Penetration testing, also referred to as pen testing, is a simulation of a cyber attack that organizations conduct to identify security vulnerabilities within their systems. By
Updated on October 28, 2024.
A credit card skimmer is a device that is attached to an actual card reader by a threat actor. Skimmers are commonly used by cybercriminals at non-bank ATMs and at gas station fuel pumps. Most skimmers installed at fuel pumps are placed outside of the view of the station administrator. Threat actors use skimmers to scan the information on a victim’s debit or credit card so they can commit credit card fraud or create counterfeit cards to sell on the dark web.
One of the ways to test for credit card skimmers is by pulling on the credit card slot. Typically, the skimmer will easily pop off. If you remove a skimmer, it should be reported to law enforcement and turned over to them.
Continue reading to learn how credit card skimmers work and how you can spot them to avoid having your credit card information stolen.
Credit card skimmer vs shimmer: What’s the difference?
The main difference between a credit card skimmer and a credit card shimmer is that skimmers are placed on top of actual card readers and only read the magstripe (the black strip on the back of the credit card) when you swipe your card. Shimmers are placed inside of card readers. Shimmers are very thin devices compared to skimmers and cannot be seen from the outside. Unlike skimmers, shimmers only work when a person inserts their card into a card reader since it works by scanning the chip of a debit or credit card to steal its information.
While skimmers and shimmers work differently, their goal is the same – to scan and steal a person’s debit or credit card information so a threat actor can use it for malicious purposes.
How credit card skimmers work
Credit card skimmers work by a threat actor attaching the skimming device to a card reader. When a victim slides their card into a card reader to make a purchase, the skimmer scans their card at the same time as the merchant. The victim’s transaction goes through as normal, so they may not even notice their card has been skimmed until it’s too late.
When the skimmer scans a victim’s credit card, it steals the following information:
- Cardholder name
- Card number
- Expiration date
- Card Verification Code (CVC)
Once this information is skimmed, it’s sent to the threat actor via Bluetooth. The threat actor can then do anything they want with the stolen card information.
What happens if my credit or debit card is skimmed?
If your credit or debit card is skimmed, the information stolen could be used to commit credit or debit card fraud, steal your identity or create counterfeit cards.
Your card could be used to commit credit or debit card fraud
Credit and debit card fraud is when an unauthorized individual uses your debit or credit card information to make purchases without your permission. If you don’t notice credit card fraud right away, the threat actor could max out your credit card which can affect your credit score and impact what you can purchase in the future. Similarly, if you don’t notice debit card fraud right away, the threat actor could drain all the funds in your checkings account, leaving you with a zero or negative account balance.
You could have your identity stolen
Credit card fraud could just be the beginning. Now that a threat actor has your full name, they could look for more information about you. If a threat actor gathers enough information about you, you could be at risk of having your identity stolen. It can take a long time to recover from identity theft, depending on how much damage the threat actor causes.
Counterfeit copies of your debit or credit card could be created
Some threat actors may use your card’s skimmed information to create counterfeit cards. A counterfeit card is when threat actors create copies of your card using the card information that was stolen. This is possible because when a card is skimmed, threat actors can copy the data on the magnetic strip of the card and replicate it on another card.
Counterfeit cards allow threat actors to make purchases using your card information, both online and in person. Some threat actors even go as far as selling copies of your card to other individuals on the dark web to make a profit.
How to spot a credit card skimmer
Here are four ways you can spot credit card skimmers.
1. Check for a tampered security seal
Many gas stations now place security seals on the panel of gas pumps. When this seal is tampered with, the seal will read “void.” If you notice that a gas pump’s security seal looks tampered with, avoid using it. The Federal Trade Commission (FTC) has a picture showing what a tampered security label looks like. You can tell that a security label has been tampered with if it’s ripped in the middle or shows the word “void” on it.
2. Check for misalignments
Credit card skimmers are placed over actual card readers, so they may be noticeable if you look closely. If the card reader or terminal looks misaligned, it could be because it has a skimmer attached to it and is making the card reader look out of place. If you notice any kind of misalignment issues on a card reader or terminal, it’s best to avoid using it until you’ve investigated further.
3. Wiggle the card reader
A card reader at an ATM or gas station should never move when it’s wiggled, if it does move it could be because there’s a skimmer attached to it. Before inserting or swiping your card into a card reader, wiggle it to check if it’s safe. If the card reader moves, avoid it and use a different gas pump or ATM instead.
4. Compare it to other card readers
If you’re at a gas station, you should compare the card readers at different gas pumps before you insert or swipe your card at the pump you’re planning to use. This can help you determine if one of the card readers looks different from the others so you can avoid using the card reader at that gas pump.
How to avoid credit card skimmers
The best way to avoid credit card skimmers is to use your debit and credit card’s “tap to pay” feature. Most debit and credit cards now have an available feature called tap to pay that enables the user to tap their card when making purchases, rather than inserting or swiping their card.
You can also avoid paying with your physical card and use Google Pay or Apple Pay to make purchases online or in person. These options allow you to make purchases without exposing your card’s information, and as with tap to pay, all you have to do is tap your phone when paying.
Making purchases with tap to pay using your card or phone only works at merchants that support it, so you’ll still need to be able to spot a credit card skimmer in case a merchant you buy from doesn’t support the “tap to pay” feature.
Be wary of credit card skimmers and shimmers
Credit card skimmers and shimmers can place you at risk of various types of identity theft, but mainly credit card fraud. You must learn to spot skimmers to keep your money and your identity safe from theft.
If you believe you’ve been a victim of credit card fraud due to a skimmer, learn the steps you should take immediately to protect yourself and your credit.