In the security industry, a skimmer has traditionally referred to any hardware device designed to steal information stored on payment cards when consumers perform transactions at ATMs, gas pumps and other payment terminals. More recently, the use of the term has been extended to include malicious software or code that achieves the same goal on e-commerce websites by targeting payment card data inputted during online purchases.
Whether hardware- or software-based, skimmers are tools that enable fraud. The data they capture is used to either clone physical payment cards or to perform fraudulent card-not-present transactions online.
Physical skimmers are designed to fit specific models of ATMs, self-checkout machines or other payment terminals in a way that is hard to detect by users. Because of this, they come in different shapes and sizes and have several components.
There is always a card-reading component that consists of a small integrated circuit powered by batteries. It is usually contained in a plastic or metal casing that mimics and fits over the real card reader of the targeted ATM or other device. This component allows criminals to get a copy of the information encoded on a card’s magnetic strip without blocking the real transaction the user is trying to perform.
A second component is usually a small camera attached to the ATM or a fake PIN pad that covers the real one. The purpose of this component is to steal the user’s PIN, which, along with the data stolen from the magnetic strip can enable criminals to clone the card and perform unauthorized transactions in countries where swipe-based transactions are still widely used.
However, as many countries around the world have moved to chip-enabled cards, criminals have adapted, too, and there are now more sophisticated skimmer variations. Some skimming devices are slim enough to insert into the card-reading slot — this is known as “deep insert.” Devices called “shimmers” are inserted into the card-reading slot and are designed to read data from the chips of chip-enabled cards, though this is effective only against incorrect implementations of the Europay, Mastercard and Visa (EMV) standard.
Skimmers can also be installed completely inside ATMs, typically by corrupt technicians or by drilling or cutting holes into the ATM cover and covering them with stickers that appear to be part of the intended design. A Visa report shows pictures of several types of physical skimmers found on ATMs around the world as well as modified standalone point-of-sale (POS) terminals sold on the underground market that can be used to steal card data.
Because of the large variety of skimming devices, there isn’t any single way that consumers can avoid becoming a victim. Recommendations include:
Software-based skimmers target the software component of payment systems and platforms, whether that’s the operating system of POS terminals or the checkout page of an e-commerce website. Any software that handles unencrypted payment card details can be targeted by data skimming malware.
POS malware, also known as RAM scraping malware, has been used to perpetrate some of the largest credit card data thefts in history, including the 2013 and 2014 breaches at Target and Home Depot that resulted in tens of millions of cards being compromised.
POS terminals have specialized peripherals such as card readers attached to them, but otherwise are not very different from other computers. Many use Windows and run cash-register-type applications that record transactions.
Hackers gain access to such systems through stolen credentials or by exploiting vulnerabilities and deploy malware programs on them that scan their memory for patterns matching payment card information — hence the RAM scraping name. Card data, except for the PIN, is generally not encrypted when passed from the card reader to the application running locally, so it can be easily copied once identified in memory.
In recent years, POS vendors have started to implement and deploy point-to-point encryption (P2PE) to secure the connection between the card reader and the payment processor, so many criminals have shifted their attention to a different weak spot: the checkout process on e-commerce websites.
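As an added illustration of the two paragraphs above (not code from the article), here is a defensive data-discovery scan of the kind used in PCI DSS assessments and incident response to confirm whether plaintext Track 2 card data is resident in a process memory image. It runs over two constructed buffers: one where a legacy reader hands the application plaintext track data, and one where a P2PE reader delivers only an opaque encrypted blob (a constructed placeholder, not real ciphertext), so the same scan recovers nothing. Findings are masked to the first six and last four PAN digits.

```python
import re

# Track 2 layout (ISO 7813): ;PAN=YYMM<service code><discretionary data>?
# PAN is 13-19 digits; the Luhn check below filters digit runs that merely look like one.
TRACK2_RE = re.compile(rb";?(\d{13,19})=(\d{2})(\d{2})(\d{3})\d*\??")


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check on a candidate PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_track2(buf: bytes) -> list:
    """Return masked Track 2 findings located in a memory buffer."""
    findings = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if not luhn_ok(pan):
            continue  # random digits, not a card number
        findings.append({
            "pan_masked": pan[:6] + "*" * (len(pan) - 10) + pan[-4:],
            "expiry": f"{m.group(3).decode()}/{m.group(2).decode()}",  # MM/YY
            "service_code": m.group(4).decode(),
            "offset": m.start(),
        })
    return findings


# Constructed buffers standing in for what a POS application holds in RAM.
# Legacy path: the reader hands the app plaintext Track 2 (4111... is a well-known test PAN).
PLAINTEXT_BUFFER = (
    b"\x00\x00txn=0042\x00;4111111111111111=26051011234567890?\x00"
    b"junk 1234567890123456=2605101 not a card\x00"  # fails Luhn, must be ignored
)
# P2PE path: the reader encrypts at the read head; the app only ever sees an opaque blob.
P2PE_BUFFER = b"\x00\x00txn=0042\x00" + bytes.fromhex(
    "9f3a77c1e02b4d5a88f1c3e6b2a4d7f0113355779bbddff0a1b2c3d4e5f60718"
) + b"\x00"


def p2pe_demo() -> tuple:
    """Card records recoverable from the legacy buffer vs. the P2PE buffer."""
    return len(find_track2(PLAINTEXT_BUFFER)), len(find_track2(P2PE_BUFFER))
```

Running `p2pe_demo()` returns `(1, 0)`: the scan that succeeds against the legacy buffer has nothing to match once the reader encrypts before the data reaches application memory.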
Web skimming has affected hundreds of thousands of websites to date, including high-profile brands such as British Airways, Macy’s, NewEgg and Ticketmaster.
Consumers can’t do much to directly prevent such compromises because they don’t control the affected software, whether that’s the software in POS terminals or code present on e-commerce websites. It’s the responsibility of the merchants and their technology vendors to provide a safe shopping experience, but consumers can take some actions to reduce the risk their own cards will be exposed or to limit the impact if a compromise does happen:
This story, “Credit card skimmers explained: How they work and how to protect yourself” was originally published by
Lucian Constantin is a senior writer at CSO, covering information security, privacy, and data protection.
Copyright © 2020 IDG Communications, Inc.