Card skimming at automated teller machines (ATMs) is one of the most "significant problems facing the credit-card industry" today, according to an advisory bulletin posted online by the U.S. Secret Service.
When you go to take a few bucks out of the ATM, the last thing you want to worry about is some bad guy getting hold of your checking or savings account information and your personal identification number (PIN).
If that does happen, and you're a consumer in the United States, you'll be reimbursed for money stolen as a result, as long as you report the theft to the bank as soon as possible. Business customers, protected by less regulation, may have a harder time recouping their losses.
Washington, D.C.-based security expert Brian Krebs, author of the Krebs on Security blog, said that in 2008 — the last year for which the Secret Service released relevant figures — estimated annual losses to ATM fraud were about $1 billion. Those totals are almost certainly higher today.
How ATM skimmers work
Like a legitimate card reader, an ATM skimmer captures the card's data, including the account number associated with the card.
"The typical ATM skimmer is a device that fits over the top of a card acceptance slot, and in some cases inside the card acceptance slot," said Krebs. It extracts "the information stored in the magnetic stripe on the back of the card," he said.
"It may actually be built into the card overlay device," Krebs said. "It might be a little hidden camera pointing toward the PIN pad, or [the scammers] will put a hidden camera directly above or to the side of the PIN pad, pointing down at it."
But Krebs said there's another type of PIN capture device to be aware of — one that's even sneakier than a typical skimmer-linked camera.
"That's a PIN pad overlay," he said, referring to a flexible piece of circuit-embedded plastic that fits perfectly over the ATM's genuine PIN pad.
"Those are quite a bit harder to detect," Krebs said. "The overlay itself is the entire bottom panel, and it records your PIN presses and passes [them] on to the machines underneath."
Wireless data exfiltration
Skimmers use different communications technologies to get the stolen data to the card thief. The most basic skimmer has at least one battery-powered flash-memory storage device somewhere in it.
"The thief has to come back and retrieve that device in order to get the stolen data," Krebs said.
Yet, as with many other technologies, ATM skimmers are going wireless.
"Bluetooth … is increasingly common in some of these skimmers," Krebs said. It "can transmit anywhere from a few dozen to a few hundred meters away from the ATM, so the thief could be across the street in a hotel, or in the parking lot in a car, and they don’t have to retrieve the device," he added.
Some skimmers even contain small cellular-network chips, and can send text messages to the thieves' mobile phones. That way, the criminal behind the skimmer can be anywhere in the world whenever a new card is swiped.
Once all the necessary data is captured, the stolen information is sold in criminal bazaars, and then imprinted on counterfeit credit or debit cards and used anywhere in the world — until the card-issuing bank catches on.
How to stay safe from ATM skimmers
How do you stop the bad guys from capturing your PIN? If you're confronted by a hidden camera, it's pretty simple: Cover your hand when you enter the number sequence on the PIN pad.
However, that technique won't work against a PIN-pad overlay, Krebs said, adding that thieves don't often use PIN-pad overlays because they're very expensive.
Krebs said you have a greater chance of being the victim of an ATM skimmer on the weekend than during the week, because criminals typically install their devices on Saturdays or Sundays after banks have closed. They don't want savvy customers finding their skimmers and alerting bank employees immediately.
Here are five ways to make sure you're not a victim of ATM skimmers.
1. Look around the ATM vestibule for places where a scammer could hide a tiny camera, such as a brochure rack, Krebs said.
2. Take a close look at the keypad. Try to see if there is a fake overlay on top of it. Maybe the keypad looks thicker than usual. You probably won't be able to detect the really top-notch PIN-pad overlays, but it doesn't hurt to check.
3. Look over the entire ATM for parts that don't match in styling, color or material. Krebs said scammers sometimes place a fascia (a large form-fitting mold) over the business area of the original ATM. The fascia will contain the skimmer and camera.
4. Try to jiggle the card reader. If it moves, so should you — to another ATM.
5. Cover your hands when you enter your PIN. It's one of the easiest and most effective ways to protect yourself from an ATM scammer's hidden camera.
The best way, however, can't be taught.
"It helps to trust your gut," Krebs said. "If you see something that doesn't look right, consider going to another ATM."