Science

Don’t Ruin Your Fourth of July by Getting Your Bank Card Skimmed by Hackers

The holidays are prime card-skimming season.

by Matthew Phelan
 Rafael Castillo / Flickr

Independence Day is prime time for spending money in unfamiliar locales: at a beach community gas station, or a highway rest stop ATM, or a digital slot machine inside a sleazy Reno convenience store (What a life you lead!).

Regardless of where your celebrations take you, it would behoove you to keep in mind some simple advice to avoid card-skimming devices secretly installed by cybercriminals. 2016 alone saw a 70 percent spike in the number of payment cards that were compromised at ATMs, according to a report from FICO. Most of the time (60 percent), these hacks occur at non-bank ATMs.

So whether you’re being enlisted in a last-minute beer run or jogging back into town to grab some extra cash, take a quick look at these tips courtesy of the San Antonio Police Department, Kaspersky Lab and the insurance industry (which really cares about not having to pay for these mistakes).

Remember that Scammers Like to Install Card Skimmers Before Holidays and Weekends

By this point, hackers have figured out that they’ll have a longer lead time to actually get away with your credit card or bank information, and thus your money, if they install their card skimmers at the start of a long weekend or holiday period when banks tend to be closed.

Judging from reports in the insurance industry trade publications like Claims Journal, spikes around holiday periods have become a consistent new phenomena. So — without ruining your celebration of America’s birth — it would be an extra good idea to be vigilant this week than on any ordinary work week.

Some gas station pump card-readers have anti-skimming security stickers worth looking out for, like this example from Blaine, Minnesota.

 Tony Webster / Flickr

Use Credit Cards Instead of Debit Cards, If and When You Can

It’s far better to have a scammer steal you credit card issuer’s money than it is to steal your own money, and the legal protections for credit card consumers are much stronger. Even if you don’t report your credit card’s theft right away, your liability is capped at $50 under the Fair Credit Billing Act. On an ATM card, if you wait more than two business days that liability soars to $500, according to the FTC

But sometimes, you need that cold hard cash, in which case it’s particularly important to keep an eye out for the whole subset of false skins that card-skimmers use to acquire not just information off your card’s magnetic strip but also your 4-digit pin number as well. Two men, for example, managed to steal $400,000 from their victims’ bank accounts before being caught, thanks to thin false keypads placed over actual keypads at Murphy’s gas stations in Texas-, Arkansas- and Oklahoma-area Walmart parking lots, according to the U.S. Attorney’s office in Muskogee.

Newer card readers at gas station pumps are designed to be more secure, according to Lt. Marcus Booth, the financial crimes unit director for the San Antonio Police Department who spoke last week with cybersecurity researcher Brian Krebs. They tend to be noticeable by the fact that they have a raised metallic keypad for entering your pin, like an old payphone, unlike the flat, membrane-like older models; their card readers are also horizontal whereas the older gas station pumps have a vertical reader.

“Pretty much all these full travel metallic keypads are encrypted, and if you disconnect them they disable themselves and can only be re-enabled by technician,” according to Lt. Booth’s interview with KrebsOnSecurity. “If the pump is opened improperly, it disables itself. These two specific items: The card reader or the pad, if you pull power to them they’re dead, and then they can only be re-enabled by an authorized technician.”

Check for Loose or Broken Parts

As Kaspersky Lab security researcher Stefan Tanase put it to PC Mag, ATMs and card-readers are generally designed to be solid and don’t have loose parts.

This sounds straightforward, but most people don’t take the time to wiggle the plastic interface of a card reader to see if it’s been tampered with. To install the second “read head” — your basic card skimmer used to pull information off of a card’s magnetic strip — you have to fabricate a plausible new exterior to the card readers by surreptitiously opening it up or installing one internally — two tactics that are liable to leave some sort of visible traces of disturbance.

So, yeah, don’t be afraid to kick the tires on ATM machines. Wiggle protruding bits that seem off to you, or even ones that don’t.

Related Tags