Sage Advice - Cybersecurity Blog

Credit Card Skimming Attacks

Cyberattacks against organizations are still on the rise, and unfortunately, they are only getting harder to detect. Hackers know how to break through traditional defenses to get what they want. But it’s not just web-based attacks that you need to be aware of; physical skimming attacks that could affect you financially should also be on your radar.

We’ll cover the basics of credit card skimming attacks below, so you can keep your wallet more secure.

What is credit card skimming?

Credit card skimming attacks are typically a blend of physical and cyber compromises, making them a particularly interesting and unique type of attack. For the purposes of this article, we’ll discuss the physical version of credit card skimming. However, the objective of physical credit card skimming and e-skimming is always the same: to collect payment information at the point of sale (POS).

In a physical credit card skimming attack, the cybercriminal will go to the POS and physically add a malicious device to that POS location. These devices can be hard to spot, but they usually look slightly different than the real thing. There are traditional skimming devices that only work by swiping credit cards and newer skimmers that cater to the chip credit cards.

These attacks usually happen at self-service locations, like ATMs, gas stations, or car washes. Any place where people are interacting with and running their credit cards in a machine that doesn’t have constant human supervision could be at risk for getting a malicious device added to it. It would be harder for a criminal to commit a physical credit card skimming attack when there’s a cashier or an employee standing by the machine, which is why these attacks usually happen in more remote areas.

This type of attack is sneaky, and people can easily be fooled. Once the criminal has installed the malicious device, the transaction is processed normally, and the device collects the payment information. In that transaction, though, the criminals are not directly stealing funds; they are collecting your credit card information. By remaining hidden, the device can collect the data from many potential victims – not just the first person unlucky enough to use that card reader.

Attackers not only have to place the device, but they also must come back and collect it later. The devices themselves are usually simple – the information likely isn’t getting wirelessly transmitted – and the data is stored right on the malicious card reader. On the plus side, this gives defenders more time to spot the malicious attack, so they can potentially collect the device themselves before the hacker comes back to collect it.

Cybersecurity analysts have found that these physical credit card skimming attacks have been on the decline in the last year. The decrease has likely been a product of the pandemic: people’s spending and travel habits have changed significantly, and many are getting gas less frequently. Don’t be fooled, though! Cybersecurity experts predict that physical credit card skimming attacks will be on the rise again in the coming months as federal and state governments start to open things up and allow people to travel freely post-pandemic.

How can you defend against credit card skimming attacks?

The first step in defending yourself (and your wallet) against credit card skimming is to look at the card reader before inserting or swiping your card. Look for anything strange or out of place, such as colors that don’t match the aesthetic of the machine. For example, if you are at your bank’s ATM and know that it’s branded with a green color scheme, but there’s a lot of orange around the reader, it might be a red flag. Another clue to pay attention to is the materials used on the reader. If you notice that they are different than the overall make-up of the machine, it can be a sign that something malicious has been installed on top of the intended device. Always keep an eye out for subtle aesthetic changes!

If you think something is out of place, you should walk around and look at other machines of the same type in the area you’re in. If you’re at a gas station, it would be a good idea to go look at some of the other pumps to see if the card readers look the same as the one at your pump. If there are any discrepancies, that might be a sign that someone has modified one or more of the readers in your area.

Finally, even if nothing odd immediately jumps out, but you have a feeling something’s going on, you can always give the card reader a wiggle before inserting your credit card. If something shakes loose or pops off unexpectedly when you grab it, it may be a malicious device. Of course, don’t put so much pressure on it that you break a legitimate device, but if you have a feeling it isn’t legitimate, it can be worth it to try this method.

By simply paying attention to your surroundings, you can help defend against credit card skimming and potentially save yourself from monetary loss, stolen personal information, and the hassle of canceling your credit card.

What should you do if you spot a credit card skimming device?

If you notice anything out of the ordinary, don’t use your credit card on that reader or any other readers in that location. If you found one malicious device, there’s a good chance that others in the area may be compromised. So, instead of using your credit card there, you should alert the owner of the device or a gas station employee and let them handle the removal.

To take it further, you can also contact your local authorities to let them know what you found, and that the device has been stealing people’s information. Most of the time, though, that’s not your responsibility unless your organization owns the device.

As the world starts to open again post-pandemic, it’ll be important for you to be extra cautious when at a gas station, ATM, or any other self-service machine in order to keep your credit card information secure.
