Anatomy of an ATM Skimmer Scam

Skimmers could steal your financial information at the ATM—or even at your local supermarket. Here's how to protect yourself.

You may already know that its important to protect your financial information when you shop online. But a high-tech threat can steal your credit card information when youre out shopping around town. Scammers can steal your ATM or credit card information without your even noticing, and the technology behind their tricks is getting more and more advanced.

The crime called credit card skimming has become increasingly common in the past few years. In fact, authorities recently uncovered a large, sophisticated skimming operation where scammers attached their devices onto the self-checkout machines at 24 Lucky supermarkets in Northern California. The scam caught hundreds of customers who used the self-checkout machines in October and November 2011 and had their account information stolen.

Obviously, skimmers are a serious security threat. But how exactly do these devices work, and how do you protect yourself from them?

How a Skimmer Operates

Credit card skimmers are essentially devices that thieves place over the actual card readers on an ATM or credit card terminal to collect your financial information for fraudulent use. As your card passes through it, that skimmer reads your cards magnetic strip, thereby collecting your cards information. Beyond that, though, a surprising amount of variation exists in the hardware and exact methodology behind these scams.

The hardware itself can range from small, cheap skimmers that can be spotted fairly easily to elaborate 3D-printed rigs that are almost indistinguishable from an actual ATM.

Skimmers also vary wildly in exactly how they collect your information. Just collecting your card number isnt enough, so most skimmers also include some way to capture and store your PIN and your cards security code (typically a three-digit code thats found on the back of your card). Some skimmers include a false keypad thats placed atop the actual keypad that collects your PIN, but newer devices utilize harder-to-detect pinhole cameras mounted above the keypad--cameras that collect images of you entering your personal information.

The skimming devices can store the information locally and be physically picked up by criminals, but more and more of these devices transmit information to their owners. Some skimmers simply connect to a phone line, but skimmers that send information wirelessly are becoming more common. Some will even transmit data information to the scammers cell phone via Bluetooth.

Steps to Protect Yourself

With all these tools at criminals disposal, it can seem impossible to protect yourself from an skimming operation. Fortunately, you can take a few simple steps to avoid falling prey to skimmer scams. The first and most obvious is to take a careful look at an ATM before you use it. It takes an expert to spot the most sophisticated skimmers, but those are the exception and not the rule.

Be suspicious if something looks like its sticking out too far or if it doesnt match with the rest of the machines design. Many skimmers are fairly shoddy pieces of equipment that are weakly tacked onto to the card reader. Kevin Haley, director of Symantecs Security Technology & Response Team, says you shouldnt be afraid to get physical. I wouldnt hesitate to pull on something if it looks like it doesnt belong, he told PCWorld. Before you insert or swipe your card, give the reader a good tug, or jostle your card around the slot to see if anything is loosely attached.Even if you dont think an ATM or credit card terminal has a skimmer attached to it, you should take some basic security precautions. Pinhole cameras can be almost impossible to detect, but theyre also fairly easy to thwart. The next time youre entering your PIN just use your free hand to block the view of you entering your PIN. That way, a camera mounted above the PIN pad cant tell what youre entering, which will help prevent criminals from being able to access your bank account.

Other warning signs you should watch for may not involve the device itself. Beth Givens, the director of the Privacy Rights Clearinghouse, says you should also be on the lookout for anybody hanging around your ATM for long periods of time--some skimmers need someone nearby to collect captured information. Also, avoid using ATMs in isolated locations that dont seem to be part of a store or financial institution. Scammers have been known to set up entire false ATMs on occasion. (In 2009, attendees at the Defcon hacker conference in Las Vegas spotted a fake ATM at a hotel.)

As always, pay close attention to your credit card bill and bank statements--fraudulent charges or unauthorized cash withdrawals are often the first indication that your account information has been stolen. If you see such unauthorized charges or withdrawals on a statement, contact your bank or financial institution as soon as possible. By keeping a vigilant eye on your ATM and on your credit card bill, even the most sophisticated credit card scam shouldnt be able to cause you too much grief.

Copyright © 2012 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)