How to avoid your bank card getting cloned and money stolen

South Africans should be aware of the various techniques used by criminals to skim or steal their bank cards, which can include elaborate social engineering tricks and posing as bank employees, SABRIC CEO Nischal Mewalall has said.

According to the South African Banking Risk Information Centre (SABRIC), victims of reported counterfeit credit card fraud lost a combined R37.2 million in 2019, whereas losses from debit card cloning stood at R50.3 million.

Counterfeit card fraud, or card cloning, starts with the stealing of information from a bank card’s magnetic strip using a skimming machine.

This device can capture details including the card number, card holders’ name, and the card’s expiry date. This data is then used to illegally manufacture a card that can perform transactions using the genuine card’s details.

While this type of crime has declined in recent years, in part thanks to the rise in NFC-based contactless “tap-and-go” payments, it still remains a big problem in South Africa.

SABRIC CEO Nischal Mewalall warned bank customers to firstly be wary of clever social engineering tactics which are used by criminals to manipulate victims into handing over their cards or swiping them through skimming devices.

“It is important to note that criminals who purport to be banking officials often look very professional and are insistent on offering ‘assistance’ in a fictitious scenario that they have orchestrated to confuse bank customers,” Mewalall stated.

“This confusion is what makes bank customers vulnerable to accepting this ‘assistance’, creating the opportunity for criminals to defraud them.”

Mewalall said there were two main ways in which card details were skimmed by criminals.

The first is by using a handheld skimming device.

This typically occurs at a bank ATM, where a fraudster posing as an employee of the bank would approach a customer and coerce them into swiping their card through the device.

Mewalall explained that in one version of this scam the criminal would claim the bank card has been deactivated and request the customer to re-activate it by swiping it through a skimming device.

This can happen before or after a customer withdraws money, and often involves a second or third person who “shoulder surfs” and sees the PIN the customer used.

In other cases, the ATM card reader entry slot could be damaged and a card fraudster would offer to escort the victim to another nearby ATM to attempt the withdrawal.

En route to the ATM, the criminal obtains the card and quickly skims it through the device while the customer is not looking.

They then observe the customer as they type in their PIN and are able to access the customer’s bank accounts at a later stage.

“What makes this scenario so alarming is that the victim is handed back the original card only to discover that money was withdrawn from the account much later.”

Mewalall further advised customers to be vigilant when using their cards to pay at restaurants, fuel stations, and toll gates, where workers themselves may be partaking in card cloning and could skim the card while the customer is not looking.

“The golden rule is to never let your card out of your sight when making payments,” Mewalall emphasised.

He also warned there have been instances where a handheld card reader was temporarily attached to an ATM with a notice requesting that customers swipe their card before or after using the ATM.

Another popular method for skimming at an ATM is to use a mounted skimming device which is placed over the actual ATM card slot.

“These devices are created to look like a card reader slot and fit seamlessly over the slot, making them difficult to detect,” Mewalall said.

“The false reader in the skimming device acquires the magnetic strip data and the PIN is compromised by means of a spy camera installed within the mould containing the skimming device.”

Most of these ATM-mounted skimming devices do not interfere with the ATM when used, which makes them difficult to identify.

There are also devices which can be overlayed over the ATM’s numeric keypad to capture your PIN.

The images below from ShieldYourPIN — an online resource which aims to help banking customers defend against ATM skimming — show what ATM mounted skimming devices, PIN pad overlays, and hidden cameras could look like.

In short, Mewalall summarised these tips for protecting your card from being skimmed:

Follow the instructions on the ATM screen carefully.
Be alert to your surroundings.
Do not use the ATM if there are loiterers or suspicious people in the vicinity.
Be aware that fraudsters are often well dressed, well-spoken and respectable-looking individuals.
If you are disturbed while transacting at the ATM, your card may be skimmed by being removed and placed back into the ATM without your knowledge. Cancel the transaction immediately and report the incident using your Bank’s Stop Card Toll free number which is displayed on all ATMs, as well as on the back of your bank card.
After successfully transacting at the ATM, leave immediately. Be cautious of strangers requesting you to return to the ATM to finalise any transaction as skimming may occur during this request.
Never force your card into the slot if you experience initial difficulty, as it might have been tampered with.
If your card is swallowed by the ATM, do not leave the ATM before you have cancelled your card.
Know what your ATM looks like so that you can identify any foreign objects attached to it.
Do not ask anyone to assist you at the ATM, not even the security personnel guarding the ATM or a bank official. Go into the bank for assistance.
Do not insert your card if the screen layout is not familiar to you.
Whether you are at a restaurant, retail stores, filling station or tollgate, ensure that you never lose sight of your card.
Check your balance regularly and report discrepancies to your bank immediately.

One way to lower the chances of your card getting skimmed is to use contactless payments, and cardless or contactless ATM withdrawals. These options are safer because the card never leaves your hand.

Mewalall said the only risk contactless payments carried was if the card was stolen and not reported immediately.

However, these transactions are limited to a predetermined number of low value transactions on any specific day, after which a PIN would be required to complete a transaction.

This discourages criminals from using this technique.

Mewalall added that contactless payments also receive higher levels of surveillance as far as fraud was concerned and were therefore much safer.

South African issued contactless cards are embedded with an RFID (Radio Frequency ID) tag, which is read together with the card’s EMV chip, which is encrypted.

Even if a criminal tapped a victim’s contactless card using an NFC reader, Mewalall said that all they would get is the card number and expiry date.

“Neither the CVV nor the PIN number would be exposed, both of which the criminal would need to make fraudulent online purchases.”

The images below show one of FNB’s tap-enabled ATMs.