I am sure this video is aiming to educate its viewers on how they can protect themselves against card skimming fraud, which is commendable. The video claims skimming fraud is costing Financial Institutions and Consumers around a $1Billion per year, which compounded since the early days of Chip Cards – 20-odd years – is a substantial amount of cash!

It looks like the scams discussed in this video are limited to the USA, because it’s unlikely they would work anywhere else.

Analysis of the Skimmer Scam

Follow the video and read the story – draw your own conclusions.
We begin by setting the scene – a short TV presentation about scammers draining your accounts without ever touching your card.
 
And then the presenter talks about a silent but growing threat that could be costing you all of your hard-earned money, and then we learn that credit card skimmers are costing Financial Institutions and Consumers around $1 billion per year.

Skimmer Placement

These devices are appearing everywhere, and to all intents and purposes they represent silent and invisible threats to payment security.

They are turning up in Gas Stations, ATMs, Grocery and Retail Stores; they are on the increase, but they are not new!

The clips in the YouTube video give the impression that card skimming fraud is inevitable.

ATM Skimmer being inserted

Law Enforcement Counter Measures

We then see one of the SKIM SCAN devices that are able to check a card slot for unwanted additional hardware, giving a green light if the slot is good to go and a red light if there is an issue.
 
It’s not clear what the device is testing for. There is no apparent chip on the card, so a contact-based check is ruled out, and if the card was testing contactless, it wouldn’t be necessary to insert it into the slot, but from what I can see, there are no contactless readers in sight … and I can’t see a magstripe.
 
Interested in the information stored on a Payment Card? Have a look at the Payment Monkey Introduction to Payment Cards.

Smarter and Faster Criminals

The criminals are getting smarter and faster, and harder to catch. They can install a skimming device in less than a minute, and you might not even know that you have been hit until it’s too late.
 
The narrator tells you that by the end of the video, you will be armed with the knowledge to protect yourself, spot these devices and understand what the authorities are doing to fight back.
 
It will also become clear, as you listen to the Payment Monkey, that skimming fraud is preventable, and it always has been! The ability to skim is a direct consequence of decisions that were made in the US at the turn of the century, and twenty five years later, the US consumer is still paying the price.

Skimmers – a US phenomenon

Skimmers do not show up everywhere. They show up in the United States because that’s where the easy pickings are. They don’t show up much in the UK, for example, because the systems in the UK don’t support skimming. 
 
Of course, you can extract the data from a chip in the UK just as easily as you could in the US – the data is meant to be easily accessible, that’s just how it works! The same is also true for the data encoded in the magstripe, although this is much easier to extract. 
 
However, in the UK, you can’t do anything with the data, because that’s just how the UK (and the rest of the world) have implemented their card payment systems. The US could do the same but has chosen an alternative approach.

PIN Stuff

Now, this PIN stuff. Yes, they do install tiny cameras and yes, they do install fake PIN Pads, and yes, they may even be peering over your shoulder, but the PIN is only a small element of chip security.
 
Since it is not possible to clone a card using the data that can be collected from a chip, the PIN argument becomes irrelevant – unless it’s a magstripe clone.
 
If it’s a simple magstripe clone, then it will only work in a device that is not capable of processing chip transactions – these devices still exist in the US, contributing to the FBI’s calculated $1 billion annual fraud hit! 
 
The PIN argument is used by the banks as a deflection mechanism, passing transaction responsibility to the cardholder when it should sit with the issuer. Of course, this doesn’t apply if you lose your card and it has your PIN written on it – that is your fault! 
 
And just for good measure, the PIN can be anything between 4-digits and 12-digits long. See how long is a PIN? for more. 
a halifax debit card with a 12 digit PIN
It’s a massive organised crime wave and reports are pouring in from all over the United States – but not so much from the Rest of the World.

Accountability

We learn that this is truly a region-wide crime wave, but surely it must also be about accountability – this fraud is preventable!

We use the same card technologies, but this fraud does not happen in the UK. It used to, but we very quickly learned the lesson. 
 
I designed one of the first Chip and PIN issuing services in the UK, in 2002, and we issued 12.5 million cards. We got everything right, nearly! We (I) initially made an EMV implementation schoolboy error, along with most of the other UK issuers, because we hadn’t implement the Card Verification Values properly. In our defence – and the design was reviewed and the mistake was missed – we were essentially first in the world, so the odd error could be expected. The schoolboy error allowed magstripe clones to be created using data extracted from the chip, which I believe is what we are seeing in the US, 23 years later. We fixed this unfortunate feature quickly, before too much damage had been done. 
 
The ability to clone a magstripe card from chip darta is caused by a configuration error on the part of the issuing bank. It’s been known about since 2003 and it’s very easy to fix.

Sound Advice – on the whole

ALWAYS DO A QUICK INSPECTION
It shouldn’t be necessary but it is. Since the risk of card skimming exists, it makes sense to check for card skimmers and hidden cameras, mismatched and missing parts, and bits that aren’t quite secure.
 
If the fraud wasn’t viable, the fraudsters wouldn’t try.
 
DO NOT USE YOUR PIN
This is the issuing bank deflecting responsibility for the transactions. The PIN is only of value if the scammer is able to create a usable card, and that’s the responsibility of the issuer.
 
However, it is sensible to keep it shielded.
 
SKIP THE SWIPE AND THE CHIP – INSTEAD USE TAP TO PAY
If the cards are implemented and personalised properly, it really makes no difference, but it is becoming increasingly apparent that the cards are not implemented properly. 
 
USE CREDIT CARDS OVER DEBIT CARDS
Credit cards generally offer a greater degree of legislative consumer protection than that offered by debit cards, making disputes and fraudulent transaction s easier raise and manage.  
 
AVOID SKETCHY OR ISOLATED ATMS
Another example of deflection. If the cards were issued according to the appropriate card standards, it does not matter how shabby the ATM might look. The integrity of the transaction lies in the transaction data.
 
SET UP REAL TIME TRANSACTION ALERTS
Sensible, but again the recommendation is a deflection technique. A properly implemented card system would not suffer this avoidable fraud activity, and it shouldn’t be the responsibility of the cardholder to monitor the bank’s operations. 
 
Can’t hurt though as it might also help you cut down your own spending.

This is preventable

We learn that Law Enforcement Agencies across the region are stepping up their game, investing in technologies that can sniff out skimmers and I assume shimmers also. The fight against skimmers is a constant battle, but it’s not a new battle!

There is a Police Department in Florida that is using skimmer seeking devices to check and then dismantle compromised payment devices. A blue light means it’s on, a green light means the reader is ok, a red light indicates a skimmer – it looks like the devices can detect both shimmers and skimmers.

The cost of skimmer fraud, according to the FBI, is in the region of $1 billion every year. Over 25 years, that’s a lot of money, which would have paid for chip card upgrades to a whole load of devices over the years.

Card Skimming is a serious threat, but if chip cards are implemented properly across a region, then the ability to skim goes away – the prevention of fraud pays for itself.

The scammers are stepping up their game. The banks should too! 

Explore the Future of Payments

The global payment ecosystems continues to evolve with technologies like AI, tokenisation, and real-time payments.

Stay ahead of the game by diving deeper into the world of payment processing.

Subscribe for Updates

Have questions or need expert insights?  Contact us.