Credit Card Skimmers and Shimmers: Everything You Need to Know to Stay Safe (2024)

Have you ever thought about how woefully insecure credit and debit cards are? Try this experiment: Plug a USB magnetic strip reader into a computer, open a word processor, swipe a credit card, and boom—you just stole your own card information. It's that easy.

Now consider that the same technology comes in faster and smaller forms. Tiny "skimmers" can be attached to ATMs and payment terminals to pilfer your data from the card's magnetic strip (called a "magstripe"). Even smaller "shimmers" are shimmed into card readers to attack the chips on newer cards. There's now also a digital version called e-skimming, pilfering data from payment websites.

Worried? The first step to defending yourself from these scammers is to understand more about them. Read on for a complete rundown of the ways they attempt to steal your information—and your money.

What Are Skimmers?

Skimmers are tiny, malicious card readers hidden within legitimate card readers that harvest data from every person who swipes their cards. After letting the hardware sip data for some time, a thief will stop by the compromised machine to pick up the file containing all the stolen data. With that information, he can create cloned cards or just commit fraud. Perhaps the scariest part is that skimmers often don't prevent the ATM or credit card reader from functioning properly, making them that much harder to detect.

Getting inside ATMs is difficult, so ATM skimmers sometimes fit over existing card readers. Most of the time, the attackers also place a hidden camera somewhere in the vicinity in order to record personal identification numbers, or PINs, used to access accounts. The camera may be in the card reader, mounted at the top of the ATM, or even in the ceiling. Some criminals go so far as installing fake PIN pads over the actual keyboards to capture the PIN directly, bypassing the need for a camera.

The yellow part attached to the ATM's card reader slot is a skimming device (Credit: PCMag)

This picture is of a real-life skimmer in use on an ATM. Do you see that weird, bulky yellow bit? That's the skimmer. This one is easy to spot because it has a different color and material than the rest of the machine, but there are other tell-tale signs. Below the slot where you insert your card are raised arrows on the machine's plastic housing. You can see how the grey arrows are very close to the yellow reader housing, almost overlapping. That is a sign a skimmer was installed over the existing reader since the real card reader would have some space between the card slot and the arrows.

ATM manufacturers haven't taken this kind of fraud lying down. Newer ATMs boast robust defenses against tampering, sometimes including radar systems intended to detect objects inserted or attached to the ATM. However, one researcher was able to use an ATM's onboard radar device to capture PINs as part of an elaborate scam.

Are Skimmers Still a Threat?

While researching for this article, PCMag reached out to Kaspersky Labs, and company representatives said something surprising: skimming attacks were on the decline. "Skimming was and still is a rare thing," said the Kaspersky spokesperson.

The Kaspersky representative cited EU statistics from the European Association for Secure Transactions (EAST) as indicative of a larger trend. The EAST reported a record low in skimmer attacks, dropping from 1,496 incidents in April 2020 to 321 incidents in October of the same year. The effects of COVID-19 might have something to do with that drop, but it's nonetheless dramatic.

That doesn't mean skimming has gone away, of course. In January 2021, a major skimming scam was unearthed in New Jersey. It involved attacks on over 1,000 bank customers, with criminals attempting to make off with over $1.5 million.

From Skimmers to Shimmers

When the US banks finally caught up with the rest of the world and started issuing chip cards, it was a major security boon for consumers. These chip cards, or EMV cards, offer more robust security than the painfully simple magstripes of older payment cards. But thieves learn fast, and they've had years to perfect attacks in Europe and Canada that target chip cards.

Instead of skimmers, which sit on top of the magstripe readers, shimmers are inside the card readers. These are very, very thin devices and cannot be seen from the outside. When you slide your card in, the shimmer reads the data from the chip on your card, much the same way a skimmer reads the data on your card's magstripe.

There are a few key differences, however. For one, the integrated security that comes with EMV means that attackers can only get the same information they would from a skimmer. In his blog, security researcher Brian Krebs explains that "Although the data that is typically stored on a card's magnetic stripe is replicated inside the chip on chip-enabled cards, the chip contains additional security components not found on a magnetic stripe."

Thieves couldn't duplicate the EMV chip, but they could use data from the chip to clone the magstripe or use its information for some other fraud. The Kaspersky representative I spoke to was unequivocal in their confidence in chip cards. "EMV is still not broken," Kaspersky told PCMag. "The only successful EMV hacks are in lab conditions."

The real problem is that shimmers are hidden inside victim machines. The shimmer pictured below was found in Canada and reported to the RCMP. It's little more than an integrated circuit printed on a thin plastic sheet.

Shimmer circuitry on a tiny plastic card (Credit: Coquitlam RCMP)

3 Ways to Avoid Online Credit Card Skimming

Not surprisingly, there's a digital equivalent called e-skimming. The 2018 British Airways hack apparently relied heavily on such tactics.

As Bogdan Botezatu, Director of Threat Research and Reporting at Bitdefender, explained, e-skimming is when an attacker inserts malicious code into a payment website that snatches away your card information.

"These e-skimmers are added either by compromising the online store’s administrator account credentials, the store’s web hosting server, or by directly compromising the [payment platform vendor] so they will distribute tainted copies of their software," stated Botezatu. This is similar to a phishing page, except that the page is authentic—the code on the page has just been tampered with.

"E-skimming attacks are increasingly becoming adept at evading detection," said Botezatu. "The more time an attacker maintains this foothold, the more credit cards they are able to collect."
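For store operators, one way to notice the kind of tampering Botezatu describes is to compare the scripts on a checkout page with a reviewed baseline. The following Node.js code is an added example, not from the original article; the URLs, page content and the `auditScripts` helper are constructed for illustration.

```javascript
// Added example (not from the original article). All URLs, names and page
// content below are constructed for illustration.
const crypto = require("node:crypto");

// SRI-style digest: "sha384-" + base64(SHA-384(content)).
const sha384 = (text) =>
  "sha384-" + crypto.createHash("sha384").update(text, "utf8").digest("base64");

// Compare every <script> on a page with the approved baseline and return
// one finding per script that is unknown or has lost its integrity pin.
function auditScripts(html, baseline) {
  const findings = [];
  const tagRe = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  for (const [, attrs, body] of html.matchAll(tagRe)) {
    const src = (attrs.match(/\bsrc\s*=\s*"([^"]*)"/i) || [])[1];
    if (src === undefined) {
      const hash = sha384(body);
      if (!baseline.inline.has(hash)) findings.push({ type: "unknown-inline", hash });
      continue;
    }
    const expected = baseline.external.get(src);
    const pinned = (attrs.match(/\bintegrity\s*=\s*"([^"]*)"/i) || [])[1];
    if (expected === undefined) findings.push({ type: "unknown-external", src });
    else if (pinned !== expected) findings.push({ type: "sri-missing-or-changed", src });
  }
  return findings;
}

// Constructed baseline: what the store operator reviewed and approved.
const VENDOR_URL = "https://pay.example/sdk.js";
const VENDOR_SRI = sha384("/* constructed vendor SDK v1 */");
const APPROVED_INLINE = "initCheckout();";
const baseline = {
  inline: new Set([sha384(APPROVED_INLINE)]),
  external: new Map([[VENDOR_URL, VENDOR_SRI]]),
};

// Constructed pages: the approved checkout page and a tampered copy of it.
const cleanPage = `<form id="pay"><input name="card"></form>
<script src="${VENDOR_URL}" integrity="${VENDOR_SRI}" crossorigin="anonymous"></script>
<script>${APPROVED_INLINE}</script>`;
const tamperedPage = `<form id="pay"><input name="card"></form>
<script src="${VENDOR_URL}"></script>
<script>${APPROVED_INLINE} /* constructed: unreviewed code appended */</script>
<script src="https://cdn.example.net/stats.js"></script>`;

console.log(auditScripts(cleanPage, baseline));    // no findings
console.log(auditScripts(tamperedPage, baseline)); // three findings
```

A check like this only sees scripts present in the served HTML; the browser itself enforces the `integrity` attribute when it loads the file.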

Combating this type of attack is ultimately up to the companies who run these stores. Below are a few things you can do to protect yourself:

1. Use Security Software

Botezatu suggested that consumers use security suite software on their computers, which he said can detect malicious code and prevent you from entering your information.

2. Use a Fake Credit Card Number Online

You can avoid entering your credit card information altogether by using a virtual credit card. These are dummy credit card numbers that are linked to your real credit card account. If one is compromised, you won't have to get a new credit card; just generate a new virtual number. Some banks, like Citi, offer this as a feature, so ask your bank if it's available. If you can't get a virtual card from a bank, Abine Blur offers masked credit cards to subscribers, which work in a similar way. Apple Pay and Google Pay are also accepted on some websites.

3. Activate Alerts for Your Credit Card Accounts

Some banks will send a push alert to your phone each time your debit card is used. This is handy since you can immediately identify bogus purchases. If your bank supplies a similar option, try turning it on. Personal finance apps like Mint.com can help ease the task of sorting through all your transactions.

Stay Aware to Stop Credit Card Scammers

Even if you do everything right and go over every inch of every payment machine you encounter (much to the chagrin of the people behind you in line), you can be the target of fraud. But take heart: As long as you report the theft to your card issuer (for credit cards) or bank (where you have your account) as soon as possible, you will not be held liable. Your money will be returned. Business customers, on the other hand, don't have the same legal protection and may have a harder time getting their money back.

Pay attention to your credit card statements and act quickly if you find charges you don't recognize. If something doesn't feel right about an ATM or a credit card reader, don't use it. Whenever you can, use the chip instead of the strip on your card. Your bank account will thank you.

Fahmida Y. Rashid contributed to this story

FAQs

How do you stay safe from card skimmers?

Follow these guidelines every time you use your card.
  1. Do a quick scan. Before using any machine, take a look to make sure it hasn't been tampered with. ...
  2. Be wary of non-bank ATMs. ...
  3. Check the keypad. ...
  4. Block your PIN. ...
  5. Use mobile wallet. ...
  6. Pay inside. ...
  7. Stay in public view. ...
  8. Check your account regularly.

What is the difference between shimmer and skimmer credit card?

Card shimmers work just like card skimming devices except, instead of reading the magnetic strip, they read the card's microchip. Just as with skimmers, shimmer devices are placed on ATMs and at POS terminals. Whenever a chip-enabled card is inserted, the microchip data is stolen.

Does tapping your card protect you from skimmers?

Use tap to pay or contactless pay whenever you can. These methods are usually safer because the skimmer can't grab your card info like it can when you slide or dip. This uses Near Field Communication (NFC) technology, which only works over a very short distance (a few centimeters).

What information do card skimmers get?

When a card is skimmed, the information stored on its magnetic strip can be stolen. This includes sensitive details such as the cardholder's name, card number, and expiration date. Scammers may use the stolen data to: Make unauthorized transactions.

Can skimmers read CVV?

E-skimmers or online skimmers mainly look for payment information for fraudulent purchases and theft. Specifically, here's what a threat actor targets: Credit card details - card numbers, expiration dates, CVV codes.

Do skimmers read chips?

Chip cards are less vulnerable to skimming than magnetic stripe cards, but they aren't completely safe. Crooks can still capture your card information from a chip card using a technique called shimming. Shimming allows criminals to create fake credit cards with your card information.

How do you tell if your card has been skimmed?

You won't know that your card has been skimmed until you see unusual transactions, which is why it's important to regularly monitor your account and review card statements. You can also set up card alerts to get emails, texts or app notifications for new transactions.

How do credit card shimmers work?

Skimming occurs when devices illegally installed on or inside ATMs, point-of-sale (POS) terminals, or fuel pumps capture card data and record cardholders' PIN entries, if applicable. Criminals use the data to create fake payment cards and then make unauthorized purchases or steal from victims' accounts.

Can Apple Pay be skimmed?

Apple Pay is made to be private and secure. Plastic cards are vulnerable. They can be stolen, copied, skimmed, and even fraudulently swiped. Apple Pay is designed so that only you can make purchases.

Do skimmers need your PIN?

Remember, skimmers need your PIN as well as your card number to access the funds and information on your card, so the best way to protect yourself is by not entering your PIN. When you have to enter your PIN, always cover the PIN keypad.

How do I protect my credit card from being scanned?

Use an RFID shield wallet or protective sleeve, wrap it in foil, or store your card next to an RFID jamming card to protect its signal. Distance yourself from other customers when using your card. For maximum security, only use it for at-home, online purchases.

Is tapping your card safer than swiping?

Tap-to-pay is less vulnerable to credit card skimming and other types of fraud since the card itself never touches the payment terminal for a transaction. “Skimming” involves using a hidden device to read and translate credit card data when a credit card is swiped to make a purchase.

How to protect yourself from card skimmers?

Regularly checking your bank and credit card statements for any unauthorized transactions is also a way to protect yourself. If you suspect a card reader has been tampered with, report it to the business and your bank immediately.

How do shimmers work?

How do card shimmers work? Shimmers are very tiny, thin devices that can be fitted into a card terminal, and can read EMV microchip data much in the same way that skimmers can read magstripe data. Fraudsters can't yet fully "clone" an EMV chip that's encoded with a valid user's information.

How can you protect yourself from card skimmers when you're at a gas pump?

If you're using a card at a fuel pump, the FBI recommends you:
  1. Choose a fuel pump closer to the store and in direct view of the attendant. These pumps are less likely to be targets for skimmers.
  2. Run your debit card as a credit card. ...
  3. Consider paying inside with the attendant, not outside at the pump.

How do I protect myself from debit card skimming?

7 Ways to Protect Yourself from ATM Skimming
  1. Know what to look for. ...
  2. Look for hidden cameras. ...
  3. Pay attention to the keypad. ...
  4. Shield your PIN. ...
  5. Be aware of your surroundings. ...
  6. Get to know your financial institution. ...
  7. Know what's happening. Review your statement and keep an eye out for anything that seems out of place.

How do you stop your bank card from being scanned?

Preventing Credit Card Scanning
  1. Buy a card sleeve or RFID wallet that blocks RFID transmissions.
  2. Stack your cards together to mitigate some of the scanner's ability to read information.
  3. Leave your cards at home and only use cash in public places.

Author: Foster Heidenreich CPA
