And skimming is on the rise. Last year, analytics firm FICO found, there was a 10 percent increase in the United States in payment cards that were compromised at ATMs and merchant card readers — following a 70 percent rise in 2016. Between 2014 and 2015, FICO reported a 546 percent increase in ATMs that were compromised by criminals.
While the trained eye may be able to detect some skimmers (they can be attached to a cash machine or reader and may move if you wiggle them) others are all but invisible, consisting of a wafer-thin reader that fits inside the actual card slot. Skimmers can be placed anywhere you would swipe or insert a credit card: video-rental machines, ATMs, grocery-store checkouts, postage-stamp dispensers. The list goes on.
Brian Krebs, who is an investigative journalist (formerly with The Washington Post) and author of the site KrebsonSecurity, which reports on cybercrime and Internet security, said that the thieves, who are often involved in organized crime and gangs, are growing bolder.
“This is all part of an arms race. It never ends,” he said. “The good guys try to put up roadblocks, the bad guys try to get over, around or under them. It keeps getting more sophisticated.”
There are a few simple things people can do on the road (and at home) to minimize the risk of being scammed. Krebs shared what he has learned.
Be selective in how you pay: “I don’t use debit cards,” Krebs said. That card is a pot of gold for thieves because they can get immediate cash. While banks protect from fraud, the institution might not catch the transaction or transactions immediately. If your account is emptied, checks could bounce, and cash may be unavailable as the bank investigates. Krebs recommends sticking with credit cards or using a mobile payment app with your phone. “The merchant never sees your credit-card number,” Krebs said.
Shield your PIN: Your card numbers are not the only thing thieves are after. Krebs said what they really want is your PIN, which, again, is their ticket to a quick payday. Often, he said, thieves will hide a camera on the ATM to record the number you type in. So the skimmer will grab your numbers when your card is swiped and the PIN is also captured. “When you’re entering your PIN, cover the PIN pad with your hand. It’s very simple,” Krebs said. Another alarming fact? Krebs said it is not just the ATM you have to worry about with skimmers. They have also been found within card readers that unlock the doors of bank vestibules.
Hit cash machines on weekdays: Need cash? Get it during the week, Krebs said. “Your chances of getting skimmed go up astronomically when the weekend starts,” he said. That is because the thieves know ATMs are inspected regularly during the week by the companies that manage them but not on weekends. “They want to maximize the time the skimmer is on the machine,” he said, “so they tend to go Friday night, Saturday morning.” And, he adds, “They absolutely love long holiday weekends.”
Use ATMs that are a fixture in banks: Avoid using free-standing ATMs on streets and in bars, restaurants, clubs, convenience stores and other businesses. Because the machines are so exposed, Krebs said, it is easier for someone to get access to the computer and hard drive of the ATM and rip off financial data. Instead, opt for ATMs that are permanent fixtures within the walls of banks. “It’s definitely safer to use the machines that are physically installed somewhere,” he said.
Choose a gas pump wisely: Krebs studied a year’s worth of data tracking gas-pump-skimming incidents in Arizona. He mapped out the locations of each gas pump involved in an incident and found there is a pattern: Skimmers were more frequently found on pumps that did not have security tape and security cameras. And the placement of the machine matters. “They generally favor pumps that are close to a major highway,” Krebs said. “For obvious reasons: A getaway.” When choosing a pump, he said to opt for the one that is closest to the station and the attendant.
Watch your accounts: “Keep an eye on your statements,” Krebs said. “Whether it’s regular credit card fraud or online credit card fraud or skimming-related fraud, you’re not liable for fraudulent withdrawals or charges, but you are responsible for reporting them.” Sometimes your financial institution will detect these, but not always. Krebs recommends signing up for text alerts (if your institution offers them free) so you get notified each time a transaction goes through.
Most of all, Krebs said, use common sense. If an ATM or merchant device looks wonky, do not use it. If someone’s looking over your shoulder to see your PIN, protect it. “Just watch your back,” Krebs said.
Silver is a writer based in Chicago. Find her on Twitter: @K8Silver.