This article was written during a challenge organised with several HEC students to write articles about cybersecurity. So it has been written by our guest author, El Farouk EL AZIZI, student from HEC Business School.

What is credit card skimming ?

Skimming is the crime of getting private information about someone else’s credit card in an otherwise normal transaction. The thief can procure a victim’s card number using basic methods such as photocopying receipts or more advanced methods such as using a small electronic device (Skimmer) to swipe and store hundred of victims’ card numbers.

When a Credit or Debit Card is swiped through a skimmer, it stores all the information stored in the card’s magnetic stripe. This last one contains the credit card’s numbers and expiration date and all other details related to it. Credit card skimmers are often placed over the card swipe mechanism on almost any type of credit card reader (ATM, gas station, etc.).

For ATMs for example, the thief installs a device that fits over the real ATM card-reader slot. Consequently, ATM users (bank & customers) do not know that their information is being intercepted as their card is inserted into a false reader. While using the ATM, the skimmer duplicates the data stored in the card. Sometimes, it is paired with a camera that records the user entering his PIN code. Another technique used is a keypad overlay that matches up with the buttons of the legitimate keypad below it and presses them while operated, but records or remotely transmits the keylog of the PIN entered.

Once the victim’s credit card information is stolen, thieves can either create a cloned card to proceed to purchases in stores or sell the credit card information on the Darknet. Victims are generally unaware of the theft until they notice unauthorized charges on their account and as thieves are generally hard to track down. But for a large part of them, it is possible for card issuers to detect them. The issuer collects every customer’s claims related to fraudulent transactions, and then uses data mining (regression) to discover insights, the relationship among them and the associated merchants. For example if a large amount of abused customers use a particular merchant, this last one will be investigated. Other sophisticated algorithms can also search for patterns of fraud.

Credit card skimming has expanded and takes place nowadays in every corner of the world. This practice is present from Europe to South Africa and is expected to grow in developing countries, as credit cards users are growing.

How to protect from credit card skimming ?

According the Fair Isaac Corporation (FICO), the number of compromised ATMs and points of sales in USA jumped 21 percent during the first six months of 2017. That comes on the heels of a 70% increase between 2015 and 2016. There are no statistics regarding Gas Pump Skimming since it’s a local crime and not centrally tracked. However the risk of theft is quite significant : according to the National Association for Convenience Stores, 29 Million Americans refuel every day using their credit card, a single compromised pump can capture data from 30 to 100 cards per day. And when skimming occurs at a gas station, it is usually limited to one pump which makes it more difficult to spot.

Credit Card skimming is becoming a serious and real threat of the modern digitalized world and governments are becoming aware of this. Many ATMs worldwide are now equipped with a guide to help people identify whether the ATM is compromised or not. Banks may also not process suspicious charges until the identity of the one who initiated the transaction is verified. However progress is still needed. In US for instance, gas pumps received a three-year extension on EMV transition in 2017, meaning that fuel pumps will continue to be field for fraudsters with skimmers until October 2020. Therefore, we should all be cautious and adapt our behaviour to avoid and/or counter skimmers. Firstly, everyone must watch where they shop with their credit card. Secondly, people should check the ATM before using it. Skimmers are generally produced using a 3D printer, there should be therefore some noticeable differences. Finally, we should act in a responsible manner, for example we should never fall to those “credit card cleaning“ scams where thieves claim to clean the magnetic strip on your credit card to help it work better (whereas he plugs it into a skimmer) or we can rely on apps that helps detects skimmers such as “Skimmer Scanner” a free skimmer scanner Android app released in September 2017 .