How your chip-and-PIN bank card gets skimmed and your money stolen

While chip-and-PIN technology is meant to protect bank cards from card skimming, criminals have found ways to work around the chip’s protection.

That’s according to Nathan Desfontaines, who spoke at a recent meeting of the South African chapter of the International Association of Privacy Professionals.

Desfontaines said that although the chip on your bank card protects you from fraud by requiring a PIN for transactions, legacy support for swiping means that cards are still vulnerable.

Floor limits

Skimmers also exploit floor limits that banks afford to clients.

A floor limit is a set transaction value, below which the card machine does not authenticate a transaction with the bank.

Instead, the details of the transaction are held and processed in a batch at the end of an agreed period (daily, weekly, or monthly).

Floor limits are useful in places that deal with large volumes of customers, where the risk of authenticating a transaction later is worth the extra speed. Toll gates are an example.

Swiping without getting a PIN prompt

In South Africa, when you swipe a debit or credit card without inserting the chip first, the card machine tells you to insert the chip end of the card.

This function is controlled by the card’s service code, said Desfontaines.

However, since the service code is stored on the card, skimmers can manipulate it to make the card behave as if it were not secured by a chip and PIN.

Luis Padilla from Universidad Complutense de Madrid published a specification of the data stored on the magnetic stripes of financial cards, including the service codes.

Examples of service codes may be found in a Visa newsletter on mitigating fraud risk through card data verification.

The infographic and photos below of a card skimming demo illustrate how track data is stored and what different service codes mean.

Magnetic stripe data and service code “hacking”

[Infographic: How criminals steal your money after skimming your card]

Card skimming demo

[Photo: IAPP card skimming demo setup]

Card data reader and writer

[Photo: IAPP card skimming demo card reader]

Example card with bank-issued service code

[Photo: IAPP card skimming demo before hack]

“Cloned” card with no-PIN service code

[Photo: IAPP card skimming demo after hack]

Nathan Desfontaines

[Photo: Nathan Desfontaines at the IAPP card skimming demo]
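Because the service code travels in the magnetic stripe data, an issuer can compare the code a swipe presents with the code it originally encoded on the card. The following is an added example, not code from the talk or the article: it parses Track 2 data in the ISO/IEC 7813 layout and reports which protections a swiped service code has lost. The function names, the test card number and the service codes 220 and 101 are constructed for illustration, and the issuer is assumed to keep the issued service code on file.

```python
import re

# ISO/IEC 7813 Track 2 layout:
# ;PAN=YYMM + 3-digit service code + discretionary data + ?
TRACK2 = re.compile(
    r"^;(?P<pan>\d{12,19})=(?P<expiry>\d{4})(?P<service_code>\d{3})\d*\?"
)

CHIP_FIRST_DIGITS = {"2", "6"}       # "use IC (chip) where feasible"
ONLINE_SECOND_DIGITS = {"2", "4"}    # "contact issuer via online means"
PIN_THIRD_DIGITS = {"0", "3", "5"}   # "PIN required"


def parse_track2(raw):
    """Split a raw Track 2 string into PAN, expiry (YYMM) and service code."""
    m = TRACK2.match(raw.strip())
    if m is None:
        raise ValueError("not a well-formed Track 2 record")
    return m.groupdict()


def decode_service_code(code):
    """Report the security-relevant meaning of each service code digit."""
    return {
        "chip": code[0] in CHIP_FIRST_DIGITS,
        "online_auth": code[1] in ONLINE_SECOND_DIGITS,
        "pin": code[2] in PIN_THIRD_DIGITS,
    }


def check_swipe(raw_track2, issued_service_code):
    """Compare a swiped service code with the one the issuer encoded.

    issued_service_code is assumed to come from the issuer's card record.
    """
    seen = decode_service_code(parse_track2(raw_track2)["service_code"])
    issued = decode_service_code(issued_service_code)
    # A protection the issuer encoded but the swipe no longer carries is a finding.
    return [name + "_removed" for name in issued if issued[name] and not seen[name]]


# Constructed sample data: a test card number, not taken from the demo photos.
ISSUED = ";4111111111111111=30122200000000000?"     # service code 220
REWRITTEN = ";4111111111111111=30121010000000000?"  # service code 101

if __name__ == "__main__":
    for track in (ISSUED, REWRITTEN):
        print(parse_track2(track)["service_code"], check_swipe(track, "220"))
```

For a transaction under the floor limit, a check like this can only run when the batch is processed, since the card machine does not contact the bank at the time of the swipe.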
