ATM Card Shimming

I have one atm card. Use it a handful of times a year, and only at the local bank itself (inside). Otherwise credit cards all the way.

Don't care much for text alerts, but do prefer email notifications. They're set up on all the cards for any transaction over $1.

But, I'm sorry to hear you had that experience but glad you were notified and I hope your financial institution covered the loss..

The same thing happened to me. The thief had cloned my debit card without ever having it, and he knew the PIN. Do you know the PIN rides around on the chip on the card?

I called the bank and cancelled the debit card. $500- was stolen. They told me to make a police report. Later, the bank credited my account. The bank took the hit because their security was not good enough.

the alert was from one of my credit card saying card was used outside of states when I was sitting watching TV. I hit NO to have it denied.

The more they make things easier for us 'electronically' the easier it gets for thieves to rob us blind without ever leaving their room.

Exactly the reason we stopped using the ATM/Debit card except at the bank's ATM.

My daughter has had this happen to her twice. But she still uses it and does not use credit cards online. I keep telling her to just put all her money outside on the steps and hang a sign saying "come get it".

Things I do when I withdraw from ATM:
- cover the keypads with my left hand + wallet
- touch all the keys (in case there's a hidden infrared cam watching the keypads)

However, if what you say is true and my card gets skimmed, what I did above is completely useless if thieves can just read the PIN from the skimmed card.

Since the start of pandemic, my spending habit has changed from 99% cash to 99% credit card transactions. I don't want to deal with cash change.

The thief cloned the debit card even though I had never used the card anywhere except the bank's ATM, which is located inside the bank. The debit card was never in or near any other card reader.

I've never before used a ATM or debit card as I never saw a need for them. For most everything I use a credit card as I receive a rebate of 2% on everything and as high as 3-4% on a few things.

One change I've noticed in the past few weeks and I didn't sign up for it are e-mail notices from my credit union of withdrawals and deposits of greater than $100. The e-mails just recently started showing up. I think the e-mail notices are useful so I left the notices in place.

Just today I was notified of my state income tax refund deposit. A couple of weeks ago I was notified of a Federal Income Tax withdrawal that I had authorized on my 2021 tax filing.

I find these new notifications serve a useful purpose.

Does your card have a RFID chip on it? There are readers that can read your card from a foot away. In someones's pocket they only have to get close to you.

at some point the odds are you'll get a gas pump, cash machine or other process point that has a skimmer. Monitor your accounts via email, text alerts or via phone or internet. The bank should reimburse your account for unlawful charges but you usually have to fill out some forms and/or file a police report.

There is a lot of info/video on this topic. Here's a couple..
https://www.youtube.com/watch?v=M-c9IU11KmY

https://www.youtube.com/watch?v=AF6gkCPHk38

Yes, my debit card has an RFID chip. It was billed as a security upgrade from the magnetic stripe.

I was previously aware of the possibility of skimming the chip with a nearby device. The two cards in my wallet are protected with RFID blocking cards, probably not as good as a Faraday Cage.

It is part of my routine "daily computing" process every morning to visit my three credit cards' recent transaction lists. Usually this is quite boring, but once I learned I had just made a $700+ purchase from a hunting dog supply house several states away. It was not hard to figure out that was a problem.

In that case, the perpetrator had managed to convince my credit card processor he was I, and got the address for the card changed. Fortunately the hunting dog supply house smelled something wrong, and had not yet shipped the order when I contacted them.

Good post as a reminder to everyone. I tried a gas station ATM once and the part where you slide your card was a little loose. I wasn't sure if there it was a skimmer, but I didn't use it anyway. I also reported it to the attendant.

That's not entirely correct. I've had fraudulent charges on my credit card. Didn't have to fill out anything or a file police report. All I did was calling the financial institution. They took off the fraudulent charge right away.

I have never used debit card to pay for anything.

