You wouldn’t think your local gas station is a hotspot for cybercriminals. But you’d be wrong. These crafty thieves have been ripping people off for years at gas stations.
The common method is through card skimming and can be done in the blink of an eye. Criminals attach a card reading device to the pay point at the pump and capture your credit or debit card’s details. Tap or click here to see the difference between skimmers and shimmers.
Without even realizing that your card has been skimmed or cloned, the criminals can drain all your money from your account in a matter of minutes. Fortunately, there are ways to spot these dangerous devices.
Here’s the backstory
Before we could swipe our card at the pump and fill the vehicle, we had to go into the store, stand in line and manually pay for the gas. That is, if you remembered your pump number. Card readers on the pump allow us to pay, fill and drive away without having to walk any further than the pump itself.
But the convenience of doing so comes with technological dangers, like the card readers or card cloning devices that criminals use. The technology is hard to spot if you don’t know what to look for.
Update: We previously recommended apps to help you spot skimmers. While this technology can work, the apps didn’t have great reviews and one was pulled from the App Store. Instead, we’ll share what you should look for and a few ways to spot skimmers.
How to spot skimmers
The best way to spot a tampered card reader or gas pump is to look at it thoroughly. Ensure that it hasn’t been opened and the security seal is intact and seems to be in good order. If you’re concerned, touch the reader and wiggle it around. If a piece of equipment comes off easily, it’s probably been tampered with. In some cases, criminals attach an identical reader over the real one.
Let’s go through common skimmers so you know what to look for.
An overlay skimmer is one that fits over the card reader slot of an ATM or gas pump. For old or low-quality overlay skimmers, there are a few things you can look for. It’s usually modeled, or in some cases 3D printed, to look like the part it’s covering. However, it might not be the same quality or color as the rest of the machine. Maybe it’s protruding a bit too far or not installed straight. If it looks like it doesn’t quite fit, then that’s a possible warning.
You can also look around for additions to the machine that could hide a camera pointed at the keypad. This is often how crooks get your PIN. It might be installed on the ATM, or even above it.
That’s the case with a skimmer a passenger discovered on a MetroCard Vending Machine in the New York subway. Here’s the overlay part (after it was taken off the MVM):
And here is the camera installed above the machine disguised as a plug. See the pinhole on the bottom for the camera lens?
For these types of skimmers, it’s actually fairly easy to defeat them. Simply cover your hand when you’re typing in your PIN and the crooks won’t have all the information they need to clone your card.
Another type of skimmer is thin enough to fit right inside the retail location’s card reader slot. These devices can easily be purchased by anyone on the Dark Web.
To better understand how these skimmers work, watch these two videos. These are promotional sales videos that show the inner workings of skimmers that are for sale on the Dark Web.
In the first video, you will see a demonstration of how a debit card easily fits inside the card reader while the skimmer is inside. At the end of the video, you see how the criminal extracts the skimmer.
In this next video, the criminal shows how to install and remove a skimmer from a card reader that has been taken from an ATM.
Next, we’ll talk about another smaller version of a skimmer, called a shimmer.
Skimmers are somewhat bulky, making them easy to spot for the well-educated consumer. This has led criminals to turn to the shimmer.
Shimmers are much smaller versions of a skimmer that fit easily inside an ATM or POS card reader. They are embedded with a microchip and flash storage, which allows them to steal your cards’ data, including the PIN. This data is extracted at a later time when the thief returns and inserts a specially designed card that downloads the information.
This is what a shimmer looks like:
Image: shimmer found inside retailer’s checkout card reader. (Source: RCMP)
The shimmer is super easy for the thief to install and is so thin, you won’t be able to tell that it’s inside the card reader. It also won’t block the normal usage of your card.
Because these new devices are so small, they won’t be limited to gas stations and ATMs. You can expect to see them popping up at grocery stores and retail locations, especially ones that offer self-checkout.
A good example of an advanced skimmer comes from Brazil. It’s a type of overlay skimmer, but instead of overlaying the card reader, the entire front of the ATM is fake.
You also need to be aware of unscrupulous employees of a restaurant or store who might have handheld skimmers that you’ll never see. Or they might put out POS terminals that are really skimmers in disguise; they’ll even print out a receipt.
Defeating the skimmer
Here are some simple ideas to defeat skimmers:
- Shield your PIN – The easiest step you can take to avoid having your PIN stolen is to block your hand typing in the PIN with your other hand. Always assume someone is watching you enter your PIN.
- Check for tampering – Before putting your card into a reader check it for tampering. Look for anything different or misaligned. If it looks suspicious, do NOT use the machine.
- Wiggle everything – Gas pumps and ATMs don’t have loose parts. If anything jiggles, don’t use it.
- Frequently check bank statements – Criminals are becoming more sophisticated, which means you need to stay vigilant. Stay on top of your bank statements and report any suspicious activity ASAP.
- Report the theft – If you are a victim of a skimmer, report it immediately to your financial institution. Notifiy the gas station you fill up at if you suspect that’s where your information was leaked.
10 accounts more valuable to cybercriminals than your credit card
600K credit card records leaked online – See if you’re at risk