Understanding credit card skimming: how it works and why it’s a threat.
Self-checkout registers are all the rage in today’s commercial landscape, with grocery stores, gas stations, and big box conglomerates adopting the technology to meet consumer demand. But with this extra convenience comes the spread of a lurking danger: credit card skimmers.
Credit card skimmers involve malicious tools designed to illegally capture and record private information, including account numbers and PINs. Some skimmers use hardware installed discreetly on ATMs, gas pumps, and point-of-sale terminals, while others deploy malicious software to infiltrate e-commerce sites and try to steal passwords.
This silent threat has been around for years, with spikes typically reported around the holiday season. But the sophistication of card skimming is spreading, and as criminals continue to devise new ways to intercept sensitive data, these tactics are moving from traditional areas of usage to newly emergent self-pay kiosks. This serves as a stark reminder of the need for cybersecurity vigilance and proactive protection.
The rise of digital theft.
Between 2021 and 2022, incidents of credit card skimming grew more than 300%, according to the data analytics company FICO. More than 3,000 unique financial institutions and 160,000 individual credit cards were impacted in 2023 when reports emerged that Big Y, a major supermarket chain in New England, had fallen victim to a widespread credit card skimming operation that compromised thousands of customer accounts.
The skimmers, discreetly attached to point-of-sale terminals, went undetected for months, resulting in substantial financial losses and irreparable damage to the company’s reputation. In the first few months of 2024, similar types of skimmers have been found at grocery stores in New York, Washington, D.C., New Hampshire, and other Eastern Seaboard states.
This matches a steady increase over the years in online skimmers, which focus on the theft of both credit card numbers and passwords. Hackers employ a variety of techniques, including customized pop-ups, keylogging malware, and brute-force attacks, to try and obtain login credentials and access sensitive information. Smaller online merchants are particularly vulnerable, as outdated content management systems (CMS) and their associated plugins can be easily exploited.
Protecting against online predators.
While the threat of credit card skimmers and password theft may seem daunting, practical steps can be taken to mitigate risk and safeguard sensitive information for both businesses and consumers. Here are a few strategies that CMIT Solutions recommends:
- Stay alert to physical threats. Paying attention to ATMs, gas pumps, and self-pay kiosks can pay off—in fact, a shopper at a Safeway in Washington, D.C., alerted store employees to a skimming operation when he noticed that a keypad on a credit card machine looked newer and slightly different than the ones around it. Any time you notice signs of tampering, loose components, or unusual attachments, alert store employees and do not use your card on that terminal.
- Use secure payment methods. If possible, avoid inserting your credit card into older card readers, instead opting for chip-enabled or mobile payment options. These offer enhanced security features such as tokenization and allow you to avoid entering your PIN in public or shared environments.
- Monitor financial accounts for suspicious activity. Keep a close eye on bank transactions and credit card statements so you can quickly spot unauthorized transactions or suspicious activity. Promptly report any discrepancies to your financial institution and take immediate steps (like changing your login credentials) to secure your accounts.
- Implement multi-factor authentication (MFA). Enable MFA wherever it’s available to add an extra layer of security to your online accounts. MFA requires users to verify their identity using a combination of factors, such as passwords, biometrics, and one-time codes, making it significantly more difficult for hackers to gain unauthorized access if they manage to steal an individual password or credit card number.
- Update software regularly. Keep your operating system, antivirus software, and applications up to date with the latest security patches and updates. Software vulnerabilities are often exploited by hackers to install malware or steal sensitive information, so timely updates are crucial in maintaining a secure digital environment.
- Deploy advanced protection. Trusted IT providers offer further layers of cybersecurity protection that can make a big difference. These include automated monitoring that can detect malicious code embedded into websites, antivirus products that scan for malicious domains and IP addresses, and traffic analysis that can warn users before they enter info into illicit forms.
- Educate employees. Provide comprehensive training to staff members on cybersecurity best practices, including how to identify phishing attempts, how to spot skimming operations, and how to avoid falling victim to social engineering scams. When employees are empowered with updated information and consistent training, they can often serve as the first line of cybersecurity defense.
Credit card skimmers and password theft pose significant risks to both businesses and consumers. But by following the steps outlined above, individuals and organizations can fortify their defenses against these silent threats.
At CMIT Solutions, we understand the risks and benefits of digital commerce and payment convenience. We also know how to spot threats like credit card skimmers and protect both businesses and consumers from this growing threat.
We keep up with the evolving cyber landscape and position our clients for continued success, no matter what payment method or e-commerce tools they use. If you need help enhancing your cybersecurity or better understanding today’s issues, contact CMIT Solutions today.