Consumers

What is skimming?
Skimming is any attempt to acquire the data from a credit or debit card transaction. Thieves use this information to create counterfeit cards or to make web-based purchases. Skimming most often involves placing a small electronic device over a terminal; the criminal later collects the device to download the card data. In some cases, thieves will open a dispenser to place the skimming device(s) inside and transmit the information over Bluetooth or text messages.

Help! I found a skimmer, what should I do?
Customers should immediately report it to someone at the store. The store, in turn, should:

  • First and foremost, stop the criminal activity, and take the dispenser offline to discontinue transactions.
  • Have a technician identify the device, but do not remove or touch it.
  • Call the police. Remember, this is a crime scene and the perpetrators are probably doing the same thing to other retailers in the general area. Also, the Secret Service and FBI are frequently involved in large cases; let the police handle this. After the investigation, ask for a dated police report.
  • At this stage, it is unknown if any of the cards used at the potentially affected dispenser(s) have been compromised, so don’t assume they have been.

Types of skimming devices
There are two basic types of skimming devices: internal and external. External skimmers are placed on the outside, on top of the credit card slot. Internal skimmers are placed inside the dispenser and are more difficult to detect. Internal devices are installed by opening the dispenser door and inserting a skimmer.

External Skimmers

  • Credit Card Reader
    • Check the card reader opening by jiggling/pulling on the card reader itself. It should be solid and not move. Most skimmers are temporarily installed with double-sided tape and will come off easily if pulled. Look inside the card slot to see if any device has been placed within the normal space, or if anything looks “different” in the size or shape of the card slot.
  • Keypad
    • External skimmers are installed over an existing keypad. There are some tell-tale signs that an external skimmer has been installed:
    • Check to see if the keypad is raised by running your fingernail along the edge. A skimmer is also likely to be loosely installed and will wiggle.
    • Look for weathering on the keypad. Most fuel dispensers get weathered because of the elements and a new keypad on a weathered dispenser should be a warning sign.

Internal Skimmers

  • Look to see if the dispenser door appears to have been forced open. In some cases, the door does not align properly or has unusual scraping or wear around the edges.
  • Check for broken security seals around the cabinet door.

Can I use my cell phone’s Bluetooth to detect a skimmer?
Using a smartphone’s Bluetooth is not an accurate or reliable way to detect the presence of a skimmer. A cell phone’s Bluetooth can pick up signals from nearby vehicles or bystanders up to 30 feet away, which can create false positive readings.

Additionally, Bluetooth naming is not regulated — while a random string of numbers and letters on a device list might appear suspicious, that does not mean the signal is being emitted from a skimmer on the pump.

Ultimately, relying on a Bluetooth signal to detect a skimmer can cause a pump to be shut down – often for several weeks – which can negatively impact a convenience store, the owners, employees, and customers.

Advice for consumers

  • Use payment terminals and ATMs at established retail or banking locations, where access to the device is controlled by on-site personnel.
  • Use a PIN whenever you can; it significantly reduces your risk of compromise and leads to lower retail prices.
  • Place reasonable limits on the daily or weekly withdrawals from ATMs.

There are no reliable statistics on the extent of skimming, since it is a local crime and not centrally tracked, but experts say it is on the rise. How big is the risk? According to the National Association for Convenience Stores:

  • 37 million Americans refuel every day.
  • Of them, 29 million pay for fuel with a credit or debit card.
  • When skimming occurs at a gas station, it usually takes place at only one pump.
  • A single compromised pump can capture data from 30 to 100 cards per day.