ShareThis Page
Experts: Card skimmers growing more sophisticated, harder to detect |

Experts: Card skimmers growing more sophisticated, harder to detect

| Tuesday, March 27, 2018 12:51 p.m.

Credit-card skimmers like the one found at a GetGo gas pump in Ross this week are increasingly sophisticated, and might not always be revealed by a quick inspection or broken seal, security experts say.

One of the devices to lift credit- and debit-card information was discovered inside a pump at the gas station on McKnight Road on March 19, and might have been there since as early as Oct. 1, officials said Monday .

Some card-skimming devices on gas pumps, ATMs and cash registers fit over the legitimate card reader and copy a user’s card number, name and expiration date when the user swipes for a purchase. More sophisticated devices can have hidden cameras or a fake keypad that can also capture a user’s PIN as it’s entered, giving them enough information to copy and use debit cards.

A spokesman for GetGo parent company Giant Eagle said the skimmer used at the McKnight Road gas station may have gone undetected so long because the criminals installed it inside the pump, using a side door.

Det. Brian Kohlhepp of the Ross Police Department said he had no photos of the device that he could share, because it had been logged as evidence and locked up. Police had not found any additional skimmer devices in the township as of Tuesday, but there have been others discovered around the region over the last few months, he said.

“A number of agencies in our area have found skimmers throughout the year,” he said. “Every week or two, I’m getting emails from another department that’s found one.”

San Jose-based analytics company FICO reported there had been a 10 percent increase in compromised debit cards in 2017, and 8 percent more card readers at U.S. ATMs, restaurants and merchants — not including online credit card fraud.

“The number of compromises and the number of card members impacted set a new record last year,” said TJ Horan, vice president of fraud solutions at FICO, in a March 7 statement announcing the company’s findings. “While most devices are safe, fraudsters are developing new technology and methods for hacking ATMs.”

Security blogger Brian Krebs wrote in January that criminals are hiding harder-to-detect skimming devices inside legitimate card readers, especially as more banks and credit cards use more secure chip-embedded cards instead of just magnetic strips. Some devices, known as “shimmers,” fit completely inside the card reader’s slot to grab chip data, though they can only be used to clone another magnetic-stripe-only card, and would rely on banks not properly using security features in the chip, Krebs wrote.

Skeptical customers are always advised to look carefully at card readers and keypads on ATMs, gas pumps and registers to see if anything looks out of the ordinary, like a card reader or keypad that’s loose or made of a different material than the rest of the device, according to a guide at . Other signs could include unexpected resistance when inserting and removing one’s card, or security seals that are broken. Even just cupping a free hand over the hand entering a PIN could protect that information from hidden cameras. Kohlhepp also advised keeping a close eye on your bank records to spot fraudulent transactions if your card data has been compromised.

Gas stations have until 2020 to transition to chip-card readers , meaning they could remain more vulnerable to skimming attacks. Giant Eagle said it would accelerate efforts to improve security technology on its gas pumps in response to the Ross skimmer’s discovery.

Matthew Santoni is a Tribune-Review staff writer. Reach him at 724 836 6660, or via Twitter @msantoni.

TribLIVE commenting policy

You are solely responsible for your comments and by using you agree to our Terms of Service.

We moderate comments. Our goal is to provide substantive commentary for a general readership. By screening submissions, we provide a space where readers can share intelligent and informed commentary that enhances the quality of our news and information.

While most comments will be posted if they are on-topic and not abusive, moderating decisions are subjective. We will make them as carefully and consistently as we can. Because of the volume of reader comments, we cannot review individual moderation decisions with readers.

We value thoughtful comments representing a range of views that make their point quickly and politely. We make an effort to protect discussions from repeated comments either by the same reader or different readers

We follow the same standards for taste as the daily newspaper. A few things we won't tolerate: personal attacks, obscenity, vulgarity, profanity (including expletives and letters followed by dashes), commercial promotion, impersonations, incoherence, proselytizing and SHOUTING. Don't include URLs to Web sites.

We do not edit comments. They are either approved or deleted. We reserve the right to edit a comment that is quoted or excerpted in an article. In this case, we may fix spelling and punctuation.

We welcome strong opinions and criticism of our work, but we don't want comments to become bogged down with discussions of our policies and we will moderate accordingly.

We appreciate it when readers and people quoted in articles or blog posts point out errors of fact or emphasis and will investigate all assertions. But these suggestions should be sent via e-mail. To avoid distracting other readers, we won't publish comments that suggest a correction. Instead, corrections will be made in a blog post or in an article.