On the Money

Card Sharks: ATM skimming grows more sophisticated

Key Points
  • Card skimming is getting more common and sophisticated, costing more than $2 billion a year in fraudulent charges.
  • Areas of the Internet known as the "dark web" offer technology and instructions on how to use the machines.
Card sharks

Do you know if a criminal stole your card information when you swiped at the ATM, or even a gas pump?

ATM skimming, or using a device to steal debit information, is on the rise and getting more sophisticated. Authorities discovered three ATM skimmers in gas stations in Ohio and one in a bank in Florida in the past month.

"ATM skimming is an over $2 billion problem globally," said Martin Bally, vice president and chief security office at Diebold Nixdorf, an ATM manufacturer.

Criminals are trying to cash in before more place switch over to chip cards, which skimmers currently do not work on. Right now, 45-50 percent of U.S. credit and debit transaction use the more secure chips instead of magnetic strips, according to the U.S. Payments Forum.

While older devices were relatively easy to spot, new devices are stashed deep inside.

"Now there's a skimmer that is literally as thin as…a credit card. And it slides into the slot and down. It's not even detectable," said Chris Hadnagy, the CEO of Social-Engineer, a cybersecurity training company. Hadnagy trains clients and law enforcement on the latest threats.

This skimmer, found for sale on the dark web, is as thin as a credit card and invisible from the outside of the machine.
Source: CNBC

Hadnagy showed CNBC a skimmer he found for sale on the dark web, an area of the Internet that is anonymous and sometimes used for illicit activities. The device has Bluetooth capabilities.

"If you can get it in there [the ATM] and not be seen or found, you can walk up to the device later on, turn your phone on, connect to the Bluetooth wireless, download all the cards, act like you're pumping some gas and leave, and they would never know that it was you," he said.

An even more sophisticated skimming device lets criminals avoid going back to the ATM. These skimmers include SIM cards, which are used in cell phones.

"It calls to a server and downloads all the numbers to a file for them to obtain," Hadnagy said.

Even more concerning, Hadnagy says the new devices take very little effort to install. He showed CNBC websites on the dark web which post instructions.

'An ongoing battle'

The new Diebold Nixdorf ATM takes the card sideways to try to defeat skimmers.
Source: CNBC

The proliferation of skimmers has put the ATM industry on alert.

"Skimming has historically been the number one fraud issue for the ATM channel, so it's always been, on top of mind for our folks. The financial institutions generally do quite a bit in the way of countermeasures for skimming," said David Tente, executive director in the U.S. for ATMIA, the ATM industry trade group.

"The ATM operators …are doing as much as they can to try to fight this… It's an ongoing battle," Tente added.

ATM manufacturers are working on new solutions. Diebold Nixdorf came out with a machine which has you insert your card lengthwise instead of width wide.

"The way we approach it is by changing the direction and way and how we read the magnetic strip on the card. And that simple change has been able to defeat all static skimming devices," Diebold Nixdorf's Bally said.

There are currently 7,000 ATMs using the technology around the globe. At this time skimmers only work on cards inserted the normal way. However, Bally admits nothing is 100 percent.

Here is how to protect yourself:

  • Check your bank statements regularly. Consumers have limited time to report unauthorized activity. "If you report it within two days of that unauthorized activity, then the bank will reimburse you for anything over $50," said attorney Dyan Finguerra-Ducharm, a partner at Pryor Cashman. " But if you wait… for your statement to come, then the law gives you 60 days in which to report. But because you've delayed and waited, you are responsible for the first $500 of the withdrawal."
  • Watch for signs the ATM of gas pump may have been altered. Hadnagy suggests checking if gas pump security tape is at all altered. "Turn on your Bluetooth when you're next to an ATM. or a gas pump and see if you see any weird networks that are popping up," he said. Also, try to wiggle the card slot, if it moves at all you should use a different machine. If you use the same ATM regularly, "be observant and try to notice whether or not there's anything different about the ATM on that particular visit," Tente said.
  • Cover your pin number when entering it. It may seem old fashioned, but criminals cannot access your bank account unless they have the pin and often still use cameras aimed at the keypad.

On the Money airs on CNBC Saturday at 5:30 am ET, or check listings for air times in local markets.