Skimmers and Shimmers
Progress in the fight against identity fraud: the Department of Justice concluded several high profile skimmer/shimmer card fraud in the last several months, and as a result put away both international criminals as well as several domestic fraudsters for their part in the crimes. Speaking about one case in particular targeting gas pump card readers, Michael J. Driscoll, Special Agent in Charge of the FBI’s Philadelphia Division, said “The victims of this scheme never imagined that filling up their gas tanks could empty out their bank accounts. The FBI will continue to work with our partners to identify, track down, and take down criminal groups siphoning off other people’s money and personal information.”
Every time one of these criminal operations is exposed, we learn more about how they function and what techniques they use. From carefully crafted skimming devices to slick shimmer inserts, there is no doubt that the criminals are still one step ahead of us.
This month, we're sharing some news and information that can help your account holders be better informed about types of devices they might encounter when using card readers. We are also offering tips to identify situations where there might be at risk, and the best way to mitigate the impact should a credit or debit card become compromised.
Beware of Skimmers and Shimmers
You've probably heard about it on your local news over the last few years; criminals caught with equipment that allowed them to capture credit and debit card activity of unsuspecting consumers fueling up at the local gas station or using their cards at other outdoor accessible transaction terminals. These criminals are typically found with cash, devices, and hundreds of fake cards manufactured from the data they stole. Even more terrifying is that these seemingly local intrusions are almost always part of a larger international criminal enterprise.
In 2021, two cases involving international crime organizations using skimming devices were brought to a successful conclusion by the United States Department of Justice, one case involving ATM skimmers, and the other case involving skimmers installed on gas station pumps.
In each of these cases, the individuals involved had the technology, equipment, and techniques that allowed them to steal thousands of card numbers from unsuspecting consumers. Taking these criminals off the street is helpful, but busting them also led investigators to understand the real depth of this type of crime and the ever-evolving techniques the criminals are using to go undetected. Now it's time for all of us to get a little smarter to help stop this criminal activity.
Skimmers and Shimmers. What's the Difference?
According to the FBI skimming costs consumers and financial institutions over $1 billion annually. Skimmers are typically devices that are attached on top of the card reader of ATM machines, gas pumps, or outdoor drive-in fast food point of sale terminals and vending machines, and are sometimes indistinguishable from the real thing. These devices capture the information on the card's magnetic stripe as it passes through the skimmer on its way into the card reader. For ATMs, a hidden camera near the machine also captures keystrokes to identify the user's PIN. Instead of a camera, a more recent criminal innovation is the use of a touch-sensitive keypad overlay that may look like the keys themselves or a simple weatherproof covering. With the information gathered from a skimmer, criminals can replicate your card to sell to other fraudsters or use for fraud themselves.
As card security has become more sophisticated, so have the techniques of criminals. When most cards in the United States changed from magnetic stripe to EMV chip (Europay, MasterCard® and Visa®) criminals were challenged with a much higher level of security. However, fraudsters found that by carefully positioning, or shimming, an ultra-thin electronic component inside the card reader it would allow their device to record the information from the EMV chip on the card; thus, the "shimming" technique was born. Even though the criminal hasn't defeated the security features of the EMV chip, they are able to gather the same information that is on the magnetic stripe in a manner that is much more difficult to detect.
How to Detect a Skimmer or Shimmer Device
While owners of vulnerable transaction terminals try to secure their devices, and law enforcement continues to shut down these criminal enterprises, you can also play a part in stopping card fraud and identity theft. Follow these steps to detect when a card terminal may be at risk, and if you see something, say something!
Outdoor point of sale terminals, such as gas pumps, drive-in fast food purchase, vending machines, and ATMs are particularly vulnerable. One thing you can count on is that these devices are built to be sturdy. Before inserting your card, give the reader a tug. If there are any ill-fitting parts on the machine, don't insert your card. Report the terminal to the business owner immediately.
When you are at the gas pump or at the drive-in restaurant, look around at the other card readers. Fraudsters will often only have one or two skimmers that they will use at one time. If the card reader you are about to use looks different than the rest, consider using cash or paying with your card inside the business instead.
Gas stations and other businesses will use a security seal over the opening of the cabinet panel to show that the machine has not been tampered with since the last inspection. If the machine's panel has been opened, the label will read "void". If you see a machine with a voided security seal, or the panel is bent, loose, or open, report it to the business owner.
When using a vulnerable ATM, especially one that is located away from a bank building, consider the risk. If you can avoid using these machines you should.
Since skimmers and shimmers can be very hard to detect, the best defense is to check your account balance regularly to spot suspicious card transactions. If you think your card with <FINANCIAL_INSTITUTION> has been compromised <INSERT FRAUD REPORTING PROCESS HERE>.
Working together to create more secure interactions is critical. We’ll continue to improve card security while you remain vigilant in protecting your personal information.
Keep in mind, if you suspect identity theft at any time, you have access to an Identity Theft Recovery Advocate as a no-cost benefit of your <EMBEDDED ACCOUNT>. If you suspect identity theft has occurred, a professional is standing by to help you identify and reverse the damage to get your life back on track quickly. You can count on us.
Social Media Content
Use the following social posts below during the month of October to educate your account holders about skimmers and shimmers. This awareness may prevent one of your valued customers from becoming a victim of card fraud, and in the process limit the losses to your institution.
Post #1: Do you know how to detect a skimmer or shimmer? Or do you even know what they are? When using your credit or debit card at outdoor purchase terminals, these illegal devices can capture your card information for the purpose of fraud. Don't hesitate to give that card reader a tug to see if there is a false front, which may be a skimmer designed to collect your personal information. Criminals will also hide devices inside card readers, whether shimmed into the slot or inserted from inside the cabinet. Look for the security seal and if it says "Void" don't use it! #YourProtectionPartner
Post #2: Card skimmers may be in your local neighborhood right now. Be sure to check your transactions regularly via online banking or statements. The sooner you find out you've been a victim of card fraud, the sooner we can help. #YourProtectionPartner
Post #3: It's up to all of us to stay protected against identity theft, particularly in the case of payment card fraud. But if a criminal gets your payment card, they may not stop there. If you feel you may be a victim of identity theft we have professionals standing by to help you get your life back on track. #YourProtectionPartner