Credit Card Skimming: How thieves can steal your card info without you knowing it

Taking just 5 seconds to inspect any credit/debit card readers before you swipe could end up saving you from identity and credit card theft. I’ll show you what to look for before you swipe your next card. The con is called skimming. Skimming works by retrofitting a perfectly legitimate card reader (like an ATM) with a camouflaged counterfeit card reader. The counterfeit reader records all of your card’s information as it passes through. To give you an idea of what we are dealing with, here is a picture of an ATM with a skimmer overlaid on to the slot where you insert your card and a micro camera hidden behind a bogus white plastic piece above the PIN keypad. This ATM was reported to police on September 6, 2008.
Image is Courtesy of Naples Police Department:

Would you have known it was stealing card data? The purpose of this blog is to educate you on how to identify a skimmer. To that end I’ve compiled a portfolio of example photos made up of both basic and advanced skimmers. It is by no means all inclusive but should give you a heads up on what to look out for the next time you go to swipe your card.
<!--pagebreak-->

According to law enforcement [1], “Credit card skimming has been around for years and is a growing problem that seems to be getting worse.” Many of us take for granted that inserting your credit/debit card into an ATM or swiping it at the grocery store or gas station is a safe practice. And most of the time you’d be right. However, skimmers are increasingly being retrofitted to legitimate ATMs, gas pumps, grocery/department store checkout machines, restaurants, etc., etc., you name it criminals are trying to skim your credit card from it. Here’s a look at the insides of the micro camera that is capturing video of your keypad presses.
Image is Courtesy of Naples Police Department:



<!--pagebreak-->

This is how the skimming scam works:

• Thief buys his skimming gear online from one of a slew of sources for around $400. Keep in mind that these sources in most cases legitimate companies selling credit card readers to real merchants for point of sale devices. This brings up the first problem; the sale of this equipment is completely unregulated. Below are some screenshots of perfectly legitimate businesses selling card reader gear for legal purposes. But since there are no regulations, skimmers can also buy them.
  Example bundle includes both a card reader and a writer. This reader must be plugged into a USB port to work. Later I’ll show you fully self contained and even smaller readers.
  

<!--pagebreak-->

The bottom image is the reverse image of the keypad showing the micro electronics that record and store your key presses. This keypad just overlays flat over the top of the real keypad.

<!--pagebreak-->

The bottom image is a look at a skimmer that is attached to a mobile device that can send off the collected data via txt messaging real time.

<!--pagebreak-->
This type of device is typically used in a card cleaner scam because it is so tiny and innocent looking. The thief will stick this skimmer horizontally somewhere around the real card reader with a label that says something like “Free Card Cleaner. Restore your cards magnet stripe here.” I think we’d be surprised at how many would do it.



The middle image shows a skimmer that fits conveniently in the palm of your hand.


The bottom image depicts some of the real world specs that are typical of the skimmers I’ve shown you so far. These little devices are self contained computers.

<!--pagebreak-->

<!--pagebreak-->

<!--pagebreak-->

I’ve been giving security talks to Cisco users groups lately and thought it would be interesting to add a few slides on skimmers to my presentation. Before I presented I asked the audience how many have heard of skimmers. I was very surprised by the result. Only about 1/3 of the room said they had. This was surprising to me mostly because of the fact that my audience was comprised solely of technical professionals. Granted that few of them were security focused but still all of them were wise to the ways of technology and Identity theft. For example, if I would have asked who has heard of Phishing I’m sure everyone would have said yes. What is more disturbing perhaps is what the result would have been if I asked a group of “baby boomers” if they knew what a skimmer was? 5 Percent, maybe less, would say yes is my guess.

This ad-hoc poll suggests to me that public awareness of the real threat posed by credit card skimming is almost non-existent and in need of help. Thus the reason I am writing this blog, to help get the word out. Now you, friendly reader, have been enlisted to help spread the word to your friends and family as well.

There are several websites that have recommendations for defending yourself against card skimming and what to do if you become a victim. Here are two such sites
Fightfraud.nv.gov [1]
Federal Trade Commission [1]

So were you aware of this threat? Did you know it was becoming more common? Have you ever been skimmed before? What actions are you going to take during your next credit card swipe? Is anything safe these days. I guess if nothing else this makes brick and mortar shopping just as risky as Internet shopping wouldn’t you agree?

The opinions and information presented here are my personal views and not those of my employer.

More from Jamey Heary:
* iPhone raises Privacy concerns: it records screenshots every time you hit the home button
[4]
* Cisco enters the crowded AV and DLP client market [5]
*Cisco's new ASA code allows you to securely take your Cisco IP Phone with you anywhere [6]
* Cisco targets Symantec, McAfee with its new antivirus client [7]
* Google's Chrome raises security concerns and tastes like chicken feet a> [8]

Go to Cisco Subnet [9] for more Cisco news, blogs, discussion forums, security alerts, book giveaways, and more.