We’re not talking about water bugs, tools to clean your
pool, or skipping rocks. These skimmers steal your financial identity. The news
had reported that skimmers were discovered on a local gas station’s pumps. This
particular station consistently has problems with pump maintenance and just the
overall condition of the pumps seems to be “beat up”. It was not a surprise that skimmers had
been installed. Not that the owners had any involvement, but meaning that the
owners/operators are not paying attention to the condition of the pumps. Or
what is going on at the pumps. This station is also known to allow third party
vendors to sell their goods on the lot and accost customers at the pumps. Big
personal security peeve-Do not approach me while I’m using a gas pump or ATM.
These little things add up and go back to not being surprised. The condition
and environment of a business can be both a determent and invitation to
criminals.
Not everyone may know exactly what a skimmer is or the
extent of the problem. I thought some background might help us from becoming
victims. A little education goes a long way.
Skimmers
So what are skimmers?
Credit card skimmers or skimmers are electronic devices that are
attached to machines with credit card slots. Mostly ATM’s or gas pumps. The
parasite device usually fits over top of the original slot so that the customer
believes they are inserting their card into the machine’s card slot. When in
reality the card is swiping through the criminal’s device. The device retrieves
the credit card data from the magnetic strip and stores it until the criminal
retrieves the device. Newer, more sophisticated devices attach internally to
the machine’s card slot or transmit the data via Bluetooth.
Although criminals can make use of debit card information,
it is much easier with the associated PIN. To gather this information there
will also be a camera attached somewhere to video the customer entering the PIN
on the keypad. Or a fake keypad accompanies the slot reader and records the keystrokes.
Most times the operation of the machine is not affected. If the machine fails
to work, you may have already become a victim.
History of skimmers
The idea of the use of credit card skimmers was mostly urban
myth. In the late 1990’s, we were just getting use to personal computers, let
alone tiny devices that could steal data from a magnetic strip. Nobody believed
that such things existed or could work.
The skimmer myth also gained notoriety in restaurants. Wait
staff would be issued a small skimming device to carry with them. They covertly
slide the card through the device to collect the data from the magnetic strip
on the way to cash register. The device holds all of the data until the end of
the shift when they pass off device and are paid for their efforts. The victims
then start seeing charges on their cards.
If you think about it, a restaurant is the only place you
hand a stranger your credit card and let them walk out of sight.
Here is a synopsis:
2002- A CBS report confirmed the existence of skimmers
when they reported devices that could record the names, account numbers and
other identifying information from credit card magnetic stripes.
2008-Naples Police Department investigated a
rudimentary device jammed over an ATM's actual reader. The thief inserted a
"micro camera" under a plastic sheet to capture the victims' keypad
strokes. This was one of the first times
a device had been recovered.
2009-Skimming really takes off as the devices, in
different shapes and sizes began being discovered on ATM’s.
Over
the next few years the technology progressed. The Internet allowed for
distribution networks to manufacture devices and kits that were identical to
the machine the criminal hoped to crack.
2011-ATM
manufacturers began cracking down on skimming by installing anti-skimming devices
on their machines. These consisted of translucent, circular casings over the
card reader, which the criminals quickly learned to replicate.
2012-Skimmers become too small to be detected. Some
being paper thin and inserted into the card slot.
2013-Gas pumps became targets. A series of scams in Oklahoma saw
thieves take home $400,000 from a chain of Murphy's gas stations before they
were eventually caught. The thieves used a card skimmer and fake PIN pad
overlay to obtain the necessary information. Even more eye opening, these
skimmers used Bluetooth enabled devices that sucked power from the pumps
themselves allowing them to run indefinitely,
and allow remote access to the data. ; once it was installed, the
thieves would never need touch the skimmer again.
How it works
The devices used come in all shapes and sizes. Most fit over
the card slot. Some actually are big enough to replace the machine face. The
closer to resembling the original card slot the less chance of being detected.
Home 3D printers are making these deceptions a lot easier. As with everything
else electronic, these devices are getting smaller everyday. Some skimming
devices are so small and thin, they slide inside of the card slot itself. Newer
devices attach to the internal wiring of the card slot. These are mostly used
on gas pumps. How do criminals get inside the pumps you ask? Universal keys are
available that open the pump faces exposing the card readers. The criminal will
have one or more accomplices to block camera/attendant views while they install
the device. Victims never know what hit them.
Once collected, the numbers are used in different ways
depending on the criminal. Some are sold on the Internet for around $50 a piece
(+/-). Some criminals use the
collected numbers to make counterfeit cards, which they use to purchase items,
usually electronics, for resell. (Similar to Melissa McCarthy in the movie
Identity Thief) The more advanced organizations use the cards to purchase gas.
They drive around in specially outfitted passenger vehicles filling up covert
gas tanks. This gas is then off loaded into tanker trucks and sold to less than
scrupulous gas stations.
There are thousands of iterations of card skimmers. If you’d
like to see what they look like just search “credit card skimmers” in Google
images.
Protection
Criminals and the technology they use are getting more
sophisticated. The Internet provides enough intelligence that consumers can
protect themselves. But criminals are sharing information as well. Once law
enforcement or consumers defeat one strategy, criminals learn and improve their
methods. So what can you can do.
Some gas stations are installing seals to cover the seams
that hold the payment box. A broken seal is obvious, but multiple seals overlaid
is a clue and, of course, enterprising thieves can replicate seals. Another
clue can be the condition of the machine in which you are about to slide your
card. If the payment box area is not maintained or appears to have been forced open, be
wary. Inspect the card slot. Give it a tug. If anything is out of sorts or the
slot comes off in your hand report it to the station and the police.
If your transaction attempt doesn’t work, don’t keep trying.
Stop and perform an inspection. The skimmer may be causing a malfunction.
Some habits to get in to help protect your card security:
- Use Pumps/ATMs near attendants. Less chance they were
compromised.
- Pay inside
- Pause before you swipe, inspect car slot, look for security
seal
- Feel for difficulty inserting or sliding card
- Wiggle slot housing. Don’t have to break it. Criminals
aren’t going to install anything that takes time or is permanent
- Check nearby pumps, compare slots for differences
- Guard the card number
- Use Apple/Samsung/Android pay whenever possible
- Check accounts regularly
Any suspicions report to the business owner, the police, and
the issuing bank.
This post focused mainly on gas pumps. Another area of
concern is the new style parking meters that allow you to swipe at the meter.
Seems like easy targets. Get back to you on those.
Please feel free to share. See the blog archive for more articles on personal
security
