Blog: What’s What with Skimming and How to Defend Against It

December 19, 2022  |  MARCELO CASTRO

Across the globe, inflation is on the rise, driven by a combination of factors. In the United States, for example, estimates suggest that inflation for 2022 will be around 7.68% overall. This price increase is driven especially by the cost of energy and of food and beverages – essential goods whose rising costs hit lower-income groups, who are already struggling, the hardest.

This situation is already challenging, but to make matters worse, over the course of the last several months, skimming losses reported by recipients of state-issued prepaid debit cards within the Supplemental Nutrition Assistance Program (SNAP) have risen rapidly in several U.S. states. This program uses Electronic Benefits Transfers (EBT) to support struggling citizens. Like a regular debit card, EBT cards are used along with a personal identification number (PIN) to either pay for goods at participating stores or withdraw cash from an ATM. However, they are often more vulnerable to skimming attacks since most states do not equip them with smart chip technology. Instead, they are equipped with the more vulnerable magnetic stripe. 

While this is just one example of how skimming attacks can impact a specific group of consumers, the threat continues to be an ongoing security risk for all consumers. Our goal is to prevent all kinds of skimming attacks from succeeding. So, let’s have a look at the different attack scenarios and how financial institutions (FIs) can detect and prevent them. 

Generally, in a skimming attack, criminals attach one device to get the PIN (this can be either a camera or an overlay on the PIN pad) and another to collect the data from the card. Both devices are usually collected after having gathered data from several users over a certain period. The device to collect the card data can be attached in different positions. Depending on where it is installed, different countermeasures can be helpful to detect and prevent attacks. 

1. The first possibility is an overlay skimmer that is installed externally on the fascia and/or over the entrance to the card reader. External skimmer recognition detects this type of device using internal sensors. If the sensors detect suspicious activity, the ATM sends out a maintenance request to check whether an illegal device has been attached and takes itself out of service in the meantime. Alternatively, to avoid the ATM being taken out of service, multi-signal jamming defense can prevent the skimmer from copying cardholder data. This enables the ATM to continue to run securely despite a skimmer being present while maintenance is being dispatched.

2. The second type of skimmer is a throat inlay skimmer where the read head of the illegal device is in the card reader throat in front of the shutter. Again, both external skimmer recognition and multi-signal jamming can help protect cardholder data, but there is another way to prevent this kind of attack: Internal space defense minimizes the space within the card reader to make the installation of this type of skimmer very difficult. 

3. The third type of skimmer is an internal or deep insert skimmer where the read head of the device is located behind the shutter inside the card reader. These devices can be extremely thin. In a recently discovered case in New York, the insert skimmers were only approximately .68 millimeters tall. While the construction of such an extremely thin device may appear difficult for would-be criminals, these devices are unfortunately not hard to get on the dark net. However, even with these tiny devices, internal space defense can effectively prevent skimming attacks, but it should be combined with additional protections: advanced internal skimming recognition can detect the presence of objects other than cards within the card reader and then – as with external skimmer recognition – send an alert and take the ATM out of service.

To reliably defend against skimming attacks, all three scenarios should be taken into consideration. That is why modern card readers are equipped with several protections against skimming attacks. However, some offer only a basic level of security instead of securing the transaction on several layers in case one of them fails. Layering matters because criminals never rest and continue to develop new kinds of attacks.

With its Security Pack 3 and ActivEdge® card reader, Diebold Nixdorf offers the only premium solutions on the market that include all the above protective measures for the best possible all-round security. 

A reliable defense requires protection from all sides. Aside from a more secure card reader to protect against skimming, you should also consider eliminating the mag-stripe, migrating to EMV chip cards and implementing geo-blocking. Additional measures could also include, among others, real-time monitoring, PIN pad protection, awareness campaigns or visual inspections of the terminals.

Would you like to learn more about how you can protect your customers? Our DN Series family of ATMs offers the most comprehensive base layer of security in the industry. Our ATMs can be customized to meet your organization’s needs with several innovative add-on options to thwart attacks from all directions: physical, data and cyber-attacks. Explore our ATM security solutions or contact us to start a conversation.
