Credit card skimmers explained: How they work and how to protect yourself

What is a credit card skimmer?

In the security industry, a skimmer has traditionally referred to any hardware device designed to steal information stored on payment cards when consumers perform transactions at ATMs, gas pumps and other payment terminals. More recently, the use of the term has been extended to include malicious software or code that achieves the same goal on e-commerce websites by targeting payment card data inputted during online purchases.

Whether hardware- or software-based, skimmers are tools that enable fraud. The data they capture is used to either clone physical payment cards or to perform fraudulent card-not-present transactions online.

How card skimming devices work

Physical skimmers are designed to fit specific models of ATMs, self-checkout machines or other payment terminals in a way that is hard to detect by users. Because of this, they come in different shapes and sizes and have several components.

There is always a card-reading component that consists of a small integrated circuit powered by batteries. It is usually contained in a plastic or metal casing that mimics and fits over the real card reader of the targeted ATM or other device. This component allows criminals to get a copy of the information encoded on a card’s magnetic strip without blocking the real transaction the user is trying to perform.

A second component is usually a small camera attached to the ATM or a fake PIN pad that covers the real one. The purpose of this component is to steal the user’s PIN, which, along with the data stolen from the magnetic strip can enable criminals to clone the card and perform unauthorized transactions in countries where swipe-based transactions are still widely used.

However, as many countries around the world have moved to chip-enabled cards, criminals have adapted, too, and there are now more sophisticated skimmer variations. Some skimming devices are slim enough to insert into the card reading slot — this is known as “deep insert.” Devices called “shimmers” are inserted into the card reading slot and are designed to read data from the chips of chip-enabled cards, though this is effective only against incorrect implementations of the Europy, Mastercard and Visa (EMV) standard.

Skimmers can also be installed completely inside ATMs, typically by corrupt technicians or by drilling or cutting holes into the ATM cover and covering them with stickers that appear to be part of the intended design. A Visa report shows pictures of several types of physical skimmers found on ATMs around the world as well as modified standalone point-of-sale (POS) terminals sold on the underground market that can be used to steal card data.

How to avoid credit card skimmers

Because of the large variety of skimming devices, there isn’t any single way that consumers can avoid becoming a victim. Recommendations include:

• Avoid using ATMs that are installed outside buildings or are located in poorly lit areas. When deploying skimmers, criminals target ATMs that don’t see a lot of foot traffic, are not inside banks or stores, and are not covered by many security cameras. They also tend to install skimmers during weekends, when they’re less likely to be seen, so try to avoid withdrawing cash from ATMs during weekends if possible.
• Wiggle or tug on the card reader and the PIN pad to see if they come off or move before inserting your card. Criminals typically use low-grade glue to attach skimmers because they need to return and recover them. This video shows a cybersecurity professional discovering a skimmer attached to an ATM on a street in Vienna.
• Look for signs of tampering such as unusual holes, pieces of plastic or metal that look out of place, components of a color that doesn’t match the rest of the ATM, stickers that aren’t aligned properly. If there are visible seals on the machine for the service locks, check if they seem broken.
• Cover the PIN pad with one of your hands while entering your PIN to prevent any rogue camera from recording it. This won’t help in cases where there’s a rogue PIN pad, but it’s good practice.
• If your card has a chip, always use the chip-enabled card reader of POS terminals instead of swiping the card.
• Monitor your card statements for unauthorized transactions. If your bank offers app-based or SMS-based notifications for every transaction, turn the feature on.
• If your bank allows it, put a limit on how much cash can be withdrawn in a single transaction or over a period of 24 hours.
• Use a debit card attached to an account where you keep a limited amount of money and can refill it easily when you need more, instead of using a card attached to your primary account that has most or all of your funds.

Software skimmers

Software-based skimmers target the software component of payment systems and platforms, whether that’s the operating system of POS terminals or the checkout page of an e-commerce website. Any software that handles unencrypted payment card details can be targeted by data skimming malware.

POS malware, also known as RAM scraping malware, has been used to perpetrate some of the largest credit card data thefts in history, including the 2013 and 2014 breaches at Target and Home Depot that resulted in tens of millions of cards being compromised.

POS terminals have specialized peripherals such as card readers attached to them, but otherwise are not very different from other computers. Many use Windows and run cash-register-type applications that record transactions.

Hackers gain access to such systems through stolen credentials or by exploiting vulnerabilities and deploy malware programs on them that scan their memory for patterns matching payment card information — hence the RAM scraping name. Card data, except for the PIN, is generally not encrypted when passed from the card reader to the application running locally, so it can be easily copied once identified in memory.

Web-based card skimmers

In recent years, POS vendors have started to implement and deploy point-to-point encryption (P2PE) to secure the connection between the card reader and the payment processor, so many criminals have shifted their attention to a different weak spot: the checkout process on e-commerce websites.

These new web-based skimming attacks involve hackers injecting malicious JavaScript into online shopping sites with the goal of capturing card information when users enter it into the checkout pages. Like with POS systems, this targets a step in the transaction chain where the data is not protected, before it gets sent to the payment processor through an encrypted channel or before it’s encrypted and stored in the site’s database.

Web skimming has affected hundreds of thousands of websites to date, including high-profile brands such as British Airways, Macy’s, NewEgg and Ticketmaster.

How to protect yourself against software payment card skimmers

Consumers can’t do much to directly prevent such compromises because they don’t control the affected software, whether that’s the software in POS terminals or code present on e-commerce websites. It’s the responsibility of the merchants and their technology vendors to provide a safe shopping experience, but consumers can take some actions to reduce the risk their own cards will be exposed or to limit the impact if a compromise does happen:

• Monitor your account statements and turn on transaction notifications if offered by your bank. The sooner you discover fraudulent transactions and can replace your card, the better.
• Enable out-of-band authorization for online transactions if available. The revised Payments Services Directive (PSD2) in Europe requires banks to challenge online card transactions with second-factor authorization through mobile apps and other means. The deadline for complying with the new requirement has been extended, but many European banks have already implemented the security mechanism. It is likely that financial institutions in the US and other countries will also adopt out-of-band transaction authorization in the future or at least offer it as an option.
• Use virtual card numbers for online shopping if your bank offers them or pay with your mobile phone. Services like Google Pay and Apple Pay use tokenization, a mechanism that replaces the real card number with a temporary number that is transmitted to the merchant. This means your real card number is never exposed.
• Pay with an alternative online wallet service such as PayPal that doesn’t require you to input your payment card details directly into the checkout page of the site you’re shopping on. You can also choose to only shop on websites that redirect you to a third-party payment processor to input your card details instead of handling the data collection themselves.
• Since web skimming involves malicious JavaScript code, endpoint security programs that inspect web traffic inside the browser can technically detect such attacks. However, web-based malware is often obfuscated and attackers continually change it. While it’s always good to have an up-to-date antivirus program installed, don’t expect that it will detect all web skimming attacks.
• Even though some big retailers and brands have fallen victims to web skimming, statistically these attacks tend to affect small online merchants more, because they don’t have the resources to invest in expensive server-side security solutions and code audits. From a consumer perspective, the risk is probably lower when shopping from large and well-established websites.