Card skimming and counterfeit card fraud remains a big problem in South Africa, with criminals using increasingly sophisticated technologies to catch unsuspecting victims.
The South African Banking Risk Information Centre’s (Sabric) recent Card Fraud report showed that 1,377 handheld skimming devices were recovered by either the SAPS or bank investigators over the last decade.
During 2014, the majority of handheld skimming devices were recovered in Gauteng (38), KwaZulu-Natal (13), and the Western Cape (9).
Card skimming also happens at ATMs or at points of sale. Between 2007 and 2014, 237 ATM-mounted skimming devices were recovered.
Over the last year ATM-mounted skimming devices were found in four provinces. Gauteng had the highest number retrieved (32), followed by the Western Cape (13), Mpumalanga (3), and Free State (1).
Card skimming technology getting smaller
Krebs on Security recently released information about a new card skimmer, which is so thin that it can fit into a card slot on any ATM.
The device is powered by a lithium coin battery, and is shown below.
These devices are typically used in conjunction with a small camera to capture a user’s PIN, which gives criminals the ability to clone a card and withdraw cash at will.
Stealing your PIN using thermal technology
Armed with a smartphone and a thermal imaging attachment, criminals can easily steal your PIN.
Because you leave behind a thermal signature when you press buttons, criminals can use a smartphone with a FLIR ONE thermal imaging attachment to figure out your PIN.
Because there is a time lapse between the time you press the first and last buttons, it is easy to figure out what your PIN is.
The image below shows an example of how easy it is to see what a person’s PIN is using this technology.
Luckily there is a way to stop criminals from stealing your PIN using this method – just lightly touch some other keys on the keypad.
The following video show how the technology works, and how to avoid falling victim to this PIN theft attack.
Handheld card skimming devices
Handheld card skimming devices are widely used by criminals to steal bank card information from victims at ATMs.
Criminals typically use social engineering – like telling a victim they are from a bank – to convince victims to swipe their cards through a skimming device.
An accomplice who is loitering around the ATM then “shoulder surfs” to steal the victim’s PIN.
The stolen card information is used to manufacture a counterfeit card, which, when matched with the PIN, is used to make fraudulent transactions.
The images below show some examples of handheld skimming devices which you should watch out for.
ATM-mounted card skimming devices
ATM-mounted card skimming devices work similarly to handheld card skimming devices, but are fitted on an ATM.
These devices are difficult to recognise as they are manufactured to match the look of the ATM it is installed on.
Before you withdraw money at an ATM, you should always inspect the machine and cover the number pad with your free hand when entering your PIN.
Here are some commonly-used ATM-mounted card skimming devices.
Stealing your PIN at an ATM
There are many ways through which criminals can steal your PIN at an ATM – looking over your shoulder, installing a small camera, and even installing a fake keypad.
The first two are widely used in South Africa, but according to Sabric they have only recorded one incident where a fake keypad was recovered off an ATM.
However, just like with card skimming devices, anyone withdrawing money from an ATM should be on the lookout for shoulder surfers, small cameras, and fake keypads.
Card skimming at retail points of payment
The skimming of cards can also take place at a merchant point of payment, using devices which have been tampered with.
Personnel working at retail outlets such as waiters and cashiers are often provided with handheld skimming devices by card fraud perpetrators.
The PIN is either stolen by peaking when the victim enters it, or by using thermal technology.
Advice from First Calgary Financial is simple: if you cannot insert your chip card with your thumb pointed at the device and have your thumb remain fully on your card, do not enter your PIN.