They’ve Got My Back

My wife got a call at 8am the other morning. It was American Express letting her know that someone was using her credit card. It seems they made a purchase at 3am and two others right after that. Since my wife doesn’t generally do that with her business AmEx, their software let them know that something was up. I’m glad they caught it. Thank you American Express!

Being married to a “security guy” my wife sort of gets the ideas by osmosis. We shred everything that has personal information unless we need it for tax records. We never throw receipts away at the ATM or the gas pump. We try to keep good passwords and all those other precautions you hear so much about. But the bad guys still have ways to steal credit card information.

One of those ways is the skimmer. This is a device that reads the card before it goes into the actual reading slot, usually on and ATM or at the gas pump. I haven’t been to Mexico recently, but a few years ago it was a big deal. Thieves would put genuine-looking “bezels” on the ATM card slots that had readers. Those readers would save card info in flash memory. The thieves knew when the banks checked and reloaded the machines, so they’d place the skimmers on after the machine was reloaded, and remove them before the next check. These removable devices are pretty easy to spot once you’ve seen them.

Now it seems gas pumps are an issue. A commercial running on US television shows a thief opening the credit card reader with a master key (just a regular little key – not any kind of security key) and removing a flash card with the credit card info. There is no way for the unsuspecting user to see the skimmer.

So what can you do to avoid skimmer fraud? Well, not using the card is one way: pay inside instead of at a gas pump, for instance. Change your pin when you change your passwords (such as every six months). Cover the keypad with your had when you enter your pin so a camera can’t record you entering it. Another possibility is to use a credit card so your liability for fraud is limited. Many debit cards have this feature, too, so check with the issuer.

Since ATM skimmers are often on the outside of the machine, if the slot isn’t flush with the faceplate, tug on the area around the opening and see if it is loose – a loose cover or bezel might mean a skimmer has been installed. Some newer ATMs have LED lights surrounding the card slot. If the user cannot see the LEDs, they are likely covered by a skimmer. Some clever skimmer makers are now including LEDs in their devices, though. The skimmers may be very difficult to detect! The manufacturers of the ATMs are working hard to detect skimmers placed on their machines.

[Technology note] How hard is a skimmer to build? It is actually very simple. Think of the popular Square and other card readers for taking credit cards with smartphones. The early ones were just readers for the magnetic stripe which are basically old cassette tape heads with a resistor. The head is properly positioned to read the appropriate data (called “track two”).  With a read-head and the electronics from a digital voice recorder, you could probably build a skimmer fairly easily. (You can probably find the details on the web, but I am not even going to give a pointer to them here.) More sophisticated designs exist including ones that send SMS messages with the card info. With such a skimmer the recipient of the messages can be anywhere in the world. Some skimmers are even wafer thin and fit inside the card slot itself…

To learn more about fraud and skimming and basic security check out course 468.

John McDermott

Type to search

Do you mean "" ?

Sorry, no results were found for your query.

Please check your spelling and try your search again.