Beware the ATM Skimmer Scam

Category: Finance

One of the biggest threats to financial networks is not malware, phishing, or denial-of-service attacks. It’s “ATM skimming,” the illegal capture of debit card data including PIN numbers by a “skimmer” device inserted into an ATM. Here's what you need to know...

How Does ATM Skimming Work?

It is estimated that ATM skimmers result in losses of over $2 billion each year. And the number of ATMs compromised by skimming increases 40% annually, according to the FICO Card Alert Service which monitors hundreds of thousands of ATMs for the nation’s banks.

The NY Times reported this week the arrest of Marcus Catalin Rosu, a Romanian national who had been the subject of a years-long investigation into a skimming scheme that netted hundreds of thousands of dollars. After attracting the attention of police through an altercation with an airport car rental agent, Rosu was found with about a thousand blank magnetic strip cards and other ATM skimming components. But Rosu is just one of many players in the skimming underground.

Skimmer devices have improved dramatically in recent years. A modern skimmer may be little thicker than a debit card, and slips invisibly into the same slot into which you slide your card. Some are installed as overlays on the card reader slot. Inside is a tiny computer, magnetic stripe reader, and storage device. When an unsuspecting victim uses the ATM, the skimmer reads the card’s critical data from the stripe.

And even if you have one of the newer cards with a chip built in, you could still be affected. According to Brian Krebs of Krebs on Security, "many chip-based cards issued by American and European banks alike still have cardholder data encoded on a magnetic stripe in addition to the chip."

ATM skimmer scams

Fortunately, consumers are rarely the ones who absorb skimming losses - directly, that is. Under the Electronic Funds Transfer Act (a 93-page PDF), consumers are generally not liable for funds stolen from their bank accounts via frauds such as skimming, as long as they report the losses within 60 days of their occurrence. Financial institutions take the hit directly -- but of course, they seek to recoup their losses from customers in other, legal ways. That estimated $2 billion in losses will result in higher fees and interest rates, which are passed along to consumers.

Capturing card data is only part of the fraud formula; the thief also needs your PIN. So tiny cameras are sometimes installed unobtrusively near the ATM’s keypad to record the buttons you press. Newer skimming devices incorporate infrared transmitters to send the captured data to the camera, so both your PIN and the card data can be captured. Some skimmer scammers even use overlays on the keypad, to capture your PIN.

Many ATMs now have plastic shields around their keypads, and banks urge you to cover the keypad with your hand while entering your PIN, even if no one is looking over your shoulder. I've always used the "two finger method" for entering my PIN number at the ATM. Point two fingers at the keypad, but only press with one. This makes it impossible for hidden cameras or anyone nearby to see what numbers you actually press.

How Are ATMs Protected?

Bank-owned ATMs are usually rigorously policed by the banks themselves. They send out inspectors to check ATMs for skimmers. But non-bank ATMs, such as the standalone machines found in convenience stores, are not so vigilantly policed. FICO reports that 60% of skimmer-compromised ATMs are non-bank machines. So you may want to avoid them to reduce your chance of being skimmed.

Unfortunately, we live in a world where financial scams are becoming ever more common. My article 10 Tips for Identity Theft Protection will give you practical tips you can use to protect yourself from financial scams at home, in public places and online.

You should be especially careful when using non-bank ATM machines in tourist locations. Security researcher Brian Krebs wrote a fascinating article, Who’s Behind Bluetooth Skimming in Mexico? which details how ATMs in popular Mexican tourist destinations are being hacked. But the problem isn't limited to the withdrawal of cash at automated teller machines. Point of sale terminals at gas stations and other retail locations that aren't under constant surveillance can also be compromised. Any time you swipe your card, you should be wary.

So-called chipped cards are not invulnerable to skimming yet. Many U.S. merchants have not upgraded their card readers to use this enhanced security, so chipped cards still have the magnetic strips that skimmers can read. Banks can hardly wait for all card readers to be upgraded so that the magnetic strip can finally be eliminated. Many are offering merchants incentives and penalties to push them into this upgrade.

Telltale signs that an ATM may harbor a skimmer include a card slot housing that seems loose or wiggly; glue around the housing; and unusual difficulty inserting your card. If you stick to using just a few bank ATMs, anything unusual that appears in them will be more readily apparent to you.

Sixty Days or Six Hundred Dollars?

With skimming skyrocketing, your best defense is to monitor your bank accounts for unusual activity regularly, and report any unauthorized transactions well within the 60-day time limit. Even though the law protects you against losses due to fraud, you may find yourself out some serious money for a few days or weeks while your bank processes your fraud claim. The average amount of money lost per skimmed card is $600, according to FICO. That’s not chump change for most of us.

Have you or someone you know been skimmed by the scum that schemes to scam, as you withdraw funds from an ATM? Your thoughts on this topic are welcome. Post your comment or question below...

Ask Your Computer or Internet Question

  (Enter your question in the box above.)

It's Guaranteed to Make You Smarter...

AskBob Updates: Boost your Internet IQ & solve computer problems.
Get your FREE Subscription!


Check out other articles in this category:

Link to this article from your site or blog. Just copy and paste from this box:

This article was posted by on 21 Jul 2020

For Fun: Buy Bob a Snickers.

Prev Article:
[PRIVACY] Are You Over-Sharing?

The Top Twenty
Next Article:
Geekly Update - 22 July 2020

Most recent comments on "Beware the ATM Skimmer Scam"

Posted by:

21 Jul 2020

Some bank ATMs and some gas station brands let you use their smartphone app to get a one time code rather than inserting your card. I regularly go to a gas station where I tell my app the pump number and it authorizes the pump. I get a one time code from the app that I then have to put in. And my bank has something similar.

