Credit card skimmers explained: How they work and how to avoid them

What is a credit card skimmer?

In the security industry, a skimmer has traditionally referred to any hardware device designed to steal information stored on payment cards when consumers perform transactions at ATMs, gas pumps and other payment terminals. More recently, the use of the term has been extended to include malicious software or code that achieves the same goal on e-commerce websites by targeting payment card data inputted during online purchases.

Whether hardware- or software-based, skimmers are tools that enable fraud. The data they capture is used to either clone physical payment cards or to perform fraudulent card-not-present transactions online.

How card skimming devices work

Physical skimmers are designed to fit specific models of ATMs, self-checkout machines or other payment terminals in a way that is hard to detect by users. Because of this, they come in different shapes and sizes and have several components.

There is always a card-reading component that consists of a small integrated circuit powered by batteries. It is usually contained in a plastic or metal casing that mimics and fits over the real card reader of the targeted ATM or other device. This component allows criminals to get a copy of the information encoded on a card’s magnetic strip without blocking the real transaction the user is trying to perform.

A second component is usually a small camera attached to the ATM or a fake PIN pad that covers the real one. The purpose of this component is to steal the user’s PIN, which, along with the data stolen from the magnetic strip can enable criminals to clone the card and perform unauthorized transactions in countries where swipe-based transactions are still widely used.

However, as many countries around the world have moved to chip-enabled cards, criminals have adapted, too, and there are now more sophisticated skimmer variations. Some skimming devices are slim enough to insert into the card reading slot — this is known as “deep insert.” Devices called “shimmers” are inserted into the card reading slot and are designed to read data from the chips of chip-enabled cards, though this is effective only against incorrect implementations of the Europy, Mastercard and Visa (EMV) standard.

Copyright © 2020 IDG Communications, Inc.

Source link