Of all the ways to get a person's banking credentials, the simplest is to copy the digital information on the card's magnetic stripe and visually or digitally obtain the PIN when a debit card is used. Why is that? There are a few reasons.
First, there is minimal contact with the victim. No phishing or social engineering is required. Second, debit and credit cards have what's called the Card Verification Value (CVV) or the Card Verification Data (CVD). CVV/CVD is a security code generated by the issuing bank and stored on the magnetic stripe. This means the card owner has no idea what the code is. So the only way to obtain that information is to copy all the data on the magnetic stripe. To do that, criminals initially focused on ATMs. As they gained expertise, the bad guys branched out into other self-service devices, like self-service gas pumps.
To get an understanding of how skimming works, refer to this Snopes.com article. It does a great job explaining what we're up against. Thankfully, there are things we can do to protect ourselves. Here are the top five suggestions from the experts.
1: Be familiar with the ATM's physical construction
I use the same ATM unless it's absolutely necessary to use another one. That way, I'm familiar with how it looks and I will be able to tell if something is out of place. Brian Krebs has done extensive research on ATM skimmers, and his posts have images of several working ones.
2: Make sure security cameras are trained on the ATM
Many ATMs have a low-resolution camera built in. Typically, it can't record an ATM skimmer being set up. Look for CCTV cameras trained on the ATM. That way, any motion-sensing activation can be coordinated with the ATM's camera to see if the person had a legitimate reason for being there.
3: Opt for inside ATMs
It sounds obvious, but inside ATMs are less likely to have skimmers installed. It takes some work to set up an ATM for skimming, and employees and customers would notice. Since inside ATMs may be less convenient -- and because many people are unaware of ATM skimmers -- this tip is often overlooked.
4: When it comes to self-service, look for operations that are always open
Surprisingly, installing skimmers in gas pumps is not that difficult. That said, having people and/or employees around all the time is still a huge deterrent. That's why criminals would rather install skimmers in gas pumps of closed service stations.
5: Keep an eye on your debit/credit card when others have it
It may be hard to do, but try to keep an eye on your debit/credit card when the clerk or waiter takes it. My friend thought I was nuts until I showed him this Wired post describing how four restaurant servers managed to steal $750,000 US using hand skimmers.
Extra tip: If you use debit cards, know your liability constraints
With credit cards, liability is limited to $50 US. Debit cards are different, so find out what your bank subscribes to. Normally, liability depends on when the theft is reported. It can vary from $50 US if reported within two days to the full amount if not reported within 60 days after receiving a statement.
Now that most banks are checking for their security code on the card's magnetic stripe, skimming is the only viable way to get all the required information. So when using your debit/credit card, be cautious about anything out of the ordinary.
Michael Kassner is currently a systems manager for an international company. Together with his son, he runs MKassner Net, a small IT publication consultancy.