Skimmers are very small, inconspicuous electronic devices installed at the card insertion panel to steal card credentials during legitimate transactions. As you insert the card into the slot, it first touches the skimmer and then enters the terminal, so everything appears normal. Reetwika warns us against such attacks and explains the necessary precautions in her weekly column, exclusively for Different Truths.
Have you ever noticed any unusual props at an ATM?
Do you check the POS machine before swiping your card?
Are you sure there are no hidden pinhole cameras at your favourite Box Office?
Which one do you prefer to make a POS purchase – Debit Card or Credit Card?
Does your card have an EMV chip or magstripe?
Well, these are a few questions which must light up a bulb in your mind the next time you use your bank's cards. Unnoticeable card readers are often placed at ATMs, POS machines, petrol stations, box offices, etc., to unlawfully capture your card information and later reuse it to carry out fraudulent transactions, create counterfeit cards or steal cash from your bank account.
Skimmers are very small, inconspicuous electronic devices installed at the card insertion panel to steal card credentials during legitimate transactions. As you insert the card into the slot, it first touches the skimmer and then enters the terminal, so everything appears normal. However, the skimmer will have scanned and stored all the card information by that time. Once the data is recorded, it is transmitted wirelessly to other devices using antenna, Bluetooth or infra-red technologies. Signal receivers are mostly situated somewhere physically close to the machine, maybe outside the ATM booth or on the side fascia of POS counters.
Because skimmers are physically so inconspicuous, it becomes increasingly important for users to keenly observe the devices before inserting their cards. You must familiarise yourself with the terminal components if you visit a particular ATM or POS counter frequently. Any visible changes or broken components should make you cautious.
You may closely inspect these areas for any suspicious tampering: the card reader snout, the sides of the machine, the keypad area, the light diffuser area, the brochure holder, the areas adjacent to the speaker, the bottom panel, etc. A skimmer can be 'piggy-backed' onto the card reader, or a smaller piece of equipment may be camouflaged to look like a normal card entry snout. It may also be attached to the ATM rain cover. A PIN capturing device can easily be fitted to the top panel where the account details are displayed, or a skimmer plate may be attached on top of the actual keyboard.
Skimming typically happens in three ways, and the skimmers are named after their operating type: Magnetic Skimmer, Pinhole Skimmer and Overlay Skimmer. If any combination of these is installed together, the stolen data could be misused for any malicious purpose. Whatever the form, skimming is illegal in every way across the world.
A Magnetic Skimmer is a small card reader which is generally mounted over the machine's slot where we insert the card for swiping. It is visually so inconspicuous that it is hard for any layman to detect. The skimmer can sniff all the card info available on the magnetic strip at the back of the card (e.g. Card Holder Name, Card No, Validity, CVV, etc.).
A Pinhole Skimmer is nothing but a tiny spy camera (almost the size of a pinhole, hence the name) which is placed near the keypad to stealthily capture the PINs (or keys) punched by the user on the keyboard. Other imaging devices can also be strategically positioned around POS payment terminals to fraudulently capture PINs.
Pinhole Skimmers are generally placed behind small holes (screw tips, edges, joints, paper racks, micro speakers, bottom panel, etc.) or any worn-out plastic parts in and around the number pad. The machine continues to operate normally, but the skimmer can easily copy your PIN strokes through the camera.
The Overlay Skimmer is basically a very thin fake keypad which is fitted in the guise of a real one to capture the PINs from the buttons pressed on the device's numpad. These are perhaps the most difficult to detect of all skimmer types. When someone punches a key on the fake keyboard, the skimmer first logs that entry before the original keys get pressed underneath. However, the overlay fitment will not be as perfect as a factory-made machine component. You must be watchful of any oddly protruding fragment, loosely fitted key surface, disturbed LED displays, overlays, colour disparity with the rest of the machine body, etc.
Like all my columns, here too I will reiterate how important it is to be a responsible technology user in order to shield yourself from any high tech cyberattacks. Shared below are a handful of useful tips to prevent being tricked by Skimmers:
1. Look out for any abnormal or unusual physical fitments inside the ATM or around the POS machine. Generally, the devices do not have any loose or broken parts. If you happen to come across any, there is a high chance that it has a skimmer installed. Unless explicitly sure, prefer not to use that terminal.
2. If you find any colour mismatches among the machine body parts (for example the plastic portions, payment terminal, bottom panel, numpad, blinking lights, any joints, mountings, etc.), try to gently jiggle them to check the fitment strength. If there are any fake arrangements, you may notice loose fits during the exercise.
3. Prefer to use ATMs adjacent to banks rather than standalone ones; those on highways and at petrol bunks, fuel stations, malls, hospitals, etc. are especially susceptible. Security and cash refill frequencies are higher in the former case, thus lowering the chance of skimmer installation.
4. Given a choice, try to use your Credit Card over Debit at any POS. There is a lower cash limit in normal Credit Cards and the payment reversal can be initiated faster compared to cash cards. So, in case of any skimming fraud, you may take quicker actions against a compromised Credit Card than a Debit Card.
5. Prefer to use ATMs under surveillance (CCTV, manned by a security guard, located inside a bank lobby, etc.). They are less likely to be tampered with.
6. Always cover the keypad area with your hand while punching in the card PIN. This will prevent the cameras from recording your strokes. A card skimmer without the PIN is only half armed, which reduces the risk of exposure substantially.
7. Be very vigilant of any hidden cameras at the ATM especially near the keypad. It can be installed on the numpad, bottom panel, cash disbursement panel, beside the number keys, brochure rack, etc.
8. You should upgrade your magnetic strip card to an RFID-equipped chip card. Leading international banks have already replaced their cards by now. If you are still using the older models, do get them exchanged immediately.
9. For POS machines where both a magstripe and an electronic chip reader are available, prefer to use the latter, as it is much more secure than the magnetic strip reader because the information is transmitted wirelessly. Only Shimmers (electronic skimmers) can copy EMV chip info, and they are very difficult to install manually without insider support. Also, leading banks encrypt the data sensed by the EMV chip readers of their POS terminals before committing the transaction.
10. If you are an Android-based smartphone user, you may also like to install a skimmer detection app like 'Skimmer Scanner'. It can scan all visible Bluetooth devices in its vicinity that fall within your Bluetooth's range. The majority of skimmers are Bluetooth enabled these days so that data transfer can be done wirelessly. If there are any such skimmers installed inside the ATM or POS machine, this app is likely to be able to detect them.
Last but not least, immediately log a complaint with the respective bank if you happen to come across any tampered POS machine or ATM. Your timely action can save thousands of frauds targeted at users like you and me.
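The Bluetooth check in tip 10, sketched as an added example (it is not the Skimmer Scanner app's code and not part of the original column). It triages the results of repeated scans taken beside one terminal. The module names, the RSSI cut-off, the scoring and the sample devices are all assumptions of this example.

```python
"""Triage Bluetooth scan results taken beside a payment terminal."""
from dataclasses import dataclass

# Assumption: default names advertised by common off-the-shelf serial modules.
DEFAULT_MODULE_NAMES = {"HC-03", "HC-05", "HC-06"}
NEAR_RSSI_DBM = -60  # assumption: a stronger signal than this is close by


@dataclass
class Device:
    address: str
    name: str        # empty string when the device advertises no name
    rssi: int        # signal strength in dBm (closer to 0 means nearer)
    seen_scans: int  # number of the repeated scans in which it appeared


def score(dev, total_scans):
    """Return (points, reasons); more points means more worth reporting."""
    points, reasons = 0, []
    name = dev.name.strip().upper()
    if name in DEFAULT_MODULE_NAMES:
        points += 3
        reasons.append("default serial-module name")
    elif not name:
        points += 1
        reasons.append("no advertised name")
    if dev.rssi >= NEAR_RSSI_DBM:
        points += 1
        reasons.append("strong signal (close by)")
    # A phone walks away with its owner; a fitted device stays put.
    if total_scans > 1 and dev.seen_scans == total_scans:
        points += 1
        reasons.append("present in every scan (stationary)")
    return points, reasons


def triage(devices, total_scans, threshold=4):
    """Return (address, points, reasons) for suspicious devices, worst first."""
    scored = [(d.address, *score(d, total_scans)) for d in devices]
    flagged = [row for row in scored if row[1] >= threshold]
    return sorted(flagged, key=lambda row: -row[1])


# Constructed sample: three scans a minute apart (documentation-range addresses).
SAMPLE = [
    Device("00:00:5E:00:53:01", "HC-05", -48, 3),
    Device("00:00:5E:00:53:02", "Priya's Phone", -55, 1),
    Device("00:00:5E:00:53:03", "", -82, 3),
    Device("00:00:5E:00:53:04", "JBL Speaker", -50, 3),
]

if __name__ == "__main__":
    for address, points, reasons in triage(SAMPLE, total_scans=3):
        print(address, points, ", ".join(reasons))
```

A match is only a reason to avoid the terminal and report it to the bank; a device with a changed name will not be flagged by the name check.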
Reetwika Banerjee is a Cyber Security Expert presently associated with a US consulting giant. She holds an international MBA degree in Information System & Security and aims to be the face of women in security. During leisure hours, she enjoys writing books, news columns, travel blogs and films. She holds 2 World Records and 3 National Records for devising three innovative concepts in Modern Literature. A native of Kolkata, she is now a resident of Bangalore.