How does ATM skimming work?


Money Scam Pictures In ATM skimming, thieves use hidden electronics to steal your personal information -- then your hard-earned cash. See more pictures of money scams.
©iStockphoto.com/Getty

In 2008, more than $1 billion was stolen in ATM-related crimes [source: ADT]. Sure, some thieves take the old-fashioned route and crack them right open, but there's a much quieter, high-tech form of theft targeting ATMs. It's called skimming.

ATM skimming is like identity theft for debit cards: Thieves use hidden electronics to steal the personal information stored on your card and record your PIN number to access all that hard-earned cash in your account. That's why skimming takes two separate components to work. The first part is the skimmer itself, a card reader placed over the ATM's real card slot [source: Krebs]. When you slide your card into the ATM, you're unwittingly sliding it through the counterfeit reader, which scans and stores all the information on the magnetic strip.

However, to gain full access to your bank account on an ATM, the thieves still need your PIN number. That's where cameras come in -- hidden on or near the ATMs, tiny spy cameras are positioned to get a clear view of the keypad and record all the ATM's PIN action [source: Walters]. Always pay attention to objects mounted on the ATM or located close by. A pinhole or off-color piece of plastic could give away the camera's hiding place. Cameras could even be hidden in brochure racks [source: Krebs].

Some ATM skimming schemes employ fake keypads in lieu of cameras to capture PIN numbers. Just like the card skimmers fit over the ATM's true card slot, skimming keypads are designed to mimic the keypad's design and fit over it like a glove. If you notice that the keypad on your ATM seems to protrude oddly from the surface around it, or if you spy an odd color change between the pad and the rest of the ATM, it could be a fake.

Unfortunately, there are even more ways for thieves to access your bank account via an ATM --and some of them don't even require skimming.

 

ATM Hacking and Data Theft

Can you guess what kind of credentials it takes to purchase an automated teller machine online? If you guessed "none whatsoever," you're right! All it takes is a quick look on eBay to see ATMs for sale that anyone could buy. If the seller is irresponsible, the ATM could even retain a list of users along with their personal data [source: Siciliano]. Security flaws have been discovered in some older ATM models, and if they're not updated, it's possible to access their sensitive data with a default administrator password [source: Poulsen].

If hackers or skimmers gain access to the information stored on your debit card's magnetic strip, they may be able to make purchases without bothering to discover your PIN. ATM withdrawals require the PIN number, but online retailers don't need it -- and some of them don't ask for the debit/credit card security codes, either [source: Schwartz]. Skimmers who successfully obtain both your PIN number and debit information will transfer your data to a blank debit gift card, then use it at an ATM to make withdrawals [source: Schultz].

No matter how you look at it, ATM skimming is a serious problem. Between April and May 2009, a skimming operation targeted four Bank of America locations in Long Island, New York, stealing a grand total of $217,000 from 100 to 200 accounts [source: Gardiner]. And while it's important to be wary of skimming, keep in mind that banks like Bank of America will reimburse customers who find their accounts wiped out by thieves wielding skimmers and cloned debit cards.

If ATM skimming is so serious and high-tech now, what dangers do we face with our debit and credit cards in the future? The next evolution for credit cards revolves around RFID tags -- and those can be skimmed, too.

Skimming RFID Credit Cards

RFID cards allow users to "tap and go" when they pay because the information is transmitted wirelessly.
RFID cards allow users to "tap and go" when they pay because the information is transmitted wirelessly.
Getty/Thomas Cooper

In 2006, a team of Massachusetts researchers built a simple device to read the data on RFID-equipped credit cards. RFID cards allow for a "tap and go" style of payment because the information is transmitted wirelessly. The worry, of course, is that data transmitted wirelessly can be intercepted or easily accessed from an outside source. The Massachusetts researchers were able to skim a name, card number and expiration date off an RFID credit card with their device, which they built with about $150 worth of readily available electronics [source: Schwartz].

