How do skimmers work and how are they detected? (Skimmer design, their installation on ATMs/POS terminals, protection methods)

Skimmers are devices used in carding (bank card fraud) to steal card details and PINs for subsequent use in illegal transactions. In the context of carding, skimmers are one of the key tools that allow attackers to collect data to create card clones, make online purchases, or sell information on the darknet. Below is a detailed analysis of how skimmers work, their installation, detection methods, and protection, with an emphasis on educational aspects and their connection to carding.

What is carding and the role of skimmers

Carding is a type of fraud in which criminals use stolen bank card information for financial gain. This may include:
  • Direct purchases online or in stores.
  • Cash withdrawal from ATMs.
  • Selling stolen data (dumps) on shadow forums.
  • Creating physical duplicates of cards for use in offline transactions.

Skimmers play a key role in carding, as they allow collecting card data (number, owner's name, expiration date, CVV code) and, if necessary, a PIN code to access the account. This data is either used directly or sold on the darknet on specialized sites.

How do skimmers work?

Skimmers are electronic devices that read data from bank cards when they are used at ATMs, POS terminals, or other devices. They come in different types and levels of sophistication, from simple overlays to high-tech devices that can interact with EMV chips.

1. Reading card data

  • Magnetic stripe: Most skimmers are designed to read data from the magnetic stripe (track 1 and track 2), which contains information about the card number, owner's name and expiration date. This is achieved using a miniature magnetic reader built into the skimmer.
  • Chip cards (EMV): Modern skimmers may use a method called "shimming": a thin insert placed in the card slot that interacts with the chip. Shimmers are more difficult to manufacture and install, but allow attackers to bypass EMV protection.
  • Data storage: Skimmers store data in built-in memory (e.g. microSD card) or transmit it in real time via Bluetooth, Wi-Fi or GSM module.

2. Capturing the PIN code

To use the stolen data at ATMs or to withdraw cash, a PIN code is required. Fraudsters use the following methods:
  • Overlay keyboards: Installed over the original keyboard and record the sequence of keystrokes.
  • Miniature cameras: Hidden in false panels, light fixtures or even fake flyer holders, the cameras record PIN code entries.
  • Heat Traces: In rare cases, scammers use thermal imaging cameras to analyze the residual heat on the keys after the PIN is entered.

3. Data transfer

  • Physical Extraction: The fraudster returns to the skimmer to retrieve the device and extract data from the memory.
  • Wireless transmission: Modern skimmers use Bluetooth, Wi-Fi or GSM to transmit data in real time. This allows carders to receive information without having to return to the device.
  • Darknet: The resulting data (dumps) are sold on dark forums such as Genesis Market or Joker's Stash (before they were shut down). Dumps may include magnetic stripe data (track 1/2), CVV, PINs, and other information.

4. Use of data

  • Card Clones: Carders write stolen data onto blank plastic cards with a magnetic stripe (such as gift cards) using devices such as an MSR (Magnetic Stripe Reader/Writer).
  • Online transactions: Data is used for online purchases, especially on sites with low verification levels (without 3D-Secure).
  • Cash withdrawals: With a cloned card and PIN, carders withdraw money from ATMs, often in countries with low levels of controls.

Installing skimmers

Skimmers are installed quickly and discreetly to avoid detection. The process depends on the type of device and the purpose.

1. On ATMs

  • Overlay skimmers:
    • This is the most common type. The device is made to look like the original ATM card reader. It is attached using double-sided tape, magnets or latches.
    • Installation takes 10-30 seconds and is often done at night or in low surveillance areas.
    • Example: A skimmer may be disguised as a green card reader panel on an NCR or Diebold ATM.
  • Internal skimmers:
    • Installed inside the card slot, which requires physical access to the ATM. Fraudsters can use counterfeit keys, hacked locks, or even bribed staff.
    • Such devices are more difficult to detect as they are not visible from the outside.
  • Cameras and keyboards:
    • The cameras are disguised as ATM elements (e.g. leaflet holders, lighting panels).
    • Overlay keyboards are made of plastic or silicone and exactly replicate the shape of the original keyboard.

2. On POS terminals

  • External skimmers: Installed on a card slot or connected via a port (for example, USB or headphone port in older terminal models).
  • Internal skimmers: These are built into the terminal, requiring access to the device. This is common in restaurants where terminals are handed over, or at gas stations.
  • Software skimmers: In rare cases, fraudsters infect the terminal with malware that intercepts card data during a transaction.

3. Time and place of installation

  • Skimmers are often installed in low-security locations: street ATMs, terminals at gas stations, small shops or restaurants.
  • Installation is carried out quickly to minimise the risk of detection. Fraudsters can disguise themselves as technicians using fake uniforms or stickers with bank logos.

How Skimmers Are Detected

Detecting skimmers requires vigilance and, in some cases, special technology. Carders strive to make their devices as invisible as possible, so it is important to know the signs of their presence.

1. Visual and physical signs

  • Card reader:
    • Check to see if the card reader is protruding or is a different color, texture or material than the rest of the ATM.
    • Try pulling the card reader slightly. The original components are firmly attached, while skimmers are often held in place by glue or magnets.
  • Keyboard:
    • If the keyboard feels thicker than usual or the keys feel different when you press them, it may be an overlay.
    • Check for additional layers of plastic or silicone.
  • Suspicious elements:
    • Look for small holes (for cameras), extra wires, fake panels, or non-standard items such as fake flyer holders.
  • Card slot:
    • Shine a flashlight into the slot to check for shimmers (thin inserts for chip cards).
    • If the card is difficult to insert or gets stuck, this may be a sign of a skimmer.

2. Technological methods

  • Anti-skimming devices:
    • Modern ATMs are equipped with modules that create electromagnetic interference for skimmers (jamming technology).
    • Sensors detect foreign devices in the card slot or on the keyboard.
  • RFID/Bluetooth detectors:
    • Special devices can detect wireless signals emitted by skimmers. For example, a smartphone app with Bluetooth scanning can identify suspicious devices nearby.
  • Transaction Monitoring:
    • Banks use anti-fraud systems that analyze transactions for anomalies (for example, multiple withdrawals in different countries).
  • Equipment testing:
    • Banks and retail outlets regularly check ATMs and terminals for foreign devices using technicians or specialized tools.

3. Device behavior

  • If your ATM or terminal is behaving unusually (e.g. asking for your PIN multiple times, your card getting stuck, the screen flashing), it may indicate a skimmer or malware.
  • In rare cases, skimmers can cause malfunctions in the device, which is noticeable when trying to make a transaction.

Methods of protection against skimming in the context of carding

Protection against skimming is important for both users and banks and retail outlets. Carders are constantly improving their methods, so protection must be multi-level.

1. For users

  • Selecting secure devices:
    • Use ATMs in bank branches or places with video surveillance. Avoid street ATMs in poorly lit areas.
    • In restaurants or stores, check POS terminals before using them.
  • Physical protection:
    • Cover the keyboard with your hand when entering your PIN to protect yourself from cameras.
    • Check the card reader and keyboard for any overlays or suspicious elements.
  • Technological measures:
    • Use cards with an EMV chip, which are harder to skim than cards with a magnetic stripe.
    • Prefer contactless payments (NFC) or mobile apps (Apple Pay, Google Pay) that use tokenization and do not reveal card details.
    • Set up SMS or push notifications for transactions to monitor for unauthorized transactions.
  • Account Monitoring:
    • Check your account statements regularly through online banking.
    • If you notice suspicious transactions, block your card immediately and notify your bank.
  • Caution when traveling:
    • Carders often install skimmers in tourist areas where users are less careful. Be especially careful when traveling abroad.

2. For banks and retail outlets

  • Anti-skimming technologies:
    • Install modules that interfere with skimmers (for example, electromagnetic or ultrasonic).
    • Use sensors to detect foreign devices in the card slot or on the keyboard.
  • Physical protection:
    • Check ATMs and terminals regularly for skimmers. This may include daily inspections by technicians.
    • Install video surveillance and panic buttons in ATM locations.
  • Encryption and tokenization:
    • Encrypt card data at all stages of transaction processing.
    • Use tokenization to replace card data with temporary tokens that are useless to carders.
  • Staff training:
    • Train employees to recognize skimmers and suspicious behavior (such as people lingering near an ATM for long periods of time).
    • Provide cybersecurity training to employees who work with POS terminals.
  • Software protection:
    • Install antivirus software and malware detection systems on POS terminals.
    • Update the firmware of your ATMs and terminals regularly.

3. Systemic measures

  • EMV and 3D-Secure:
    • The widespread adoption of chip cards (EMV) reduces the effectiveness of magnetic stripe skimming.
    • Using 3D-Secure (additional authentication for online payments) makes stolen data less valuable.
  • Biometrics:
    • The introduction of biometric methods (fingerprints, facial recognition) instead of PIN codes reduces the risk of compromise.
  • Antifraud systems:
    • Banks use machine learning algorithms to analyze transactions in real time. For example, systems can block transactions if a card is used in an unusual location or for abnormally large amounts.
  • International cooperation:
    • Banks and law enforcement are collaborating to track down carding networks and shut down darknet sites where dumps are sold.
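
The transaction checks mentioned above (withdrawals in different countries, use in an unusual location, abnormally large amounts) can be sketched as two simple rules. This is an added example, not code from the original post or from any bank's system; the `Txn` record, the thresholds `MAX_KMH` and `AMOUNT_FACTOR`, and the sample transactions are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_KMH = 900.0      # assumed threshold: about airliner cruise speed
AMOUNT_FACTOR = 5.0  # assumed threshold: multiple of the card's median amount

@dataclass
class Txn:
    card: str
    ts: datetime
    lat: float
    lon: float
    country: str
    amount: float

def km_between(a, b):
    """Great-circle (haversine) distance between two transactions, in km."""
    dlat, dlon = radians(b.lat - a.lat), radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(min(1.0, h)))

def flag(txns):
    """Return [(txn, reasons)] for transactions that break either rule."""
    alerts, history = [], {}
    for t in sorted(txns, key=lambda x: x.ts):
        past, reasons = history.setdefault(t.card, []), []
        if past:  # rule 1: speed needed to get here from the last accepted use
            prev = past[-1]
            hours = max((t.ts - prev.ts).total_seconds() / 3600, 1 / 60)
            if km_between(prev, t) / hours > MAX_KMH:
                reasons.append(f"impossible travel {prev.country}->{t.country}")
        if len(past) >= 3:  # rule 2: amount far above this card's (upper) median
            median = sorted(p.amount for p in past)[len(past) // 2]
            if t.amount > AMOUNT_FACTOR * median:
                reasons.append(f"amount {t.amount} vs median {median}")
        if reasons:
            alerts.append((t, reasons))
        else:
            past.append(t)  # flagged transactions never enter the baseline
    return alerts

d = datetime.fromisoformat
SAMPLE = [  # constructed sample data, not real transactions
    Txn("card-A", d("2024-03-01T09:00"), 52.52, 13.40, "DE", 40.0),
    Txn("card-A", d("2024-03-01T18:00"), 52.52, 13.40, "DE", 60.0),
    Txn("card-A", d("2024-03-02T12:00"), 52.52, 13.40, "DE", 50.0),
    Txn("card-A", d("2024-03-02T13:00"), -23.55, -46.63, "BR", 400.0),
    Txn("card-A", d("2024-03-02T15:00"), 52.52, 13.40, "DE", 45.0),
    Txn("card-B", d("2024-03-02T10:00"), 48.86, 2.35, "FR", 30.0),
    Txn("card-B", d("2024-03-02T13:00"), 45.76, 4.84, "FR", 35.0),
]
```

Calling `flag(SAMPLE)` flags only the São Paulo withdrawal, for both reasons; the cardholder's next Berlin purchase and the Paris-to-Lyon trip on the second card pass.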

Technical details of skimmers

For educational purposes, let's look at how skimmers work from a technical point of view:
  1. Hardware:
    • Magnetic reader: Reads data from a magnetic stripe. Typically a compact head similar to those used in legitimate devices.
    • Shimmers: Thin boards that fit into the chip card slot. They intercept data transmitted between the chip and the terminal.
    • Microcontrollers: Control the operation of the skimmer, record data into memory or transmit it wirelessly.
    • Memory: MicroSD cards or flash memory for data storage.
    • Wireless modules: Bluetooth, Wi-Fi or GSM modems for data transmission.
    • Battery: Compact lithium batteries provide autonomous operation of the skimmer for several days or weeks.
  2. Software:
    • Skimmers use simple built-in software to process data and transmit it.
    • POS malware can be written in languages like C or Python and is introduced through vulnerabilities in the terminal firmware.
  3. Manufacturing:
    • Skimmers are often handcrafted or made in small workshops. Carders use 3D printers to create plastic covers that precisely match the shape of the card reader.
    • Shimmers require more complex manufacturing as they must be thin (less than 0.5mm) and compatible with EMV chips.

Carding and Skimmers: The Scale of the Problem

  • Volumes: According to various sources, annual losses from skimming and carding amount to billions of dollars. For example, in 2020, losses from skimming in the US were estimated at $1 billion.
  • Geography: Skimmers are most common in countries with a large number of ATMs and weak controls (e.g. the US, Latin America, Eastern Europe). However, with the introduction of EMV in Europe and the US, their effectiveness is declining.
  • Darknet: Dumps are sold for $10 to $100 depending on the card type, region, and whether or not a PIN is available. Carders also offer skimmer installation services or rentals of ready-made devices.

Conclusion

Skimmers are a powerful tool in the carder’s arsenal, allowing them to collect card data for subsequent fraud. They have evolved from simple overlays to sophisticated devices capable of bypassing chip card protection. Detecting skimmers requires vigilance, physical inspection, and technological solutions such as anti-skimming modules and monitoring systems. Users can protect themselves by using contactless payments, checking devices, and monitoring transactions. Banks and merchants should implement multi-layered protection, including encryption, biometrics, and regular equipment checks.

For educational purposes, it is important to understand that skimming is only part of the carding ecosystem, which also includes phishing, malware, and social engineering. Combating this type of fraud requires a joint effort by users, banks, and law enforcement.

If you want to dive deeper into a specific aspect (e.g. the technical design of shimmers, case examples, or methods for combating carding), let me know and I will prepare additional information!
 