How Anti-Fraud Systems Detect Skimmers

[Mutt]

Anti-fraud systems such as Stripe Radar, Adyen RevenueProtect, Sift or banking platforms play a key role in detecting skimmers – devices or programs used to steal bank card data (magnetic stripe or EMV chip) for carding purposes. Skimmers are usually installed on ATMs, POS terminals or embedded in online stores (web skimmers) to intercept data such as the card number (PAN), expiration date, CVV, or even PIN. For educational purposes, I will describe in detail how anti-fraud systems detect skimmers, including technical methods, technologies used, examples and their impact on carding. I will also explain why these systems are effective in preventing fraud.

1. What are skimmers and how do they work?​

Skimmers are devices or software designed to steal bank card data:

• Physical skimmers:
  • Installed on ATMs or POS terminals to read magnetic stripe or EMV chip data (via contact or NFC interfaces).
  • Often accompanied by hidden cameras or keyboard overlays to intercept PIN codes.
• Web Skimmers (Magecart Attacks):
  • Malicious JavaScript code is injected into online shopping sites to intercept card data entered by users.
  • Example: The script intercepts payment form data and sends it to the attacker's server.

The purpose of carding: The obtained data (PAN, CVV, expiration date) is used to clone cards or transactions in stores without 3D-Secure (3DS), especially with Non-VBV or Auto-VBV bins.

Why skimmers are dangerous: They allow carders to collect data directly from devices or websites, but anti-fraud systems are designed to detect such attempts at the transaction, device and network level.

2. How antifraud systems detect skimmers​

Anti-fraud systems use a multi-layered approach, analyzing transaction data, devices, networks, and user behavior to identify signs of skimming. Key methods include:

a) Analysis of transaction patterns​

• Mechanism:
  • Anti-fraud systems monitor transaction anomalies that indicate the use of data obtained through skimmers:
    • Multiple attempts: Repeated transactions from the same card for small amounts ($1–$5) are a typical sign of card testing.
    • Geolocation Mismatch: Transactions from an IP address that does not match the map region (e.g. map from the US, IP from Russia).
    • High chargeback rate: Cards used in skimming are often associated with chargebacks or complaints.
• How to detect:
  • Systems like Stripe Radar use machine learning to analyze transactions in real time.
  • Example: Card (Non-VBV, BIN 479126) is used for 5 transactions of $1 within 10 minutes from IP in Nigeria. Radar marks the card as compromised.
• Technical details:
  • Anti-fraud systems integrate with GeoIP databases (MaxMind, IP2Location) to check the IP region.
  • The algorithms calculate the risk score (0–100) based on the parameters:
    

    {
    "transaction_id": "txn_123",
    "ip": "104.28.12.45",
    "country_code": "NG",
    "card_bin": "479126",
    "attempts": 5,
    "risk_score": 95
    }

• Impact on carding:
  • Carders using skimmed data are quickly identified through card testing patterns or IP mismatches.

b) Device Fingerprinting​

• Mechanism:
  • Anti-fraud systems collect unique device characteristics (browser, OS, screen resolution, fonts, plugins) via JavaScript SDK (for example, stripe.js).
  • The devices used for transactions with skimmed data are often different from the cardholder's usual devices.
• How to detect:
  • If the transaction is made from a new device (e.g. virtual machine, Tor Browser), this increases the risk rate.
  • Example: The card was used from an iPhone (iOS 18, Safari) in the US, but the new transaction is from a Windows VM via VPN. Radar flags it as suspicious.
• Technical details:
  • Device fingerprint:
    

    {
    "device_id": "device_123456",
    "browser": "Chrome 120",
    "os": "Windows 10",
    "screen_resolution": "1920x1080",
    "timezone": "UTC+3",
    "ip": "104.28.12.45"
    }

  • A discrepancy with the owner's history fingerprint raises a flag.
• Impact on carding:
  • Carders using skimmed Non-VBV bin data often use VPNs or virtual machines, which can be detected using Device Fingerprinting.

c) GeoIP and IP analysis​

• Mechanism:
  • Anti-fraud systems use GeoIP databases (MaxMind GeoIP2, IPinfo) to check IP addresses for VPN, Tor or high-risk regions.
  • Skimmed data is often used from IPs that do not match the map region.
• How to detect:
  • IPs marked as VPN (eg NordVPN, ASN AS208877) or Tor exit nodes automatically increase the risk score.
  • Example: A skimmed card (BIN 440393, Auto-VBV) is used with IP 104.28.12.45 (Cloudflare). GeoIP2 marks the IP as VPN and Radar initiates 3DS.
• Technical details:
  • API request to GeoIP:
    

    GET https://geoip.maxmind.com/geoip/v2.1/city/104.28.12.45

    Answer:
    

    {
    "ip_address": "104.28.12.45",
    "country_code": "US",
    "organization": "Cloudflare, Inc.",
    "proxy_type": "VPN",
    "risk_score": 85
    }

• Impact on carding:
  • Carders using skimmed data from VPN are detected by GeoIP, which blocks transactions or requires OTP.

d) Behavioural analysis​

• Mechanism:
  • Anti-fraud systems analyze user behavior:
    • Direct access to payment: No navigation on the site (catalog, shopping cart).
    • Typing speed: Bots type data faster than humans.
    • Multiple Cards: Use multiple cards from one IP/device.
• How to detect:
  • Skimmed data is often used by bots for mass testing (card testing).
  • Example: Carder uses skimmed data for 10 transactions of $1 from one IP. Radar detects the pattern and blocks the device.
• Technical details:
  • JavaScript SDK collects data about input time, clicks, scrolling.
  • Machine learning algorithms compare behavior to a normal profile.
• Impact on carding:
  • Carders using bots to test skimmed Non-MCSC bins are identified due to unnatural behavior.

