Skimming and Shimming: Fraud at the ATM and Gas Pump

Recently we had someone give us a call for help about a weird charge that showed up on their bank statement. After asking some questions about where they went physically, or virtually, to use their debit card, out of everything they told us, our hunch was they were a victim of a skimming attack at a gas station. With that said, we think it’s best to shine a light on skimming, as well as shimming.

Credit/debit card skimmers have been around for at least a decade, where as shimming devices started popping up roughly four or five years ago. Both devices accomplish the same thing; collecting the data off of your credit or debit card. Once this data is collected it can be used by a malicious actor to make fraudulent purchases. The data from the card can also be sold on market places, not just to make unauthorized purchases, but for use in identity theft. The main difference between the two devices is that skimmers go over objects such as the card reader, or the key pad, for an ATM or gas pump. A shimming device, on the other hand, is inserted into the card reader of an ATM or gas pump and is incredibly difficult to detect.

The following image shows skimming devices [Source: FBI].

The following images are of shimming devices [Photo credit: Coquitlam RCMP]

So, what proactive steps can you take to help reduce the likelihood of falling victim to a skimming/shimming attack?

Skimmers:

• Don’t use ATMs that are in a very remote location and in places where there is really poor lighting.
• When approaching an ATM, or gas pump, tug/pull on the card reader and keypad before you even take your debit/credit card out. What you are looking for is to see if something pops off the card reader slot or the key pad. If something does, it may be indicative of a skimming device. If that happens, call the police and also notify the owner of the ATM, or if at a gas station, let someone who works there know what’s going on.
• When entering your PIN, use your free hand to cover the one punching in the numbers. This is to help prevent pin hole cameras placed around the ATM/gas pump from recording your key strokes.
• If you are at the gas pump and they have a contactless payment option where you can tap your card at the gas pump, which is a safer way.
• Another option is to go inside a bank, or gas station, to conduct your transaction.

Shims:

• These devices are incredibly difficult to see and detect. If you have a tap-and-go type payment card, use that instead of sliding it into the card reading slot.
• If you do slide the card in, after you’ve checked for skimming devices, and it feels really tight, or there’s resistance, stop the transaction if possible and notify someone at the gas station or, if it’s an ATM, the owner of the machine. It would also be a good idea to notify local law enforcement.

Overall, other things you should keep an eye out for are any signs of tampering at the ATM or gas pump. That includes broken security tape or physical damage to the machine. Since some of these devices also use Bluetooth to transmit the stolen data, you can enable Bluetooth on your phone to see what enabled devices are around.

[Source of information on skimmers and shims: https://www.wect.com/2019/03/06/debit-card-skimming-vs-shimming-everything-you-need-know-stay-safe/ ]

If you are, or suspect you are, caught up in a skimming/shimming attack:

Contact your bank or credit card issuer immediately to report the incident. If you do so you may not be responsible for any losses. If you wait to report, depending on how long you delay, you may be responsible for $50 – $500 in losses. If you do not report, you will be responsible for an unlimited amount of losses that results from the thief using your card. [Source: https://www.thebalance.com/stolen-debit-card-risk-315319]

In general, if you have a choice between using a debit or credit card to make a transaction, use the credit card. By using a credit card, you are not putting your bank account directly at risk. And if you don’t feel comfortable, as we stated above, you can always go inside the bank, or gas station, to conduct your business.

We hope this is helpful for you and that you keep vigilante when using your debit/credit card. One thing we do offer is identity theft protection, so if someone gets a hold of your credit/debit card, you’ll be notified. We also do reviews of your online presence so that you are more proactive protecting yourself. Click/tap here to see our services. Contact us to learn more and protect yourself now.