I am one of the folks who check my balances daily, now, I used to check once a week. One day my credit card had a couple dozen small charges from Uber. I've never been in an Uber, or Lyft, so I called the fraud protection unit of my card company. We handled everything over the phone, verifying any changes that were mine and those that weren't, mostly Uber but a couple fast food type places too.

Here's the kicker, while I was on the phone with the fraud dept they were still using my numbers. The company closed my card and issued me a new one while we were on the phone, and the idiots were now charging the new card, this happened to two more newly issued cards (numbers).

Turns out that it was supposed to be a feature, that if you lost your card you could still use the numbers and any charges would be forwarded to the new card, until you got the new number and card, some feature. And get this, the only way I was able to stop it was by putting a permanent block on any more Uber charges.

I had to make a couple more calls about the incident but it was finally able to straighten over a few days and calls.

Like I said before, life today has made it so much easier to get robbed. The thieves no longer have to look you in the eye, or knock you over the head from behind. A keyboard and an internet connection is all they need, well that and some high tech thieving devices.

That's the most bizarre credit card scam story I've ever heard. Thankfully it has only happened to me twice in 30+ years having credit cards in my possession. I didn't have to pay any of those fraudulent charges.

The last scam was close $1000 spent somewhere at Christian Dior in NY. I live in Los Angeles and I don't travel often. My card has just gotten a chip that's supposed to make it difficult to "steal". I used it once at a parking meter in Beverly Hills.

I just remembered what the "feature" was for, if you had any recurring charges to your card, for example a subscription or monthly auto bill payment, the charge would forward to the new number so it wouldn't bounce giving you time to give those places your new number.

Good advice!

In addition to text alerts, I have my ATM card linked to a separate bank account with a small balance.

I wouldn't use an ATM card at all except it's handy to have when travelling. It's safer than carrying a lot of cash and cheaper than the credit card cash advance fees.

And to top it off, we can put all these wonderful financial tools into our electronic wallets on our phones!

Ain't technology grand?

I need my debit card to get cash for my almost six months stay in Mexico. But i only use the ATM at a bank branch.

But in my travels I’ve seen “ATM” machines in various stores etc. That’s all it said on the machine “ATM” no bank info, nothing. I don’t want to be callous, but if you use one don’t go crying you’ve been ripped off.

a few years ago.

NJ has full serve gas and you hand the attendant a credit card. Normally it's there in the pump. At Costco, leave it to them to have good policies, they hand it back immediately, it's not left at the pump.

One time it took maybe 15 minutes and I saw the guy with my CC in his hands, and there were cars in every direction waiting to pull up to a pump, dark, at night. Just seemed unusual.

A couple days pass and there is a charge for over $3k made in Sri Lanka.

Credit union asked if I'm sure I didn't make the charges, and I guess being a credit union I had to sign an affidavit and have it notarized.

This same credit union gives us 5% cash back on gas no limits permanently--it's deducted every month automatically. So we don't have to bother with rotating categories. We had a groceries 5% for a year that's since expired, so we play rotating categories with food.

Last Dec. I got an email, sign up for paperless and autopay, get $150. Hmmm not bad sure, will I really get it though? Yep, 45 days later $150 statement credit.

Sometimes imho credit unions offer value. Although they don't have the same rules as a commercial bank.

Usually happens when you dine out. Criminals pay restaurant workers to skim your card. Other than that I've seen skimmers on gas pumps and atm machines. Always grab and shake the face where the card goes in to see if it comes off (probably a skim device). If it does alert one of the bank / store worker of what you found.

I do this, thankfully I've never found one, but have been places where one was reported to have been.

On to topic of security, any of you use virtual account numbers?

Citibank and capital one offer this. I'm 100% sure of citibank as I have accounts with them. The system allows you to generate a number with an assigned dollar amount and/or expiration date. It takes a few seconds to do so, but the benefit is main number is never shared with anyone.

Of course this only works for phone/online orders, not physical stores. I would imagine a restaurant should have an option to bring a terminal to the table for you to swipe.

