18 Sep Product Review: Skim Swipe POS Retail Terminal Card Skimmer Detector
Works in all swiping retail POS terminals including Verifone, NCR, Equinox, Ingenico, Hypercom, etc.
– Melbourne, Australia – Sep. 18, 2024
If you regularly fill up your car with gas, you’ve probably encountered it at one time or another: a sign on the pump, or on the card machine inside, saying that the device is broken and requesting that you pay in cash — and if you have no cash, that you’re welcome to use the onsite ATM to get some.
When you need to fill up, you need to fill up — which is why so many unsuspecting customers dutifully insert their cards into the machine, only to look at their bank statement days or weeks later to find out that their card details have been swiped and are being used by criminals to embark on a worldwide spending spree, online and off.
This very specific type of crime is possible because cybercriminals — often with the help of gas station attendants or convenience store employees who have been offered a cut of the proceeds — have poisoned the site with card skimmers, purpose-built devices that sit quietly inside the card slot of ATMs or the swiping track on the side of point-of-sale terminals.
Those devices may be accompanied by small cameras, or even transparent keypad overlays, that capture your PIN as you enter it. Some devices even have built-in Bluetooth, so criminals can download the latest data without getting out of their cars.
Once they download the data from the device, criminals either sell the details online or use special equipment to write the details onto credit card blanks. They might test the cards with a few low-value transactions first — buying a few packs of gum from a local shop, for example — before quickly moving on to high-value equipment, such as TVs, that can be fenced for cash.
Despite growing awareness of the problem, criminals are proving to be extraordinarily good at finding new ways to steal and exploit card details: recent Federal Trade Commission data showed that 23,011 cases of “existing account fraud” were reported during the first half of 2024, on pace to exceed the 44,855 cases reported during all of 2023.
Fraud prevention firm FICO has seen even larger numbers, recently reporting that the number of known skimmed cards surged by 96 percent from 2022 to 2023 — when more than 315,000 impacted cards were identified in nearly 1,600 skimming incidents.
California, Texas, Colorado, New Jersey, and Pennsylvania were the top five states targeted by skimming criminals, collectively accounting for nearly half of all incidents; add in New York, Ohio, Virginia, Florida and Illinois, and you’ve accounted for 70 percent of all known incidents.
The real numbers are likely to be even higher than that, not only because many victims are too focused on recovering their funds to report the crime — but because many shop owners quietly choose not to tell authorities when it’s discovered that their gas pumps, ATMs, or point of sale terminals have been compromised.
“Oftentimes they’ll just unplug the skimmer and throw it in a box behind the gas station,” explained Scott Schober, CEO of wireless testing and security specialist firm Berkeley Varitronics Systems (BVS), which has been innovating to help business owners and law-enforcement agencies keep up with card-stealing criminals.
“They don’t have a vested interest in getting the skimmer out of there because they’re still making money either way,” Schober explained.
“They don’t report it to local law enforcement because [skimming is] a federal crime. If it’s reported to the feds, they come in and often shut down the pump or the gas station. And if the media hears about it, they report that a skimmer was found — and business stops.”
In this cat-and-mouse game, you’re the cheese
Based on the number of card-skimming investigations being managed by the FBI, it’s clear that the problem isn’t going away — with many skimming schemes run by gangs that target one area intensively, then move on.
A Romanian national was recently sentenced to 18 months in prison and fined $75,000 for using counterfeit debit cards and skimming devices, while another Romanian national was sentenced to 75 months in federal prison for running an ATM skimmer group.
After another recent investigation that unified the FBI, Secret Service, and US Attorney for the Eastern District of New York, authorities charged five New York City defendants who hid skimmers in ATMs and compromised over 600 victims’ accounts between May 2022 and Feb. 2023.
“The defendants’ concerted efforts to conceal this fraudulent activity allowed the scam to plague the community for almost a year,” James Smith, FBI assistant director in charge, said as the arrests were reported.
That scam involved the use of “deep insert skimmers” that sit completely inside a card slot, and the agency said in warning that “advanced skimming devices and pinhole cameras installed on ATMs, like those used by the defendants, may well be disguised and undetected by the ATM user.”
Deep insert skimmers have upped the ante considerably compared with earlier card skimmers, which were plastic overlays designed to fit snugly around an ATM’s card slot — adding a second read head that, without interfering with the device’s normal operation, reads your card details from the magnetic stripe on the back of the card.
Banks responded by adding physical protections against the skimmers, such as narrowing the width of the card slot so that nothing but a card will fit inside, or adding physical solenoids that physically block access to the slot unless a valid card is detected.
“The problem is that all the bad guys do is to go buy an ATM and buy the physical barrier, then say ‘let’s design a skimmer that will avoid this technique,’” Schober said. “After banks had upgraded all their machines and spent countless millions of dollars, they discovered that hundreds of them have had skimmers placed in them in the middle of the night.”
“Thieves are smart: they’ll look for whatever roadblocks you put up, and they’ll find a backdoor to work around it.”
