New York City commuters — who aren't easily shocked — discovered today that someone had installed a credit card skimmer at a subway card vending machine in the city's busy 59th Street/Columbus Circle station.
According to the Metropolitan Transportation Authority (MTA), "an unidentified customer noticed the device, removed it from the machine and brought it to the station agent on duty. The New York Police Department is investigating the device."
This isn't the first instance of a credit card skimmer showing up at a vending machine, of course: The Federal Trade Commission (FTC) estimates that 9 million Americans have their identity stolen every year due to these or similar kinds of scams. The ease with which skimmers operate, however, raises several questions about the security of credit- and debit-card transactions. [7 of the Greatest Scams Ever]
How skimming works
Skimming uses a few James Bond-esque devices to capture an unsuspecting consumer's card data. First, the thief inserts a phony card reader into the slot where you would normally slide your card in the vending machine.
In the case of gas pump skimming, thieves simply unlock the gas pump's front panel (most pumps use an easily-copied universal key), remove the original electronic card reader and insert their own card reader in its place. The gas station attendants might not even know when a skimmer has been installed.
But scam artists still need to know your PIN number to steal your funds, so they also install a small, discreet camera nearby to watch you enter your not-so-secret number. Scammers can disguise the camera to look like an electrical outlet or other device, or they may hide it in a brochure rack.
Some thieves will skip the camera and install fake keypads that can store your PIN number (or, in the case of credit cards, your ZIP code). Several days later, the scammers will return to the vending machine to retrieve their equipment, which by then will contain information from dozens, perhaps hundreds, of cardholders.
But in another "improvement" on skimming equipment, some thieves will install wireless Bluetooth-enabled skimmers, which means the thieves do not have to retrieve their equipment.
"They just need to be within 30 feet [9 meters] of the skimmer, so one guy can go in to buy a Slurpee and distract the clerk while his partner sits in their car near the pumps downloading all of the stolen card data," Al Pascual, senior analyst of security risk and fraud at Javelin Strategy & Research, told Consumer Reports.
Once scam artists have your PIN and debit card info, they can make a fake debit card and use it anywhere to buy almost anything.
How to outwit skimmers
Consumers can take several steps to protect themselves against credit or debit card skimming. First, be wary of any vending machine equipment that appears to be rigged: Keypads may be an unusual color or texture; card readers may feel shaky or will "snag" when used, or the plastic may look or feel cheap.
When entering your PIN number or ZIP code, cover the keypad with your other hand, or lean over the keypad to block it from view. In all cases, consumers should keep tabs on their debit and credit card transactions, and immediately report any suspicious activity to their banks.
And to completely thwart skimmers, consider paying with good old-fashioned cash.