When dining in Europe I don't think my CC was ever taken out of my sight. Waiters brought handheld CC readers (with a printer) to the table. This was pervasive, not just in fancy joints.

^^Wonder what happens if someone requests that at a US restaurant. No terminal to bring to the table. No problem. I will accompany you to the register.

Is that if they can't provide a receipt with your signature on it you can dispute any of the charges. PERIOD.

Now I remember in Ft Lauderdale 2005. Unrecognized charges and the cc was only used 1X in a restaurant. Same thing, but that was one of the big cc cos, no affidavit needed, charges removed in a few days.

In this day and age, there is really little reason for a cc to leave one's possession.

We are behind. I remember traveling to Canada maybe 2016 or so. All readers were chip enabled and many of my CCs either didn't have a chip, or they weren't used yet. Never able to transact without a human override. Then, not today.

rare miss too at Costco gas Canada. Maybe 2017. They accepted amex in Canada, we Visa. Membership card is on Visa. Put it in pump, rejected. tons of people gassing up in Mississauga self serve, now the American is holding up everyone cuz his membership is on an American Visa. Wasn't the case in 2019 so resolved.

As I type a flaw in their process for self serve gas. If you tap to pay with the Costco Visa? It reads the membership and you're on the hook to pay with the Costco Visa. Why I don't want to? It only does 4% reward when I have a permanent 5% cash reward for gas Visa.

So the only way to do it is to slide the Costco Visa in, for the membership, and then choose other payment method, and now tap or slide the 5% cash Visa. That's not well thought out, esp if their pumps are lined up. UPS trucks have no doors, ms matter, both in networking, and life.

I haven't used a credit card at a costco pump in ages. Buy giftcards whenever one of the CC's has a 5% offer (paypal, warehouseclub, etc.). Buy upwards of $1K worth. Lasts a while.

I have not been to the US Since 2019. But the last time I went. I remember how creepy it was to be required to hand my card to other people. That does not happen in Canada. The card never leaves my hand when paying. In Canada I insert it in the machine and type in the pin or for small amounts it's tap and go. Also found it so unbelievable that gas pumps, in the US, still used magnetic strips to pay. Not the chip. The information on the magnetic strip is not encrypted. That is the information that is skimmed. Not from the chip.

The pin is not stored in the card. If it is in the US, that would be incredibly dumb. It is stored at your financial institution. When a transaction is submitted for approval. Their servers compare your pin with the one typed in the terminal. There is no reason for the pin to be on the card.

When using tap and go feature. The payment amount is limited. Some small stores can't do it at all. But the rest have a limit of $200. The chip on your card makes a rolling code and that code can only be used once. So if your chip was successfully scanned by a criminal. The max it could be used is once for $200.

My bank debit card is only used at the bank. I know it it is safer now that it is chip and pin. Still only use credit card.

I change my cards pins about once a year. It only takes 10 or 15 minutes, 3 financial institutions, 4 cards.

I always use a credit card and never a debit card. With a credit card you are protected, with a debit card you are pretty much on your own.

I had to use debt card at Iceland gas station when it asked for my credit card PIN which I did not have it set up then. It is advised to have PIN ready for the card you plan to use internationally. I did not have issue using chipped CC in other places.

In the mid '80s I went to a dog & pony show put on by the NIST demonstrating "stuff of interest" and some of their research directions. They had a strip reader and I passed my card thru and besides what you'd expect there was a PIN! The biggest reason that I was surprised was that I didn't even know I had a PIN. Remember,,, this was the mid '80s.

If you think about it, the PIN had to be on the card for the reader to function during a communication failure. Remember, this is all about maximizing profits. As long as an occasional loss was smaller than the profits that would have been missed during an outage all was OK. Your feelings of insecurity or mine are irrelevant. Even I understand this this is no longer the mid '80s and things may have changed. I have to ask how he reader can work during a communication failure without some kind of local PIN access.

