Payment methods have evolved greatly over the years, from barter to coins and then later to paper money and checks. Each of those payment methods had its own weaknesses and vulnerabilities: Checks can be forged, money can be stolen and you can’t conveniently carry enough chickens for large purchases.
In recent decades, credit and debit cards have become the preferred payment methods for many of us. Unfortunately, those also have their vulnerabilities, from low-tech theft to high-tech data breaches. One persistent threat to card users is skimming, the use of an illicit card reader to steal the data from your credit or debit card. Unlike many other threats, this is one you can spot and avoid if you know what to look for.
What Is a Credit-Card Skimmer?
If you look at the card readers in ATMs, gas pumps and point-of-sale terminals, you’ll see that there are just a few basic physical formats used across most machines. Criminals are nothing if not imaginative, and at some point an unsung hero of the underworld realized that these readers could be hijacked with relative ease.
That’s how skimming works: Criminals construct a card reader of their own, designed to resemble and fit over the machine’s legitimate card reader. When you insert your credit or debit card, it’s read by the legitimate machine and everything seems to work as it should, but the criminals also get access to all the information stored on your card.
The criminals return periodically to retrieve the data, which they can then use to create a working duplicate of your card. It doesn’t take a lot of imagination to realize that this is a Very Bad Thing.
Spotting a Credit-Card Skimmer
The good news is that because skimming relies on a physical piece of equipment, it’s something you can identify by simply paying attention. The illicit reader needs to be installed over the legitimate one, so give the machine a good once-over before inserting your card. Does the reader move if you try to wiggle it? Is it a match for the color and materials used in the rest of the machine? Does it partially obscure some of the molded details on the machine? Does it seem to stick out farther than the ones on neighboring machines?
Aside from the reader itself, look at the rest of the machine. Does it have any holes in it, or unexplained plates or decals that you don’t recall seeing on similar machines? On a gas pump there’s often a security seal right at eye level to show whether the panel has been opened and tampered with. The access panels on ATMs usually have similar seals, though they’re not as obvious.
Scammers also want your PIN, which makes your card information significantly more useful. Sometimes they’ll install a new keypad over the legitimate one on the machine, which is relatively easy to spot if you’re already being vigilant. You should also look for a pinhole camera mounted somewhere above the PIN pad (on a wall, ceiling or even the machine itself), where it can see and record your finger presses. There may even be a “shoulder surfer” apparently waiting for the machine, but really recording your hand’s movements on their phone’s camera.
Know Where Skimmers Are Likeliest
Another level of protection lies in knowing where you’re most likely to see skimmers. The criminals who operate these machines need uninterrupted access in order to install and remove the skimmers and harvest data from them. The last thing they want while they’re going about their business is curious onlookers wondering what they’re up to.
This means skimmers are likelier at less-trafficked locations, where constant interruptions are less likely. Busy, well-lit spots are problematic for the criminals, so they favor quieter locations with less lighting and few or no security cameras. Inside stores, they’ll gravitate to machines that aren’t monitored by security cameras and are blocked from the cashier’s view (good store design can eliminate that risk).
Gas stations are another common location for skimmers, because the outermost pumps (facing away from the cashier) are relatively easy to meddle with. Again, watch for a lack of lighting and the absence of security cameras. If the location seems favorable to skimmers, scrutinize it closely.
What To Do If You Spot a Credit-Card Skimmer
If you believe you’ve spotted a skimmer in the wild, your first response should be the obvious one: Don’t use that machine. Take a few photos of the device with your phone, if lighting permits, so you’ll have some proof to show in case the scammers should return and retrieve their skimming device.
Next, report the incident to your local police — because you have, after all, detected a crime in progress — and, if it’s during regular business hours, to the business’ management. There is a possibility that a rogue staffer may sometimes be an active participant in the skimming scheme, so simply reporting it to whoever’s working won’t necessarily get the job done (and might, in a worst-case scenario, earn you a knock on the head from one of their associates).
Protecting Yourself From Skimming Attacks
You won’t always be able to spot a skimmer, and newer “shimming” attacks use a smaller card reader that fits invisibly inside the machine. Those are especially sneaky, since the only telltale sign of their presence is that your card may not slide neatly into the machine. That being said, there are a few extra steps you can take to protect yourself against skimming and shimming.
The most obvious is to stick to using your card only in well-lit, high-traffic locations. A second is to pay by tapping whenever possible, rather than inserting or swiping your card. Better yet, use an electronic wallet such as Apple Pay or Google Pay on your phone.
If your card gives you the choice, use it in credit-card mode rather than debit mode, so you don’t need to use your PIN and potentially give it away. Physically shield the keypad from view whenever you do enter a PIN, to protect against prying eyes.
Recognizing When Your Card Has Been Compromised
Unless you detect a skimmer yourself, or read in the news about a skimming ring being broken up by police, you likely won’t know that your card has been skimmed. At this point it’s the same as any other form of data breach or identity theft: What counts is that your credit-card data is now out on the open market, and that’s bad news.
There are plenty of signs to show that your personal information has been compromised. The best way to spot them is through personal vigilance: Monitor your bank and credit-card accounts closely, and request copies of your credit report regularly (you’re entitled to a free one every year from each of the Big Three agencies, so that’s one every four months if you spread them out). If you see new accounts that you didn’t open, or purchases you didn’t make, that’s a big red flag.
If you want to be proactive about the risk of falling victim to identity theft or credit-card fraud — whether it begins with skimming or not — your best bet may be an identity-theft prevention service like Spokeo Protect. It monitors the shady internet marketplaces of the Dark Web, where personal information is bought and sold, and provides you with an alert if your own information shows up. That gives you the heads-up you need to take action.
What To Do If Your Card Has Been Compromised
If you’re warned that your card may have been compromised, either by Spokeo Protect or by news coverage of a skimming ring, there are some steps you should take. If you suspect you’re at risk but haven’t yet seen any illicit activity on your card, you might place a credit freeze or credit lock with the credit-reporting agencies. That makes it harder for scammers to open up new credit in your name. You might also consider preemptively closing the affected credit-card account, or having the carrier issue you a new card with a different number and cancel the old one.
If there is fraudulent activity on your account already, you’ll have more work to do. Start by placing a fraud alert with your bank or credit-card company and challenging the bogus transactions. You should also place a fraud alert with the main credit-reporting agencies and report your problem to the FTC’s ReportFraud website (or IdentityTheft.gov, if your credit-card problem seems to be part of a larger identity-theft issue). In order to get fraudulent charges reversed, it’s possible you may also need to file a police complaint with local law enforcement.
Ultimately, protecting yourself from this kind of crime comes down to your own vigilance: both in person whenever you use your cards and on an ongoing basis by paying attention to your own accounts and credit report. Unlike so many risks of modern life, this is one you can — at least in part — manage and control.