FDIC Consumer News - Winter 2018
Beware of ATM, Debit and Credit Card ‘Skimming’ Schemes
How to help protect yourself from high-tech thieves who steal account information
You may have heard in the news that automated teller machines (ATMs) are being targeted by criminals who secretly attach high-tech devices to the machines in order to record consumers' keystrokes and steal or, as it is sometimes called, "skim" personal identification numbers (PINs) along with credit or debit card account numbers. In addition, criminals are known to add similar devices to credit or debit card readers at checkout registers, especially at gas stations, convenience stores or other merchants where customers may be in a hurry and not notice or take the time to report something suspicious.
"Security experts and law enforcement officials warn that card skimming is present in many communities," said Michael Benardo, manager of the FDIC's Cyber Fraud and Financial Crimes Section. "With the information that can be skimmed, a thief can go on an online shopping spree or sell that valuable data to other con artists."
And how do thieves retrieve the data they gather? Some return to the scene of the crime to remove their devices, while others can communicate electronically with their hardware using a laptop or mobile phone and wireless connections.
Through the years, FDIC Consumer News has warned readers to be on the lookout for keystroke-recording devices on ATMs or checkout registers.
Here's a reminder of the different kinds of skimming devices and what to look for:
Card-reader overlays: The most common ATM skimmer, and perhaps the easiest device to detect, is the card-reader overlay. It is made of plastic and fits over the slot where you insert your card. As you insert your card, the device reads the data from your card and stores it. How can you tell if there's an overlay hiding an illegal card reader? "Before inserting your card, look at the card reader for signs it has been altered," said Amber Holmes, a financial crimes information specialist with the FDIC. "Be suspicious if your card doesn't easily go into the machine or if the card reader appears loose, crooked or damaged, or if you notice scratches, glue, adhesive tape or other possible signs of tampering."
Hidden cameras: While banks typically have security cameras near their ATMs to keep an eye on the area, thieves sometimes hide tiny cameras on or around ATMs. "If positioned correctly, a brochure holder on an ATM is the perfect place to hide a mini-camera that can record PIN numbers as customers type them," warned Benardo. "Also check for tiny holes in the ATM housing or in something else that looks like it was hastily stuck onto the ATM to cover a small camera."
PIN-capture overlays: Criminals have been known to attach dummy keypads over an ATM's real keypad to record and capture PIN numbers as they are entered. The keypad might be fake if it looks too thick or different from what you're used to seeing.
Fake ATM faceplates: Some thieves go as far as placing a fake ATM cover that could contain card-reader overlays, hidden cameras and PIN-capture overlays over some or all of a real, fully operating machine. "The best way to determine if an ATM has a false cover is to look for flaws like loose wires, seams that are not flush and slots or keypads that look out of place," said Holmes.
What should you do if you believe your debit or credit card account has been compromised?
There are consumer protection regulations that can help. For example, the Electronic Funds Transfer Act (EFTA) and the Consumer Financial Protection Bureau's (CFPB's) "Regulation E" limit a consumer's liability for losses from unauthorized transactions using his or her ATM or debit card or card numbers. If your debit card or the card number is used to make an unauthorized withdrawal from a checking or savings account, you can minimize your losses by contacting your bank as soon as possible. Your maximum liability under the EFTA is $50 if you notify your bank within two business days after learning of the loss. If you wait longer, you could lose more, according to the law. If it's your credit card number that is used without your authorization, your liability is normally capped by the Truth in Lending Act (TILA) and the CFPB's "Regulation Z" at $50 for all unauthorized transactions, and remaining credit card losses are typically absorbed by the card issuer.
"Even consumers who know the telltale signs of a skimming device may inadvertently use an ATM or a sales terminal that has been tampered with. That's why it's great to know that there are consumer protections available," said Tracie Greenway Morris, an FDIC senior community affairs specialist.
Some other worthwhile precautions you can take include:
- Do not use an ATM or a credit or debit card reader if anything looks suspicious, such as loose or extra parts. Alert the machine owner or the police immediately.
- Avoid ATMs in remote places, especially if the area is not well lit or not visible to security cameras and the general public. "ATMs in secluded locations are more likely to be altered," Benardo said.
- Go elsewhere if you see a sign directing you to only one of multiple ATMs in a location. It could be the machine that was tampered with by a crook.
- Shield the keypad with your hand when typing your PIN at the ATM or a retailer's checkout area. Doing so won't protect you from skimmers who use keypad overlays, but it will block the view of a hidden camera.
- Regularly check your bank and credit card accounts for unauthorized transactions, even small transactions that you think might not be worth reporting to your bank. "Thieves might make low-dollar withdrawals or charges as a way to test a counterfeit debit or credit card before they use it for big-dollar transactions," Holmes explained. "If you spot a potential problem, notify your bank as quickly as possible."
See additional tips in our Summer 2015 article on 10 ways to minimize fees and maximize security at the ATM. Also, the Federal Trade Commission has tips and information on what to do if your debit, credit or ATM card is lost or stolen.