
This is the devious way thieves can steal your credit card number — and how you can stop it

[Image: ATM deposit. Credit: Flickr / Stephen Rhodes]

Criminals have the technology to make high-profile bank robberies obsolete. 


One of the most devious ways thieves have for stealing credit cards and other data is with point-of-sale (POS) "skimmers" — devices that grab your info as you swipe at a store or ATM. And unfortunately, they've gotten much more sophisticated in recent years.

Here's how they work.

Skimming usually works in one of two ways. In a place like a restaurant, an employee might take a credit card out of sight and run it through a skimmer to capture the info before running it through the normal sales system. But in places like a gas station or ATM, criminals can place devices right over a real terminal to grab the data and run the transaction at the exact same time.

This is what one skimmer looks like:

[Image: POS skimmer. Credit: YouTube/KrebsOnSecurity]

As you can see, the skimmer is virtually indistinguishable from the real thing. Criminals can place a device like this over the top and leave it.

Usually, there's a memory bank inside that saves transaction information, card numbers, keystrokes, and whatever else. Then later, the thieves can come back to reclaim the skimmer and go home and download the data. Or in some cases, they can set up a skimmer that transmits the data back to them wirelessly — no need to return to the scene of the crime.

Security researcher Brian Krebs has an entire series on the many different types of skimmers, showcasing everything from small devices that intercepted transactions at Nordstrom to ATM skimmers that send a text message with card info to the attacker's cell phone.

Though there are many types, skimmers are increasingly being found on the "dark web." On some underground market sites, the devices can run anywhere from a few hundred to several thousand dollars, depending on their level of sophistication. 

[Image: POS skimmer listing on the dark web. Credit: Paul Szoldra (screenshot via AlphaBay Market)]

Interestingly, some of these devices are installed at retail outlets not by criminals, but by the businesses themselves. "Such was the case that made the news this August," a report from Trend Micro said. "A company reportedly sold the modified devices to a number of small restaurants and hotels. Investigators found 1,100 sets of stolen card information stored in the company's servers."

It's a relatively new scam that Chinese cybercriminals have used to great effect, as the Trend Micro report showed.

So how do you protect yourself?

While skimmers get more sophisticated, there are still ways you can keep your data safe from criminals. Many of them boil down to common sense.

Before you swipe your card, do a check on the machine you are using: Are there loose parts or tape on the sides? This may be a sign the device has been tampered with.


"If you're looking at the ATM and it looks a little loose, or you see scratches or sticky tape residue," Steven Weisman, an expert on scams and identity theft, told CreditCards.com. "I kind of pick around with my fingernail at the keypad to make sure there is not another keypad on top of it."

Some ATM skimmers use tiny pinhole cameras that look down at the keypad to record PIN numbers. Though the cameras can be tough to spot, the easiest way to beat them is to cover your fingers as you type in your four-digit number. 

"I was surprised to see that out of the dozens of customers that used the compromised cash machines," wrote Brian Krebs of video footage he watched from one of these cameras, "only one bothered to take the simple but effective security precaution of covering his hand when entering his 4-digit code."

You'll want to be extra cautious at unfamiliar or outdoor ATMs, since these are easier targets. Having to go inside a bank with cameras all around makes indoor ATMs a little bit safer from thieves. But besides the physical prevention steps, you can also stay a step ahead by keeping an eye on your credit report and bank statements, and opting for credit purchases instead of debit when possible.


"Whether going to an ATM machine or making purchases in a store, use a credit card," Mike Prusinski, senior vice president for LifeLock, told CreditCards.com. "That's the bank's money, so you're not liable for it. If somebody went and rang up $2,000 worth of charges, once you proved they weren't you, really all you are out is the time of proving it wasn't you."