e) Monitoring of ATMs and POS terminals​

• Mechanism:
  • Banks and ATM operators use technologies to detect physical skimmers:
    • Anti-skimming devices: Jitter technology (vibration of the card slot) disrupts the operation of skimmers.
    • Sensors: Detect foreign devices on the ATM (magnetic or NFC skimmers).
    • Transaction Monitoring: Anomalies in transactions from a single ATM (e.g. multiple failures) indicate a skimmer.
• How to detect:
  • If an ATM shows an unusually high rate of refusals or chargebacks, it is checked for a skimmer.
  • Example: An ATM registers 50 rejected transactions in an hour. The bank sends technicians to check the machine.
• Technical details:
  • Anti-skimming systems (such as the Diebold Nixdorf Anti-Skimming Module) use IR sensors to detect foreign devices.
  • Banks analyze data through platforms such as VisaNet to identify suspicious ATMs.
• Impact on carding:
  • Physical skimmers are quickly identified and skimmed cards are blocked after the first attempts.

f) Web skimmer detection (Magecart)​

• Mechanism:
  • Anti-fraud systems scan store websites for malicious JavaScript code.
  • Used by:
    • Security scanners: Snyk, Sucuri, or custom solutions for analyzing page code.
    • Traffic Monitoring: Detect suspicious requests to third-party servers.
    • Behavioural analysis: Unusual forms of data entry (e.g. hidden fields).
• How to detect:
  • A script that sends payment form data to a third-party server (e.g. malicious.com) is flagged as a web skimmer.
  • Example: Stripe Radar detects that card data is being sent to IP 192.168.1.1, which is not associated with the store. The site is marked as compromised.
• Technical details:
  • Scanners check the DOM (Document Object Model) for suspicious scripts:
    

    <script src="https://malicious.com/skim.js"></script>

  • Content Security Policy (CSP) blocks unauthorized scripts.
• Impact on carding:
  • Web skimmers used to collect Non-VBV bin data are detected before the carder can use the data.

g) Blacklists and data exchange​

• Mechanism:
  • Banks and payment systems (Visa TC40, MasterCard SAFE) exchange data on skimmed cards, IP and devices.
  • Cards associated with suspicious activity are added to blacklists.
• How to detect:
  • If a skimmed card is used, the bank checks it through TC40 and blocks it.
  • Example: Card (BIN 523236, Non-MCSC) is used in 3 stores after skimming. Visa TC40 notifies the bank and the card is blocked.
• Technical details:
  • Banks use APIs to check cards in real time:
    

    {
    "card_pan": "1234567890123456",
    "status": "blacklisted",
    "reason": "suspected skimming"
    }

• Impact on carding:
  • Skimmed data quickly becomes useless due to blacklists.

3. Practical examples​

• Scenario 1: Physical Skimmer on ATM:
  • The carder installs the skimmer on the ATM, reads the magnetic stripe data (Non-VBV bin) and PIN through the camera.
  • Uses data to withdraw cash.
  • Result: The bank detects an anomaly (multiple transactions from one ATM) and blocks the card via TC40.
• Scenario 2: Web skimmer on site:
  • The carder injects a JavaScript skimmer into the store and intercepts Auto-VBV card data.
  • Tries to use online data, but Radar detects a suspicious IP (GeoIP: Tor) and initiates 3DS.
  • Result: Transaction is rejected due to missing OTP.
• Scenario 3: Skimmed card at POS terminal:
  • The carder uses a cloned card (Non-MCSC) in a store with an outdated terminal.
  • The anti-fraud system detects an IP (GeoIP) mismatch and blocks the transaction.
  • Result: The card is added to the blacklist.

4. Limitations of antifraud systems​

• Delay in detection:
  • New skimmers (especially web skimmers) can remain undetected for several days before being detected by scanners.
• False positives:
  • Legitimate users with VPN or traveling may be flagged as suspicious.
• Physical skimmers:
  • Physical verification of ATMs is required, which may take time.
• Residential proxies:
  • Skimmed data used with residential proxies is harder to detect, but Device Fingerprinting and behavioral analysis make up for it.

5. Protective measures for banks and shops​

• Anti-skimming devices:
  • Jitter technology and sensors on ATMs prevent the installation of skimmers.
• EMV chips:
  • Dynamic cryptography makes cloning of chips impossible.
• 3D-Secure:
  • Requires OTP or biometrics, which are not available to carders.
• Web skimmer scanners:
  • Sucuri, Snyk and CSP block malicious scripts.
• Monitoring:
  • Banks monitor transactions in real time to identify skimmed cards.
• User training:
  • Users are informed about signs of skimmers (for example, suspicious devices on ATMs).

6. Conclusion​

Anti-fraud systems detect skimmers through transaction pattern analysis, Device Fingerprinting, GeoIP, behavioral analysis, ATM/POS monitoring, web skimmer scanning, and blacklisting. These methods effectively prevent the use of skimmed data because:

• GeoIP detects VPN and region mismatch.
• Device Fingerprinting detects suspicious devices.
• 3DS requires OTP, which is not available to carders.
• Monitoring and blacklisting block compromised cards.

Modern measures (EMV, 3DS, anti-skimming devices) make skimming expensive and risky, reducing its effectiveness for carding. If you want to dive deeper into a specific aspect, such as how Jitter technology works or how to set up rules in Stripe Radar to detect skimmers, let me know!