IT Security

Skimming & Digital Skimming

What is Skimming and Digital Skimming?

Skimming. A skimming attack is one in which a third party gains unauthorized access to your financial information through an ATM, fuel pump, or point-of-sale (POS) terminal. Skimming devices typically record the personal identification number (PIN) of the cardholder and store it on an attached microchip or magnetically on a strip of tape. The PIN can later be used to withdraw money from the account. Fuel pump skimmers are usually attached to the internal wiring of the machine and are not visible to the customer. ATM and POS skimmer devices usually fit over the original card reader and can include pinhole cameras or keypad overlays to record PINs. Tips to protect yourself from skimming attacks¹:

  • Choose a fuel pump that is closer to the store and in direct view of the attendant. These pumps are less likely to be targets for skimmers.
  • Run your debit card as a credit card. If that’s not an option, cover the keypad when you enter your PIN.
  • Consider paying inside with the attendant, not outside at the pump.
  • Inspect ATMs, POS terminals, and other card readers before using. Look for anything loose, crooked, damaged, or scratched. Don’t use any card reader if you notice anything unusual.
  • Pull at the edges of the keypad before entering your PIN. Then, cover the keypad when you enter your PIN to prevent cameras from recording your entry.
  • Use ATMs in a well-lit, indoor location, which are less vulnerable targets.
  • Be alert for skimming devices in tourist areas, which are popular targets.
  • Use debit and credit cards with chip technology. In the U.S., there are fewer devices that steal chip data than magnetic stripe data.
  • Avoid using your debit card when you have linked accounts. Use a credit card instead.
  • Contact your financial institution if the ATM doesn’t return your card after you end or cancel a transaction.

Digital skimming. A digital skimming attack (also known as e-skimming or online card skimming) infects e-commerce sites with ‘sniffers’, malicious code also referred to as JavaScript (JS) sniffers. Similar to physical skimming attacks, digital skimmers skim payment data from the input fields of existing payment forms on e-commerce websites, or hijack users by redirecting them to fake checkout pages. In digital skimming attacks, cyberattackers exploit security weaknesses in website shadow code, including third-party JavaScript and open-source libraries, as well as misconfigured permissions on Amazon S3 buckets and GitHub repositories. Digital skimmers inject malicious code into the third-party scripts on the website, where it can then steal credit card data. Tips to protect your site from digital skimming attacks:

  • Scan for vulnerabilities regularly
  • Take inventory of your attack surface
  • Follow web-app security best practices
  • Conduct penetration tests
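As an added illustration of the "take inventory of your attack surface" tip (example code written for this page, not from the original text or the FBI source): a small Node.js audit that lists every external script a checkout page loads, flags origins outside an approved allowlist, and flags scripts loaded without a Subresource Integrity hash, since a modified third-party script is exactly where a digital skimmer hides. The checkout HTML, the allowlist and the integrity value are constructed placeholders.

```javascript
// Added example (not from the original page): inventory the <script src>
// tags on a checkout page and flag the two conditions digital skimmers
// rely on: an origin nobody approved, and no Subresource Integrity (SRI)
// hash, so a tampered copy of the script would load unnoticed.
// Deliberately regex-based so it runs with plain Node and no dependencies.

const ALLOWED_ORIGINS = new Set([        // constructed allowlist
  "https://cdn.example-shop.test",
  "https://js.payment-provider.test",
]);

const SAMPLE_CHECKOUT_HTML = `           
<html><head>
<script src="https://cdn.example-shop.test/app.js" integrity="sha384-PLACEHOLDER"></script>
<script src="https://js.payment-provider.test/checkout.js"></script>
<script src="https://stats.unknown-cdn.test/track.js"></script>
<script>window.cfg = {};</script>
<script src="/static/form.js"></script>
</head><body><form id="payment">...</form></body></html>`; // constructed page

// Return one record per external script: its origin, whether SRI is set,
// and the list of problems found ("unapproved-origin", "missing-sri").
function auditScripts(html, allowed = ALLOWED_ORIGINS) {
  const findings = [];
  const tagRe = /<script\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = m[1];
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(attrs);
    if (!src) continue;                   // inline scripts are out of scope here
    const hasSri = /\bintegrity\s*=\s*["'][^"']+["']/i.test(attrs);
    const raw = src[1];
    // Protocol-relative URLs ("//cdn...") are still external; resolve them.
    const absolute = raw.startsWith("//") ? "https:" + raw : raw;
    let origin;
    try { origin = new URL(absolute).origin; } catch { origin = "relative"; }
    const problems = [];
    if (origin !== "relative" && !allowed.has(origin)) problems.push("unapproved-origin");
    if (origin !== "relative" && !hasSri) problems.push("missing-sri");
    findings.push({ src: raw, origin, hasSri, problems });
  }
  return findings;
}

// Only the entries that need attention, for a periodic scan report.
function suspiciousScripts(html, allowed = ALLOWED_ORIGINS) {
  return auditScripts(html, allowed).filter((f) => f.problems.length > 0);
}
```

Running this on a real checkout page after every deployment turns the inventory tip into a repeatable check; scripts it flags are candidates for an SRI hash, a tighter Content Security Policy, or removal.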

¹ FBI, 2022, “Skimming”