What is Credit Card Skimming and How Does it Work?

  • By David Lukic
  • Published: Nov 09, 2020
  • Last Updated: Mar 21, 2023

You may or may not know what credit card skimming is and how it works, but you should. Credit card skimming is when thieves install skimming devices on ATMs or gas pumps that grab your credit or debit card information as you swipe. More than $1 billion is lost to credit card skimmers each year.

How Does Card Skimming Work?

Card skimming devices can be very sophisticated, so you don’t even notice, but they can grab your full debit/credit card number along with PINs and take over your bank account before you know what hit you.

First, thieves install card skimmers over the real card readers to harvest and save your information. Then they use 3-D printed keyboards (overlaying the real keyboard) to record your PINs, and that’s all they need to start spending.

Most U.S. credit card skimming devices target the magnetic strip on the back of the card. Even cards with a chip also have the magnetic strip as a backup. In Europe, however, they have made the full transition, but criminals have kept up and focused on EMV cards and chips.

In some cases, malware or other software is installed onto the card reader or gas pump. Malware on card readers is how the Target and Home Depot data breaches occurred, capturing millions of users’ credit cards.

It’s not just the number pads and scanners you need to be wary of. Some skimming devices record your PIN codes with cameras and others save your touchpad inputs. Skimming can happen anywhere, but these strategies are often used at gas stations. The separation between the gas pump and checkout desk lets criminals install their devices more easily.

What is Credit Card “Shimming?”

Thankfully, most American criminals haven’t stepped up their technology game just yet. However, another version of card skimmers is called shimmers, and they can bypass the extra security of chip-enabled cards.

Shimming attacks chip readers in addition to the magnetic stripes. These are far less common than traditional skimmers, though.

It works by putting a small device known as a “shim” into a checkout chip reader. The shim uses a microchip to collect chip information before feeding it into the legitimate payment device. This allows the payment process to happen as usual and doesn’t tip anyone off that their data was stolen.

Additionally, because shims must be thin enough to fit into chip readers, they are far more challenging to detect than traditional skimming attacks. To make matters worse, installing a shim is as easy as inserting a special card into the chip reader and making a payment.

Discovering a shim is nearly impossible unless someone routinely takes apart point-of-sale (POS) machines. One of the only ways for individuals to protect themselves from a well-placed shim is to wiggle their card as it slides in. This allows them to roughly feel if there are any obstructions in the slot.

Bluetooth Credit Card Skimming

Some more sophisticated skimming gadgets allow the bad guys to sit in their car (up to 100 feet away) and hack your credit card number from there. This crime is called bluesnarfing because it uses Bluetooth technology.

It’s common for Bluetooth skimming strategies to disable a payment terminal’s compatibility with chip-based cards. The criminal may physically obstruct the chip reader or tamper with it, so it always returns an error.

This forces customers to swipe the less secure magnetic stripe, which is still widely used for backward compatibility purposes.

Aside from the automatic transfer, bluesnarfing is the same as traditional skimming. The compromised machine captures the card information and sends it to a nearby connected phone or laptop. If you keep a careful eye out, then you’ll probably notice signs of tampering or other suspicious details.

Gift Card Skimming

Skimming attacks aren’t restricted to debit and credit cards. Any card with a magnetic strip or chip is in danger. This includes reloadable cards, gift cards, and prepaid cards, which aren’t tied directly to a bank or lender and have untraceable purchase histories.

Non-traditional cards often have more lax security features, making them even easier for criminals to break into. Their short-term use incentivizes businesses to cut corners on safety, especially on gift cards. Embedding more secure EMV chips onto gift cards increases production costs and would force retailers to charge more than they’re worth. 

For example, a $20 gift card would retail for $22. Who would buy that? 

These factors make gift cards a prime target for skimming schemes. It also helps that people tend to go long stints of time without using their gift cards and won’t notice their money was stolen.

The process is ultimately unchanged. Criminals install an overlay that captures a card’s magnetic stripe information. They then create a duplicate card to use until the balance runs out. According to the FTC, about $75 million was lost in 2019 from gift card scams.

This type of skimming is a big problem since cardholders have so few options for chargebacks after fraud. The Fair Credit Billing Act doesn’t protect cards that can’t harm the holder’s credit. Victims may only dispute fraudulent charges if they registered the card with their personal information and there’s an overseeing agency.

Luckily, card institutions like Mastercard, Discover, and Visa offer customer service and protections on their prepaid offerings. These cards often charge extra fees per use based on “how and when funds are loaded,” so businesses have a stake in upholding customer satisfaction.

Can Businesses and Banks Detect Cloned Cards?

Banks spend hundreds of millions a year on fraud detection and cybersecurity. So, surely, they must have ways to catch duplicate cards before criminals can do too much damage.

It might be possible for tellers to notice a fake card, but criminals don’t make a habit of handing fakes to trained employees. They use the clones at random ATMs and businesses with the least danger of getting caught.

Rather than physically inspecting each card, businesses need a way to detect fakes automatically. The most significant step toward this goal was the introduction of the EMV (Europay, Mastercard, and Visa) chips. Criminals can’t copy a chip’s encryption like they can for a magnetic stripe.

However, this security measure is also easily circumvented by only shopping at stores that allow both swipe and chip payments. So, card readers need a way to detect fakes using only the magnetic stripe data.

Researchers in Florida have noticed patterns in cloned cards that could allow even the most basic card readers to detect fakes. They saw that legitimate card data was always written in highly consistent patterns. This is a given since real cards are manufactured in official facilities.

On the other hand, cloned cards are cheap imitations made with less-than-steady machinery. So, the data bits are scattered much more haphazardly. These poorly made clones pass muster because modern card readers only read the data on the card rather than how neat the pattern of data bits is.

Making card readers check the uniformity of digital bit patterns in a magnetic stripe will go a long way in detecting counterfeits. The biggest obstacle in the way is America’s reluctant and sluggish uptake of new security measures.
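
An added example, not code from this article or from the researchers it mentions: one way a reader could score stripe uniformity, assuming it can measure the time between flux transitions and that the stripe uses standard F2F encoding (a 0 is one full-length interval, a 1 is two half-length intervals). The threshold, noise levels and sample swipes are constructed for illustration.

```python
import math
import random

JITTER_THRESHOLD = 0.05  # assumed cut-off for illustration, not a published value


def swipe_intervals(bits, noise, seed, base=100.0, ramp=0.002):
    """Constructed sample data: F2F flux-transition intervals for `bits`."""
    rng = random.Random(seed)
    out = []
    for i, bit in enumerate(bits):
        cell = base * (1 + ramp * i)          # the swipe slows down gradually
        parts = [cell / 2, cell / 2] if bit else [cell]
        out += [p * (1 + rng.uniform(-noise, noise)) for p in parts]
    return out


def stripe_jitter(intervals, alpha=0.2):
    """RMS relative deviation of each interval from its ideal length."""
    cell = sum(intervals[:8]) / 8             # leading zeros set the clock
    sq = 0.0
    for d in intervals:
        full = d / cell > 0.75                # full cell (0) or half cell (1)
        ideal = cell if full else cell / 2
        sq += ((d - ideal) / ideal) ** 2
        # Track swipe speed so a slow or fast swipe is not mistaken for jitter.
        cell += alpha * ((d if full else 2 * d) - cell)
    return math.sqrt(sq / len(intervals))


def looks_cloned(intervals):
    """Flag a swipe whose bit spacing is too irregular for a factory card."""
    return stripe_jitter(intervals) > JITTER_THRESHOLD


# Constructed track: 12 clocking zeros, then an arbitrary repeating bit pattern.
BITS = [0] * 12 + [1, 1, 0, 1, 0, 0, 0, 1, 0, 1, 1, 0] * 8
GENUINE = swipe_intervals(BITS, noise=0.02, seed=1)   # evenly written stripe
CLONE = swipe_intervals(BITS, noise=0.15, seed=2)     # unevenly written stripe

if __name__ == "__main__":
    for name, swipe in (("genuine", GENUINE), ("clone", CLONE)):
        print(f"{name}: jitter={stripe_jitter(swipe):.3f} "
              f"cloned={looks_cloned(swipe)}")
```

Both sample swipes decode to the same bits, which is why a reader that only checks the decoded data accepts either one; only the spacing score separates them.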

A more tried method for detecting fraudulent activity is comparing recent card activity to a cardholder’s buyer profile. Companies create a database for every customer that predicts how that customer will spend their money. If their spending habits start to deviate too far from those predictions, then a flag is set off, alerting the cardholder of possible fraud and identity theft.

How to Avoid a Credit Card Skimmer

When approaching an ATM before using it, look for loose parts or signs of tampering. Pay close attention to the card reader area. Does it look too big, out-of-place, or discolored? Is the keyboard too thick? Look for tiny cameras or anything that seems odd near the ATM. If anything seems out of place or doesn’t match, don’t use the machine. Report it to the bank and walk away.

It’s hard to notice anything right away as a well-installed skimmer barely appears different from the original. Take a quick glance at your bank’s other ATMs or another terminal at the gas station. Doing so will give you an immediate frame of reference for what “normal” should look like.

When entering your PIN either at the gas pump or an ATM, assume someone is watching even if you don’t see anyone around. Always cover your hand when entering your code.

Be extra cautious of using ATMs that are in isolated areas that might be perfect spots for the criminals to set up shop. They are less likely to be able to install skimming devices on ATMs and gas pumps in highly trafficked areas. Non-bank ATMs are the most vulnerable to card skimmers. Stay away from ATMs at grocery or convenience stores that are way back in a corner.

At the gas pump, make sure the dispenser door hasn’t been opened. Bandits need to insert the reader inside there. If it won’t close properly or looks like it has been opened, use another pump. Always wiggle the card reader; if it jiggles and isn’t secure, it may have been tampered with. Pay inside just to be safe.

Android introduced an app that turns your phone into a Skimmer Scanner. It tests using a Bluetooth connection before you insert your card to ensure there is not a skimmer within range.

Statistics show that credit card skimming occurs more often on the weekends: criminals install the devices on Saturday and Sunday and then remove them, full of credit card data, on Monday. If possible, avoid using ATMs and gas pump payment stations on the weekends.

If possible, try never to use your magnetic strip and always insert the card into the chip slot instead. Even better, if the merchant allows NFC transactions, use Apple Pay, Samsung Pay, or Android Pay instead. These are much more secure payment methods that use virtual credit card numbers that cannot be reused.

What to Do if You Are a Victim of Credit Card Skimming

If you used your credit card at an ATM or gas pump, and suddenly you notice fraudulent charges on your account, you may have been a victim of credit card skimming. Take the following steps as soon as possible.

  • Cancel the credit or debit card and report the fraud to your bank.
  • Contact the location you used (gas pump or bank where the ATM is located).
  • Review your monthly statement carefully, watching for any unauthorized charges.
  • Sign up for credit fraud monitoring with a company like IDStrong.com.
  • Consider a credit freeze so no one can open up accounts in your name.
  • Watch your inbox for any phishing or scam emails.
  • Sign up for cards that mask your actual credit card number like Apple Card, or another phone-based payment method.

It is getting more difficult to spot credit card skimmers, so always be on the lookout for anything that looks suspicious and use common sense when snagging money from an unfamiliar ATM or using a gas pump.