Posted by:

21 Jul 2020

This is a very timely article, but the skimming scam goes far beyond ATM machines.

Self-serve gas pumps and vending machines are notorious for having skimmers affixed to the keypads.

Recently, a skimmer was installed inside a CVS pharmacy on self-service checkout card reader.

I expect we will soon be finding these skimmers inside grocery stores, big box stores, or anywhere we find unattended credit card processing equipment.

There has never been a better time to return to using our credit cards only at cash registers with a live clerk present!

Posted by:

21 Jul 2020

Over ten years ago,I used to have my AMEX card linked to my bank account to get cash anywhere I traveled.One evening at a nightclub,I decided to get some cash from a ATM and withdrew $60.

A week later,I was called by my card company that my card account was being used fraudulently.Right away,the service rep cancelled that card and had a new one issued.I thought about what had happened and remembered the cash withdrawal.When I got my new card,I decided to discontinue the ATM option for my account.I figured the ATM I used was compromised by some skimmer scheme and considered myself lucky it wasn't worse.

Posted by:

21 Jul 2020

Another issue, and it has happened to me, is stealing credit card information via a wireless skimmer. I have read that "The signal emitted from the card can be read at a distance of up to three feet, but equipped with an antenna that can magnify the signal, RFID signals can be read from a distance approaching five feet." I now keep all my cards in RFID blocking sleeves.

Posted by:

d rbodz
21 Jul 2020

Why is it that whenever I read an article about skimmers or see a TV story on skimmers they never feature pictures that would help us identify a compromised card reader?

Posted by:

21 Jul 2020

Bob --


On my last visit to a drug-store (in California it has many meaning, this is the kind that sell MANY different kinds of medicine, not the kind that sells a single category of a plant based herbal medicine).

Because of SARS-CoV-2 and COVID-19, they don't allow me to key-in my 'pass-code' to keep contamination behind their counters as clean as they can. They also encourage use of Check, near exact cash-change, or Bank Debit-Credit cards because they are 'cleaner' than passing a presumed 'hot' item across the sneeze (splash) guard.

I was astounded that when I gave my bank-card (Debit-Credit) to pay for my meds, the clerk simply swiped it, tapped 'credit' rather than 'Debit', signed FOR me, and handed me back my Bank-card while wearing gloves.

The point being that NO PIN was required, simply tapping 'credit' rather than debit allowed for the clerk to 'sign' for me (i.e. "Doc by Michell") and it went through. Plus if I don't make X purchases a month with my debit card, I get charged $10 for a 'service' fee on my checking account.


Thanks Bob!

Posted by:

Bob K
21 Jul 2020

If the skimmers generally work by reading the magnetic strip on cards, and most legitimate readers read the chip, would it be beneficial to erase the mag strip? Rubbing a magnet on it should do wonders.

Posted by:

21 Jul 2020

Bob, You've got to stop with the large flashing hot pink ads. Keep it up and you lose a long time supporter.

EDITOR'S NOTE: Everyone sees different ads, and I don't control which ones appear. There's nothing I can do, sorry.

Posted by:

michael mclaughlin
21 Jul 2020

We need an organization that can go after internet thieves. Right now you rarely get caught. It will only get worse when the bad people keep believing they will never get caught. How about a bounty? You know, dead or alive kind of poster.

Posted by:

Bob K
21 Jul 2020

John: What am I doing wrong? I don't see any flashing hot pink ads.

I'm running Firefox on the latest Ubuntu, and don't think I set anything up to block ads.

If you see them in the email, again nothing obnoxious there. That is Thunderbird. Yes, there are ads, but they sit quietly along the right edge.

Posted by:

Emily Booth
21 Jul 2020

Brian Krebs, at his website, has photos of what skimmers look like.

There is video of a customer at Target who installed a skimmer at the check out lane because the cashier wasn't looking.

My brother's bank had a skimmer installed on their drive thru ATM.

Posted by:

22 Jul 2020

If there is a person or a camera observing you enter your PIN, Bob's two-finger method does not help much. Instead of thousands of possibilities, guessing the PIN will then require the thief to try a maximum of just 16 combinations of the pairs you chose for your two-finger presses. The odds are 2 x 2 x 2 x 2. So it only hinders thieves if a certain number of failed attempts, even when spread perhaps over 2 or 3 other ATM locations, will cause the account to get locked. Though the assets may be protected in such a case, it still results in some inconvenience for you the cardholder.

Posted by:

22 Jul 2020

I have been aware of skimmer devices for many years and every time that I use my card, whether it be at an ATM, at the fuel pumps, or any place that uses a card reader, I always grab it and give a pull/wiggle. To my understanding, they are all inserted into the card slot and with a little tug they can pop right out. I have yet to find one and in the event that I do I will immediately call the police to let them deal with it.

Post your Comments, Questions or Suggestions

*     *     (* = Required field)

    (Your email address will not be published)
(you may use HTML tags for style)

YES... spelling, punctuation, grammar and proper use of UPPER/lower case are important! Comments of a political nature are discouraged. Please limit your remarks to 3-4 paragraphs. If you want to see your comment posted, pay attention to these items.

All comments are reviewed, and may be edited or removed at the discretion of the moderator.

NOTE: Please, post comments on this article ONLY.
If you want to ask a question click here.

Free Tech Support -- Ask Bob Rankin
Subscribe to AskBobRankin Updates: Free Newsletter

Copyright © 2005 - Bob Rankin - All Rights Reserved
Privacy Policy     RSS/XML

Article information: AskBobRankin -- Beware the ATM Skimmer Scam (Posted: 21 Jul 2020)
Copyright © 2005 - Bob Rankin - All Rights Reserved