anymore. The common wisdom used to be that you’d be safe from skimming if you stuck to using card terminals and ATMs in open, well-lit and public places, but that isn’t as much of a guarantee as it used to be. The small size and adaptability of newer skimmer designs mean that scammers can now install skimmers quickly and in more places.

4. EMV “shimming” is the new skimming. Unfortunately, even EMV cards — thought to be nearly impervious to existing forms of fraud — are being targeted with a technique similar to skimming. Dubbed shimming, the technique involves a paper-thin shim placed within the slot where the EMV card is to be dipped. Although EMV chips utilize a one-time-use code, most EMV cards have both chips and magnetic stripes, so the information needed for both types of transactions is on the card. As such, scammers use this as an opportunity to steal the credentials associated with the magnetic stripe and clone them onto a traditional credit card. The good news is that even with stolen payment information, making purchases is getting harder as the number of terminals accepting non-EMV cards is decreasing, even if somewhat slowly.

How can you avoid having your card skimmed?

Despite skimming’s continual evolution, the fundamentals regarding how to stay safe remain relatively unchanged. Whenever you’re out shopping, you should keep the following in mind:

1. Inspect your surroundings. While the tell-tale signs of hijacked card terminals are more covert than they used to be, you can still benefit from taking note of your surroundings. For example, is there a camera facing behind you at your ATM or by the keypad on the terminal? If so, it wouldn’t hurt to put your hand over the PIN pad as you type (or to leave that ATM entirely). You should also be mindful of other subtle issues, like extremely stiff keys or neighboring card terminals with slight differences in appearance, as these could indicate tampering.

2. If you’re suspicious, shake payment systems. Skimmers, by design, generally come out easily so that they can be retrieved by scammers. This means that shaking and pulling terminals, whenever you’re feeling suspicious, is a valid way to inspect if a terminal has been hijacked.

3. Don’t enter a PIN if you don’t have to. If you’re using a card for payment, you should generally opt to use a credit card over a debit card, given all of the protections available to credit card users. If you still prefer to use debit, be sure you run the transaction as credit so you can pay without using your PIN — the cashier should be able to help you with such transactions, as this is a pretty common request.

4. Beware of transactions that force your card to “default” to using magnetic stripes. Although this hasn’t really been seen outside of the lab, several security researchers have demonstrated that it is possible to force EMV-compatible terminals to reject a card’s EMV chip and require the customer to pay with the magnetic stripes. This was used in scams in Europe, where the technology is older, but it has yet to be seen in the U.S. Regardless of how viable this technique may be, make sure to avoid using your card’s magnetic stripes, especially when EMV is an option.

5. Use NFC or other contactless payment options if possible. Newer forms of payment like contactless pay, Apple Pay, Android Pay or Samsung Pay solely use unique payment tokens, as opposed to data associated with your credit card, making them slightly more secure than EMV cards, which, as we mentioned earlier, hold data for both the chip and the magnetic stripe.

6. Always monitor your accounts. This last point is a given, but it’s something worth repeating. You should have a regularly scheduled time, like every week, where you look over bank and credit card statements. Not only could this protect you from fraud, but it can also allow you to catch any potential errors your bank or card issuer might have made on your statements.

Although you can’t protect yourself from every type of fraud or cyberattack, being aware of the threats and knowing what to look for can go a long way. For more information about security and avoiding fraud, keep reading our scams blog.