When we think about cyber security threats, we tend to think of computers.   But not all threats involve computers – at least not the kind you may have on your desk.   Information theft via card skimming devices is becoming more sophisticated and increasing at an alarming rate.

Card skimming is the use of an illegal device to capture credit or debit card information when the card is swiped.  These devices are often found on ATMs and gas pumps, but they can be found anywhere a card swipe device is used to transact business.  Many of these devices are built to fit over the existing parts of a machine and they blend in very well.

Here is an example of one style of a skimming device.  Once installed, it looks like it is part of the machine and is very difficult to detect.

The purpose of a skimming device is to read the magnetic strip on your card and store the information.  A typical credit card has three tracks on the magnetic strip.  Track 1 and Track 2 contain card and card holder information.  This information is pulled from the card by the skimmer and stored on the illegal device.

If the keypad of the machine you’re transacting on was also replaced, your PIN can be captured as well.  The thief simply comes back to the machine with the skimmer installed, removes it, and downloads the stored information into a computer.   The information can then be used to conduct fraudulent transactions, or the information list can be sold to others for the same purpose.

Your card can also be skimmed when you are not personally doing the swiping.  How many times have you paid for a meal at a restaurant and your card leaves your sight?  A dishonest employee could use a skimming device in the back room to capture your information.

A true skimming device does not even need to be used for this type of data theft.  A USB magnetic swipe device can be purchased online for under $50.  These devices connected to a computer would allow a thief to scan a card directly into Microsoft Word (or any other document program).  The swipe acts no differently than a keyboard – reading the data and inserting the contents into a document.

Here are some things you can do to help avoid becoming the victim of a skimming device:

  1. Look Around: Skimming devices must be installed on a machine.  The thieves obviously don’t want to be caught installing the device so they’ll tend to target machines that are hidden from view or in areas that are not well-lit.   Also make sure there are no cameras nearby that could be recording your entry on the keypad.  Always keep your card hidden from view and cover the pad when typing in your PIN.

 

  1. Examine the Machine: Inspect the machine you’re about to use. Does the keypad and swipe slot look like they belong on that machine?  Are the materials and colors a match to the machine?  If you’re at a gas pump, do all of the keypads and swipe slots look the same on every pump?  Does the swipe slot and keypad feel loose?  Skimming devices are designed to be removed so they usually won’t be permanently attached to the machine.  If it feels loose, be suspicious.  Look for signs of tampering – are there pry marks or is the security seal tape broken?

 

  1. Change Your Habits: If you’re at a bank, go inside and use the ATM in the lobby rather than the one in front of the building.  Pay for your gas inside.  The credit card scanner behind the counter is far less likely to be the target of a skimmer than the one at the pump.

 

  1. Select the Correct Card: If your debit card is skimmed for information you could be handing over access not only to the account your card is linked to, but to any other account linked to that account.  A better choice is to use a credit card – and preferably one with a chip.  When a chip card is used, your card is authorized on the device and your personal information is not transmitted.  Although it’s not impossible for an EMV device to be compromised, it is much more difficult.

 

  1. Watch Your Accounts: Keep a close eye on your credit card transaction activity and monitor your credit reports.  If using debit cards, watch your balance closely.  Consider putting alerts on your accounts to advise you of suspicious transactions.  If you see something suspicious, report it immediately.

 

The next time you pull out your credit or debit card to transact business, take note of your surroundings and the steps you are about to take.  If something doesn’t feel right, don’t swipe that card.

For a much more in-depth explanation of skimming and a gallery of examples of skimming devices, visit this excellent Krebs on Security page.