Beware the ATM Skimmer Scam
One of the biggest threats to financial networks is not malware, phishing, or denial-of-service attacks. It’s “ATM skimming,” the illegal capture of debit card data including PIN numbers by a “skimmer” device inserted into an ATM. Here's what you need to know...
How Does ATM Skimming Work?
It is estimated that ATM skimmers result in losses of over $2 billion each year. And the number of ATMs compromised by skimming increases 40% annually, according to the FICO Card Alert Service which monitors hundreds of thousands of ATMs for the nation’s banks.
The NY Times reported this week the arrest of Marcus Catalin Rosu, a Romanian national who had been the subject of a years-long investigation into a skimming scheme that netted hundreds of thousands of dollars. After attracting the attention of police through an altercation with an airport car rental agent, Rosu was found with about a thousand blank magnetic strip cards and other ATM skimming components. But Rosu is just one of many players in the skimming underground.
Skimmer devices have improved dramatically in recent years. A modern skimmer may be little thicker than a debit card, and slips invisibly into the same slot into which you slide your card. Some are installed as overlays on the card reader slot. Inside is a tiny computer, magnetic stripe reader, and storage device. When an unsuspecting victim uses the ATM, the skimmer reads the card’s critical data from the stripe.
And even if you have one of the newer cards with a chip built in, you could still be affected. According to Brian Krebs of Krebs on Security, "many chip-based cards issued by American and European banks alike still have cardholder data encoded on a magnetic stripe in addition to the chip."
Fortunately, consumers are rarely the ones who absorb skimming losses - directly, that is. Under the Electronic Funds Transfer Act (a 93-page PDF), consumers are generally not liable for funds stolen from their bank accounts via frauds such as skimming, as long as they report the losses within 60 days of their occurrence. Financial institutions take the hit directly -- but of course, they seek to recoup their losses from customers in other, legal ways. That estimated $2 billion in losses will result in higher fees and interest rates, which are passed along to consumers.
Capturing card data is only part of the fraud formula; the thief also needs your PIN. So tiny cameras are sometimes installed unobtrusively near the ATM’s keypad to record the buttons you press. Newer skimming devices incorporate infrared transmitters to send the captured data to the camera, so both your PIN and the card data can be captured. Some skimmer scammers even use overlays on the keypad, to capture your PIN.
Many ATMs now have plastic shields around their keypads, and banks urge you to cover the keypad with your hand while entering your PIN, even if no one is looking over your shoulder. I've always used the "two finger method" for entering my PIN number at the ATM. Point two fingers at the keypad, but only press with one. This makes it impossible for hidden cameras or anyone nearby to see what numbers you actually press.
How Are ATMs Protected?
Bank-owned ATMs are usually rigorously policed by the banks themselves. They send out inspectors to check ATMs for skimmers. But non-bank ATMs, such as the standalone machines found in convenience stores, are not so vigilantly policed. FICO reports that 60% of skimmer-compromised ATMs are non-bank machines. So you may want to avoid them to reduce your chance of being skimmed.
You should be especially careful when using non-bank ATM machines in tourist locations. Security researcher Brian Krebs wrote a fascinating article, Who’s Behind Bluetooth Skimming in Mexico? which details how ATMs in popular Mexican tourist destinations are being hacked. But the problem isn't limited to the withdrawal of cash at automated teller machines. Point of sale terminals at gas stations and other retail locations that aren't under constant surveillance can also be compromised. Any time you swipe your card, you should be wary.
So-called chipped cards are not invulnerable to skimming yet. Many U.S. merchants have not upgraded their card readers to use this enhanced security, so chipped cards still have the magnetic strips that skimmers can read. Banks can hardly wait for all card readers to be upgraded so that the magnetic strip can finally be eliminated. Many are offering merchants incentives and penalties to push them into this upgrade.
Telltale signs that an ATM may harbor a skimmer include a card slot housing that seems loose or wiggly; glue around the housing; and unusual difficulty inserting your card. If you stick to using just a few bank ATMs, anything unusual that appears in them will be more readily apparent to you.
Sixty Days or Six Hundred Dollars?
With skimming skyrocketing, your best defense is to monitor your bank accounts for unusual activity regularly, and report any unauthorized transactions well within the 60-day time limit. Even though the law protects you against losses due to fraud, you may find yourself out some serious money for a few days or weeks while your bank processes your fraud claim. The average amount of money lost per skimmed card is $600, according to FICO. That’s not chump change for most of us.
Have you or someone you know been skimmed by the scum that schemes to scam, as you withdraw funds from an ATM? Your thoughts on this topic are welcome. Post your comment or question below...
This article was posted by Bob Rankin on 21 Jul 2020
|For Fun: Buy Bob a Snickers.|
[PRIVACY] Are You Over-Sharing?
The Top Twenty
Geekly Update - 22 July 2020
Post your Comments, Questions or Suggestions
Free Tech Support -- Ask Bob Rankin
Subscribe to AskBobRankin Updates: Free Newsletter
Copyright © 2005 - Bob Rankin - All Rights Reserved
Article information: AskBobRankin -- Beware the ATM Skimmer Scam (Posted: 21 Jul 2020)
Copyright © 2005 - Bob Rankin - All Rights Reserved