We talk a lot about EMV chip technology with our clients and on our blog. I thought it would be interesting to show a real world example of what EMV is trying to stop. An increase in scams involving a credit card skimmer is a perfect place to start.
What is a Credit Card Skimmer?
Credit card skimming is a scam that uses a secret device to read your card information. The information from your magnetic strip is then used to create a fake copy of your card or a digital version.
Card skimmer devices are either implanted inside a terminal or placed over top of an existing one. As you swipe or insert a card, the strip slides across a tiny sensor that steals the info. A small camera is usually placed somewhere above, out of sight. The camera records the keypad as you enter your pin number.
It’s a pretty simple procedure and most people would never be able to detect the threat. Below are examples of external card skimmers. Would you ever think anything was out of the ordinary?
The level of sophistication varies from simple surface mount units to full machine faces. Some even overlay the key pads and collect data without the need of a camera.
Internal or insert card skimmers work in a similar way. They are much harder to detect, with no visible devices. KrebsOnSecurity has a more detailed article on insert skimmers. Here is a video from his blog showing a skimmer being inserted and removed.
ATM Card Skimmers VS Retail
Most thieves target ATMs because the larger machines make it easier to hide devices. You are also more likely to use a debit card and pin number. This allows for a cash withdraw rather than just stealing credit card info.
A recent string of thefts at Walmart stores, however, targeted self-checkout terminals. The scam used a full overlay device that stole both the card data and pin numbers. The thieves could install the face plate in seconds without attracting any attention. Most retail point of sale terminals now use EMV readers, which avoid scams by not requiring a swipe, or full insertion of your card. But, with an estimated 40% or more of cards still not using EMV chips, a lot of information can be stolen.
The images above from Hold Security show the overlay reader used on the Walmart self-checkout terminals. When fitted over the existing terminal it’s almost seamless.
Skimmer being installed at Walmart self-checkout terminal.