Theoretically, a skimmer could build such a device and walk through a crowd, lifting information from nearby credit cards with RFID tags. But here's the good news -- the cards tested in Massachusetts were old, first-generation models with little or no security protection. Newer cards use encryption or transmit "dummy numbers" that are only good for a single transaction [source: Schwartz]. To date, there are no reports of RFID tag skimming. Of course, as RFIDs become more and more prevalent in credit cards, who knows what inventive skimming methods hackers will develop. Read on for more information on how ATM machines and how to protect yourself from identity theft.

Related HowStuffWorks Articles

More Great Links

Sources

  • ADT. "ADT Anti-Skim™ ATM Security Solutions." (Oct. 6, 2010).http://www.adt.com/medium_large_business/security_solutions/solutions_by_industry?wgc=financial_institutions/anti-skim
  • ClarkHoward.com. "ATM skimmer scam back with increased sophistication." July 27, 2010. (Oct. 13, 2010).http://clarkhoward.com/liveweb/shownotes/2010/07/27/18931/
  • Gammon, Katharine. "ATMs by the Numbers." August 24 2009. (Oct. 6, 2010). http://www.wired.com/culture/culturereviews/magazine/17-09/st_atms
  • Gardiner, Sean. "$217,000 'Skimmed' From ATMs." June 9, 2010. (Oct. 5, 2010).http://online.wsj.com/article/SB10001424052748703302604575295082741170878.html
  • Krebs, Brian. "ATM Skimmers, Part II." February 2, 2010. (Oct. 5, 2010). http://krebsonsecurity.com/2010/02/atm-skimmers-part-ii/
  • Krebs, Brian. "Fun with ATM Skimmers, Part III. May 7 2010. (Oct. 5, 2010).http://krebsonsecurity.com/2010/05/fun-with-atm-skimmers-part-iii/
  • Krebs, Brian. "Would You Have Spotted the Fraud?" Jan. 15, 2010. (Oct. 5, 2010).http://krebsonsecurity.com/2010/01/would-you-have-spotted-the-fraud/
  • McCullagh, Declan. "Security researcher demonstrates ATM hacking." July 28, 2010. (Oct. 4, 2010)http://news.cnet.com/8301-1009_3-20012019-83.html
  • Patton, Phil. "The Bucklands Boys and Other Tales of the ATM." (Oct. 6, 2010).http://www.wired.com/wired/archive/1.05/atm_pr.html
  • Poulsen, Kevin. "Former Con Man Helps Feds Thwart Alleged ATM Hacking Spree." May 4, 2010. (Oct. 4, 2010).http://www.wired.com/threatlevel/2010/05/thor/
  • Schultz, Jennifer Saranow. "How to Spot an A.T.M. Skimming Device." June 9, 2010. (Oct. 5, 2010).http://bucks.blogs.nytimes.com/2010/06/09/how-to-spot-an-a-t-m-skimming-device/
  • Schwartz, John. "Researchers See Privacy Pitfalls in No-Swipe Credit Cards." Oct. 23, 2006. (Oct. 6, 2010). http://www.nytimes.com/2006/10/23/business/23card.html?_r=2
  • Siciliano, Robert. "ATM Skimming Identity Theft Reaches $1 Billion in Losses." Sept. 9, 2009. (Oct. 6, 2010).http://www.huffingtonpost.com/robert-siciliano/atm-skimming-identity-the_b_280100.html
  • Siciliano, Robert. "NY ATMs Get Whacked: How Secure Are You and That ATM Transaction?" June 10, 2010. (Oct. 6, 2010).http://www.huffingtonpost.com/robert-siciliano/ny-atms-get-whacked-how-s_b_606019.html
  • Walters, Chris. "Here's What A Card Skimmer Looks Like On An ATM." April 19, 2009. (Oct. 5, 2010).http://consumerist.com/2009/04/heres-what-a-card-skimmer-looks-like-on-an-atm.html
  • Zetter, Kim. "Video: Bank Customers Foil ATM Skimmer." Sept. 24, 2010. (Oct. 6, 2010).http://www.wired.com/threatlevel/2010/09/skimming-video/