(Credit:Zain bin Awais/PCMag Composite;Aleksandra Konoplia/Talaj/FactoryTh/via Getty Images)
Ever stopped to think about how woefully insecure credit and debit cards are? After all, the chances are good that you have at least one payment card in your wallet right now with a visible account number, expiration date, or verification code. Anyone with a smartphone camera could take a photo of it while you swipe at the register, or when you hand over your card to staff at a restaurant.
That rarely happens, though, right? Instead, credit and debit card numbers are often swiped using less detectable, and in some cases, totally digital methods. For example, criminals use tiny "skimmers" attached to ATMs and payment terminals to pilfer your data from the card's magnetic strip, or magstripe. Even smaller "shimmers" are wedged into card readers to attack the chips on newer cards. There's also wireless skimming, which uses Bluetooth technology to send your credit card details to criminals.
The first step in defending yourself from these scammers is to understand more about their methods. Read on for a complete rundown of the ways the bad guys attempt to steal your data—and your money.
What Are Skimmers?
Skimmers come in all different shapes and sizes, and as noted above, they are notoriously difficult to detect with the naked eye. Below is a non-exhaustive list of skimmer types, followed by advice for detecting the devices (where possible).
Fake Card Readers
Some criminals are pretty brazen and will remove a legit card reader from a bank machine or a gas pump and install an identical-looking reader that isn't connected to the machine. Instead, the device sends your card information to the scammer. In a 2024 blog post, NordVPN advised readers on how to find these types of skimmers by physically touching the card reader. If it wiggles a bit and doesn't seem to be fully connected to the ATM, or the reader is a different color or shape than the readers on other nearby machines, don't use that one.
Internal Skimmers
These little devices are malicious card readers, hidden within legitimate card readers, that harvest data from every person who swipes their cards. After letting the hardware sip data for some time, a thief will stop by the compromised machine to pick up the file containing all the stolen data. With that information, they can create cloned cards or just commit fraud. Perhaps the scariest part is that skimmers often don't prevent the ATM or credit card reader from functioning properly, making them that much harder to detect.
Keypad Overlays
Criminals may also place overlays on top of an ATM's keypad. These devices log customers' PIN codes as they enter them on the ATM. So if a machine looks well-worn, but the keypad appears to be brand-new, consider using a different ATM.
Overlay Skimmers
Getting inside ATMs is difficult, so ATM skimmers are sometimes fitted over existing card readers. Most of the time, the attackers also place a hidden camera somewhere in the vicinity in order to record personal identification numbers, or PINs, used to access accounts. The camera may be in the card reader, mounted at the top of the ATM, or even in the ceiling.
This picture is of a real-life overlay skimmer in use on an ATM. Do you see that weird, bulky yellow bit? That's the skimmer. This one is easy to spot because it's a different color and material from the rest of the machine, but there are other telltale signs. Below the slot where you insert your card are raised arrows on the machine's plastic housing. You can see how the gray arrows are very close to the yellow reader housing, almost overlapping. That is a sign that a skimmer was installed over the existing reader, since the real card reader would have some space between the card slot and the arrows.
Wireless Skimmers
You'll need to look around the ATM to find this type of skimmer. These wireless devices are placed on the ground near an ATM and use Bluetooth technology to scoop up your banking information when you enter your PIN. Criminals don't have to be near the device in order to get the data, making them harder to track down.
The good news is that ATM manufacturers haven't taken this kind of fraud lying down. Newer ATMs boast robust defenses against tampering, sometimes including radar systems intended to detect objects inserted or attached to the ATM.
Card Shimmers
In addition to skimmers, which sit on top of the magstripe readers, criminals also use shimmers, which are inside the card readers. These are very, very thin devices and cannot be seen from the outside. When you slide your card in, the shimmer reads the data from the chip on your card, much the same way a skimmer reads the data on your card's magstripe.
The shimmer pictured below was found in Canada and reported to the RCMP. It's little more than an integrated circuit printed on a thin plastic sheet.
Stay Aware to Stop Credit Card Scammers
Even if you do everything right and go over every inch of every payment machine you encounter (much to the chagrin of the people behind you in line), you can be the target of fraud. But take heart: As long as you report the theft to your credit card issuer or bank as soon as possible, you will not be held liable. Your money will be returned. Business customers, on the other hand, don't have the same legal protection and may have a harder time getting their money back.
Check out PCMag's guide to stopping ATM scammers in their tracks, but if you take away anything from this article, I hope it's a reminder to pay attention. Read your credit card statements and act quickly if you find charges you don't recognize. If something doesn't feel right about an ATM or a credit card reader, don't use it. Whenever you can, use the chip instead of the strip on your card. Your bank account will thank you.
Fahmida Y. Rashid and Max Eddy contributed to this story.