Despite physical and electronic security measures, criminals search for vulnerabilities and opportunities to steal data in “skimming” and “shimming” scams that impact ATMs and point-of-sale (POS) terminals. Below, we outline how these scams work and equip you, both as a branch or business and as an individual consumer, with the knowledge to recognize and deter them and to ensure branch security.
What are “skimming” and “shimming”?
Per Lexington Law, “Both skimming and shimming require the fraudster to attach or insert a mechanism into a card reader in order to gather the information. These can be tricky to spot for unsuspecting consumers, but understanding how they work will help you be more aware the next time you insert your credit or debit card.”
In its simplest terms, ATM skimming is payment card fraud. Not only can this happen at banks and credit unions, but it can occur at gas pumps and other POS terminals where cards are frequently swiped. Criminals often shy away from high-traffic areas, targeting more remote areas or tourist spots, where their installation is less likely to be noticed.
When a skimming scheme is fully executed, the culprit collects card and PIN numbers, later using that information to create fraudulent cards and subsequently make purchases. In the United States, the punishment for those caught skimming varies by state; however, in all cases, the penalty includes a hefty fine (into the hundreds of thousands of dollars) and jail or prison time, depending upon the magnitude of the infraction.
Bankrate offers figures on the impact of skimming: “It’s a scam that costs consumers and U.S. financial institutions more than $1 billion each year.” They add, “[Cybersecurity executive Nathan Wenzler] notes that advancements in 3-D printers that can replicate an ATM’s card reader are making skimming cheaper, easier and more accessible to less sophisticated criminals.”
The FBI explains how criminals typically accomplish skimming. Check for these signs to ensure your ATMs or ITMs, and subsequently your customers, do not fall victim:
- ATM skimmer devices usually fit over the original card reader.
- Some ATM skimmers are inserted in the card reader, placed in the terminal, or situated along exposed cables.
- Pinhole cameras installed on ATMs record a customer entering their PIN. Pinhole camera placement varies widely.
- In some cases, keypad overlays are used instead of pinhole cameras to record PINs. Keypad overlays record a customer’s keystrokes.
- Skimming devices store data to be downloaded or wirelessly transferred later.
The Lexington Law resource further defines shimming, explaining how this process has adapted from magnetic stripes to chips. “Credit card shimming works by inserting a small device called a ‘shim’ into a card reader. Unlike skimmers—which were typically bulky and easily detectable if you knew what to look for—shims are small and subtle.
Whenever a chip-enabled card is inserted into the reader, the shim collects its data. Then, the scammer collects this data by inserting what looks like a regular card into the reader. This makes it difficult to spot suspicious activity, as it appears the scammer is making a regular transaction.” While the chip cannot be replicated, the data collected can be turned into a fraudulent card with a magnetic stripe.
How do I prevent skimming and shimming and ensure branch security?
As an individual consumer, you can prevent falling prey to these scams by touching the card slot to ensure it doesn’t move, checking the keypad for consistency in material and color, and regularly monitoring your account transactions online. ATM Marketplace also suggests using cardless technology such as phones and smartwatches to transact at your local ATM, ITM, or point of sale: “Cardless ATMs are increasingly popular, largely because the technology makes it much more difficult for fraudsters to steal data, as there is nothing to read. Over 50% of respondents in the ATM Marketplace study said they will support cardless transactions and single use PINs in the coming years.” Lastly, if you do use a card, ensure that the machine returns it upon completion of your transaction.
As a financial institution, you carry a greater responsibility to protect your clients. It is necessary to observe and protect your ATM or ITM fleet to ensure that the machines remain untampered and your customers remain secure. You can regularly check for the above signs to ensure that no skimming or shimming devices have been installed. In addition, we propose the following products for optimal transactional and branch security:
- ATMs or ITMs with anti-skimming and anti-shimming technology. Wittenbach recommends the Hyosung 8300-series, whose modern design can detect a malicious installation. Typically, anti-skimming and anti-shimming technology means that a machine emits an electromagnetic pulse that prevents unwanted devices from reading magnetic stripe or chip data. Currently available models include the MX8300D drive-up ITM, the MX8300I island-format ITM, and the MX8300T through-the-wall unit.
- Network Video Recorder (NVR) surveillance systems. When potential criminals notice cameras inside and outside your building, they are less likely to tamper with your ATM, ITM, or POS system. Systems such as the Verint EdgeVR can also serve to catch perpetrators, as they employ facial recognition technology that can scan against facial databases, and back up data to the cloud so you can view it from any device, anywhere.
Criminal technology is always evolving, and the understanding of how to protect your financial institution and your customers from it must proportionally evolve. Wittenbach can outfit your branches with an ATM or ITM fleet that is fortified against skimming and shimming scams; contact us today to discuss your branch security needs!