Credit card skimming is a major threat to credit and debit card users. Here's what you need to know about this increasingly common form of financial fraud.

Credit card fraud is a common problem these days. If it hasn't happened to you, we guarantee you know someone who has been a victim.

Usually, you're never aware it's happening until your card gets declined when you should have an account full of money, or your bank calls to check that it's definitely you racking up some serious purchases on your card.

Skimming, a form of high-tech financial fraud, is on the rise worldwide. It relies on sophisticated data-reading electronics to copy the magnetic stripe information from your credit card or debit card. It can capture both your credit card number and your PIN. And it's happening not just at restaurants and bars, but petrol pumps and ATM machines.

Credit card fraud: High-tech theft

Today a criminal merely has to slip an electronic magnetic strip reader over the existing card slot at an ATM, or replace a card reader at the tills in a shop. When you slide your plastic in, the skimming device reads it first, and then the actual card reader does - at which point the transaction proceeds as expected. But now a crook has an exact copy of your card data without your even realising it.

Older card-skimming devices required criminals to return and collect the information periodically, exposing them to risk of discovery. But newer skimmers can broadcast the card data to the thieves either by Bluetooth (which has a short range) or by GSM cellular. This enables the thieves, who may be sitting in a car nearby or in a building on the other side of the planet, to capture the account numbers live as the account holder makes a purchase or a withdrawal.

Credit card fraud: Pay at the pump

Petrol stations may be the most vulnerable locations, especially since more and more are offering automated (and unmanned) pay at the pump services, giving criminals plenty of opportunity to embed skimming devices in them late at night. In the US, skimming attacks became so prevalent in Arizona in 2009 that the governor ordered police forces to inspect petrol stations along major roads.

Credit card fraud: ATMs problematic, too

ATMs are vulnerable for the same reasons that petrol pumps are: They're exposed and unattended. Criminal organisations have targeted ATMs throughout Europe. In a presentation at Black Hat USA 2008, security researchers Nitesh Dhanjani and Billy Rios showed pictures of a warehouse full of ATM card readers and keyboards, in moulded plastic of every colour to match any ATM on the market today.

Responding to the threat, South Africa's Absa bank experimented with adding pepper spray anti-tampering systems at 11 of its most commonly skimmed ATMs; unfortunately, maintenance crews attempting to service the machines have sometimes triggered the spray.


Credit card fraud: Elusive PINs

Collecting credit card data is a relatively simple matter of capturing the account number. But debit cards are even more desirable to thieves because the bad guys can plunder a bank account quickly and completely without the account holder realising what's happening. The card networks monitor credit card usage, and they have rigorous risk- and fraud-prevention policies in place. In contrast, debit cards are linked directly to a bank account, though obtaining the PIN associated with a debit card is somewhat more difficult.

The most common high-tech ways to steal PINs are with tiny cameras mounted within a fish-eye mirror and with an electronic mesh overlaid on the keyboard. Criminals are often caught while mounting or removing such cameras, but recently they've figured out less obvious ways to steal PINs.

PINs are usually four digits long. When you key in your PIN, software at the ATM or point of sale automatically converts it using a one-way algorithm called a hash. Then, if someone captures the data stream, they'll see only the resulting hash value, not the original four or six digits. By itself, a hashed PIN is a useless string of numbers. You can't type in the hashed PIN as it appears on your debit card or within a database inside a bank network, because those digits will be converted into yet another value. Instead, you have to find a way to generate that hash value, and until recently that wasn't practical.

In 2008 the FBI disclosed that attackers had used the PINs of US Citibank account holders during a crime spree in New York. According to the FBI documents, attackers had located the PIN data in a data breach, analysed and decrypted the algorithm used, and then generated a table of all the possible four- and six-digit PIN codes that that algorithm might produce - what's called a Rainbow Table in cryptography. The criminals didn't have to match an accountholder's PIN exactly; they only needed the four digits that would produce the same hash value.
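Why a hash alone does not protect a four-digit PIN, as an added example that is not from the original article: SHA-256 and HMAC stand in for the algorithm the article leaves unnamed, and the PIN, account labels and keys are constructed sample values. With only 10,000 possible inputs, an unkeyed digest can be matched by simple enumeration, while a digest keyed with a secret and bound to the account cannot be matched by anyone who lacks that key.

```python
import hashlib
import hmac
import os


def unkeyed_hash(pin: str) -> str:
    # Assumption: SHA-256 stands in for the unnamed one-way algorithm.
    return hashlib.sha256(pin.encode()).hexdigest()


def keyed_hash(pin: str, account: str, key: bytes) -> str:
    # Hardened form: a secret key and the account number both feed the digest,
    # so the stored value cannot be recomputed without the key.
    msg = f"{account}:{pin}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def matching_pins(stored: str, hash_fn, digits: int = 4) -> list:
    """Return every PIN of the given length whose digest equals `stored`."""
    space = (f"{n:0{digits}d}" for n in range(10 ** digits))
    return [pin for pin in space if hash_fn(pin) == stored]


def demo() -> dict:
    server_key = os.urandom(32)   # constructed; in practice held in an HSM
    other_key = os.urandom(32)    # what a party without the real key would have
    pin, acct_a, acct_b = "4831", "ACCT-A", "ACCT-B"  # constructed samples

    weak = unkeyed_hash(pin)
    strong_a = keyed_hash(pin, acct_a, server_key)
    strong_b = keyed_hash(pin, acct_b, server_key)

    def guess(p):
        # Enumeration attempt made with the wrong key.
        return keyed_hash(p, acct_a, other_key)

    return {
        # Unkeyed: the whole 10,000-entry space is checked and the PIN falls out.
        "weak_matches": matching_pins(weak, unkeyed_hash),
        # Keyed: the same enumeration without the real key finds nothing.
        "strong_matches": matching_pins(strong_a, guess),
        # Same PIN on two accounts no longer yields the same stored value.
        "same_pin_differs_per_account": strong_a != strong_b,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```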

Credit card fraud: Royal Bank of Scotland

Even if criminals can reproduce the encrypted hash value, they cannot withdraw more than a certain amount during a single transaction or within a certain period - unless someone inside the bank's network adjusts those values. That happened on November 8, 2008, when a gang of criminals robbed the US payment processing arm of The Royal Bank of Scotland group, RBS Worldpay, from both the inside and the outside. Within a 12-hour window they withdrew an estimated $9.4m from ATMs in 230 cities across the globe. Meanwhile, someone else on the inside increased the daily withdrawal limits on individual accounts - in one instance to half a million dollars.

An Estonian suspect was extradited to the US in August 2010. Another suspect, 28-year-old Victor Pleshchuk, received four years' probation from a Russian court the following month. A third, unnamed suspect remains at large.

Credit card fraud: Protect yourself at an ATM

Since the 2008 attacks, banks and credit card networks have improved their back-end security systems considerably. ATM manufacturers now offer better data protection through updated technology. For instance, privacy filters cause ATM screens to blur when viewed at an angle, to prevent over-the-shoulder eavesdropping. Some ATMs sink the keyboard to prevent spy cameras from seeing your PIN, and jiggle inserted cards to prevent skimmers from reading them.

Even so, when standing at an ATM, if you have any reason to suspect that the machine may be compromised, don't use the machine. You may want to run your finger along the card slot to see whether anything comes loose or feels mismatched. If so, report it to the bank and find another ATM to handle your transaction.

Credit card fraud: Safety at the point of sale

Compromises at point-of-sale terminals are much harder to detect, especially at petrol pumps. Your safest course is to use a credit card instead of a debit card when paying for petrol, since the card networks will detect and stop fraud quickly. Credit card consumers are often covered by zero liability programs; but with debit cards, that may not be the case, depending on your bank.

Skimming is just the latest scam. As word gets out - and as the payment and ATM industry gets wiser - the criminals will move on. Until then, it's caveat emptor: Let the buyer - or card user - beware.