For authorities, this means the fight to detect skimmers, then trace them back to the criminals operating them, can be a painstaking and long-term effort — but for consumers, it means that the pain caused by card skimmers isn’t going anywhere soon.
After all, there will always be another gas pump, convenience store, or ATM to hit — and as criminals refine their techniques, some of the scams being uncovered are truly mind-boggling.
Having worked closely with law enforcement authorities investigating such crimes, Schober has seen his share of scams: one criminal gang, for example, was skimming customers’ card details from a gas station, then using the cards to fill up a large tank installed in the back of a pickup truck.
That truck would drive around the corner, pump the gas into a larger gas tanker and repeat the process until it was full — at which point, the tanker would sell the gas to the station owner, unaware that they were buying their own gas back from the criminals.
Finding skimmers wherever they’re hiding
Authorities offer consumers a standard and well-worn list of tips to avoid card skimmers — watch out for physical overlays; cover your hand while entering your PIN; avoid ATMs in dark and outdoor spaces, or in tourist areas; monitor your bank statements closely; and use cards’ built-in chip technology rather than swiping your card’s magstripe.
Yet ever more-resourceful criminals never fail to find ways to trick their victims — and after Schober’s own card was skimmed several years ago, he began brainstorming ways that he could help authorities turn the tables on criminals.
Working with his team, BVS ultimately developed Skim Scan — a thin device that could be inserted into a fuel pump or ATM card slot, would scan for the presence of a skimmer, and instantly display a red or green light to let the user know whether their machine had been compromised.
It was a revelation for authorities and business owners, who Schober said have bought the $430 device in its thousands — “as fast as we’re building them, we’re shipping them,” he said – and often been stunned to realize they had been compromised for years.
One owner of a small mom-and-pop gas station checked her 12 gas pumps, Schober recalled, and found that everyone had a skimmer — meaning that their customers “were getting their cards skimmed, day in and day out, probably for about two years.”
The success of that product drove Schober’s team to consider how to adapt the technique for magstripe readers on point-of-sale terminals, which are also regularly targeted by criminals who install slim-lined skimmers that add a second magnetic read head to the devices.
Is it really safe to swipe your card?
While many banks have sought to reduce skimmer losses by encouraging customers to use cards with encrypted data chips, resourceful criminals have figured out many ways around this — from posting simple signs indicating that a device’s chip capabilities are out of order, to physically drilling a tiny hole into a POS machine’s chip reader to disable it.
Once criminals have disabled all of your alternative payment options, Schober said, even vigilant customers can be caught unawares.
Criminals do this “by employing social engineering techniques, often when there’s a sense of urgency,” he explained. “You want that hotdog and soda because your kids are crying in the car and the dog is barking, and you’re not going to fumble around and go back to the car to look for cash.”
“Chances are that you’re not even going to be thinking that there’s a skimmer,” he said, and you’re going to take your card and swipe it. It happens every single day.”
Little wonder that BVS’s latest invention, Skim Swipe, has seen strong interest since its introduction earlier this year — with hundreds of units sold and strong feedback from a community that finally feels it has a weapon to fight back against being exploited by criminals.
“We’re getting thank-you calls from the law enforcement community, retail petroleum industry, and banking industry saying that they’re finding skimmers,” he said. “It makes you feel good that you’re combating the problem — and that we’re starting to take back victory against some of the cyber criminals.”
Magstripes are a particularly American payment solution that has continued to be commonplace even as most other countries rapidly switch to more secure chip payments: just 89.13 percent of U.S. payments were completed using EMV chip cards in the year to June 2023, according to industry figures that found chip card usage was much higher in Europe Zone 1 (99.75 percent); Europe Zone 2 (95.18 percent); Canada, Latin America and the Caribbean (98.57 percent); and Africa and the Middle East (99.42 percent).
Although 69.25 percent of issued credit cards have EMV capabilities worldwide, card issuers are steadily increasing this: Mastercard, for one, no longer requires banks to include magnetic stripes on cards they issue and has laid out a plan to phase them out completely by 2033.
Even then, however, magstripe cards will still be commonplace in the U.S. and elsewhere, since makers of ATMs and other devices are still working out the logistics of modifying or replacing millions of machines so they no longer rely on magnetic stripes.
Until then, skimming is guaranteed to continue — and broader use of devices like Skim Scan and Skim Swipe will give well-intentioned merchants a way to fight back against criminal gangs and protect their customers from exploitation.
“Our hope is that by working with law enforcement and various establishments,” Schober said, “they’re going to protect the consumer and check to make sure nobody’s putting something inside of their machine — because it can be challenging for a consumer to spot.”
“In the meantime, if you’re ever forced to swipe your card, stop and use caution — because there’s a high probability that there’s actually a skimmer in there.”
– David Braue is an award-winning technology writer based in Melbourne, Australia.
Go here to read all of David’s Cybercrime Magazine articles.
