Play Video

5 tips—and a new device—to keep your credit card safe

(Credit: armydre2008/Flickr)

Researchers have teamed up with the New York City Police Department’s Financial Crimes Task Force to deploy the “Skim Reaper,” a device that instantly detects the presence of a credit card skimmer, allowing law enforcement and merchants to take action before the theft of card’s data.

Credit card skimmers are electronic devices criminals stick on ATMs and gas pumps to secretly suck up your sensitive financial information. With “Skim Reaper,” they may have finally met their match.

Real-world trials are already underway—researchers built five detectors for NYPD, which is deploying them in all five New York City boroughs for field testing. Preliminary tests show the device can detect skimmers with high reliability.

Consumers may be able to get their hands on one in six to nine months, and it may be small enough to fit in your wallet.

skim reaper
Skim Reaper. (Credit: U. Florida)

“Payment card skimming remains a popular crime, and attackers can easily get into the business using a few inexpensive parts purchased over the internet,” says Patrick Traynor, co-director of the Florida Institute for Cybersecurity (FICS) Research at the University of Florida’s Herbert Wertheim College of Engineering. Traynor helped develop the skimmer detector.

Lt. Gregory Besson with the NYPD Financial Crimes Task Force says card skimmers are a rapidly growing problem.

“In New York City, we saw a surge in ATM skimming in the past few years, as evidenced by the increase in devices recovered by our agency, the NYPD,” he says. “In 2015, we recovered 48 devices, and two years later that number had doubled to almost a hundred devices in 2017. Correspondingly, our arrests more than doubled for the same period, from 48 skimming-related arrests in 2015 to 134 skimming arrests in 2017.

“The big takeaway is that we’re always seeking new innovative ways to tackle this growing crime type, and we welcome trying new tools that would aid us towards that goal.”

Criminals can attach an overlay skimmer to an ATM, gas pump, or in-store payment terminal in seconds.

Card skimming costs more than $2 billion a year globally in fraudulent charges, according to the website ATM Marketplace. Credit card skimmers come in two varieties: those that are placed inside a legitimate card reader—think of those security stickers on gas pumps showing they’ve been inspected and are clear of internal skimmers—and those that have their own card reader, known as overlay/insert skimmers.

Criminals can attach an overlay skimmer to an ATM, gas pump, or in-store payment terminal in seconds, park nearby, and collect data via Bluetooth as customers to use their cards. They often return a few hours later, retrieve the skimmer and leave unnoticed.

Overlay skimmers are far more common than the internal type because they’re easy for criminals to install and difficult to detect. It’s those overlay skimmers that the new detection device is designed to snag.

The skimmer detector prototype works like this: A plastic card the same size of a credit or debit card goes into the card reader. The detector inspects the card slot and alerts the user if the reader in unsafe.

Cyber thieves can make $2 million off 50 credit cards

In the real world, a consumer could simply insert the detector into the reader before using his or her own credit or debit card. The detector would immediately notify them if something was wrong.

“While more-secure chip cards are becoming more common, their universal use, especially in ATMs and gas pumps, is likely years away,” Traynor says. “That means those old-fashioned swipe cards with the magnetic strips on the back will be around for the foreseeable future—along with their vulnerabilities.”

Until the skimmer detector is available to the public, law enforcement officials offer these tips for consumers to protect themselves:

  1. Wiggle the card reader before you insert your card. If it feels loose, don’t use it.
  2. Cover your hand while entering your PIN, even if you think no one is watching.
  3. If the security seal on a gas pump card reader is broken or has been tampered with, don’t use it.
  4. Use gas pumps close to the building and in view of the cashier.
  5. Use a credit card, not a debit card.

“Vendors and law enforcement need better tools to protect this payment channel,” says Nolen Scaife, a doctoral researcher who worked on developing the skimmer detector. “That’s precisely what this research has set out to accomplish, and we believe that this tool will go a long way in the fight against card skimmers while allowing payment terminal operators to continue leveraging their existing equipment.”

Source: University of Florida