I live in a small town and have experienced it several times. If the communications go down, the credit and debt cards don't work.

Yup.. and beleive it or not, it was stored on a part of the mag stripe that was 75 BPI !

If you could get some magnasee, ( Its a hydrocarbon solution with magaitized ferrite powder ), some 1 inch wide scotch tape, a microfiche viewer and a thin peice of clear plastic and you knew where!and how to decipher the pin, it was easy to figure out the pin! Had to prove it to a comp-sci professor!

Yup.. and beleive it or not, it was stored on a part of the mag stripe that was 75 BPI !

If you could get some magnasee, ( Its a hydrocarbon solution with magaitized ferrite powder ), some 1 inch wide scotch tape, a microfiche viewer and a thin peice of clear plastic and you knew where!and how to decipher the pin, it was easy to figure out the pin! Had to prove it to a comp-sci professor!

Yes. Federal Law (US) protects credit card users much, debit cards not so much. Might be called the Fair Credit Act (FCA).

So far, the 2X we've bought tires, Chase Visa had a 5% rewards.

My buddy scoffs at it, says he only uses cash, follows Dave Ramsey.

I just cashed in our two Chase rewards from two cards, and it was over $700. One of them was 5% groceries for a year, now expired, so we don't use it anymore (Freedom Unlimited). We have as mentioned, a permanent 5% cash on gas, so no need for gas revolving categories.

The key? We tend to use the credit cards for necessities, not frivolous purchases. Pay off every month. I tell my buddy I won't leave it on the table, but he sticks to his Dave Ramsey saying credit is bad cut it up.

p.s. had a buddy say when a supermarket opened, they sold $1,000 gift cards for $800. He bought 2! I wasn't as brave. I'd be afraid they go oob or something. Just a local 2 location supermarket.

That is incorrect. Federal Reserve Regulation E protects you against debit card fraud, as long as you report it in a timely manner.

With a debit card, your liability depends on how long it takes you to report the fraud.

Most credit cards are safer:

https://www.nerdwallet.com/article/credit-cards/credit-card-....

That's part of the problem with the RFID chips. I keep my cards inside a wallet that is claimed to provide shielding that prevents this issue. I have no proof that it works as claimed, but so far none of my cards has been cloned.

I also have my accounts set up to notify me by e-mail when they are used. This is not a guarantee of protection, but it does provide an extra level of security.

- Tom -

Interesting article. I was lucky that my credit union gave me $0 liability for the transactions. Without text or e-mail notifications one would need to be pretty diligent in checking account balances to detect the fraud within two days. You can bet that the perpetrators will attempt to get as much money out as possible before the fraud is detected.
Mark

Every bank, financial institution or credit/debit card issuer is different and it depends on the charge, who detected the charge, (the banks fraud dept. or you did), how it was done (phone or in person) and where. Usually was meant to mean usually, not every time. You should check with your card issuer as to what their specific procedure is.

I have this as well, won't stop your card from being used but you'll be able to stop it quicker from creating more of a headache.

The contactless chip IS far more secure than the magnetic stripe, but unfortunately your card also has a magnetic stripe, which is the weak spot.
Even if the contactless chip is read by a crook, the crook can only make one transaction, since the chip has to regenerate a new internal code for each transaction.

It's not as common with US issued cards, but some credit/debit cards DO have the PIN stored on the card ("offline PIN"). It is always stored encrypted so there is strong assurance it can't be obtained even by someone who technical expertise and physical control of the card. This allows purchases (to a limit) to be made at kiosks that are not connected to phone/network. These kiosks are more common in Europe, at train stations, gas stations, etc. Changing an offline PIN requires the chip to be read, either at an ATM, a POS, or on a computer with a smart card reader. Diners Club and the United Nations Credit Union offer cards with offline PIN in the USA

Changing an "online" (not stored on the card) PIN for a Bank of America credit card requires US mail and a stamp. Go figure.

It's not a matter of if your debit or credit card will get scammed, it's a matter of when.