Information on Merchant Accounts,
Ecommerce and Credit Card Processing

July 13th, 2006 by Jamie Estep

Credit card skimming – too easy to get skimming equipment!

Filed in: Fraud | 7 comments

I have stumbled upon several sites that sell equipment and supplies designed to steal people’s credit card information. These products are normally small stand-alone portable magnetic card readers that store credit card information. These readers are battery powered, and some can store the information from thousands of credit cards.

Card SkimmingA brief overview of skimming:
Credit card skimming is when a person records the information on a credit or debit card without the owner knowing about it with the intention of using that credit card information illegally. Skimming most commonly occurs in restaurants, where the card owner looses contact with the card and a purchase is made. It takes about two seconds to scan a card through a portable reader, and the reader records all of the information on the credit card. Portable card readers are small enough that someone could easily conceal one in the pocket, sleeve, and even in their hand. Occasionally thieves will setup more complex skimming devices at ATM machines, or gas stations, but restaurants are statistically the highest risk for skimming.

What bothers me about these devices in general is that they carry almost no logical, legal purpose, and they are still sold as if they do. There is virtually no practical use for portable card scanners that record the credit card information. Portable magnetic readers like this, depending on how complex, can read not only credit cards, but drivers licenses and any other card that uses a standard magnetic stripe. It is a direct Visa and Mastercard violation (PCI / SDP Regulation) to store any track date, so there is literally no legal use for these devices.

What is on your magnetic stripe:
Magnetic strips on credit cards are actually made up of three strips that contain information. These strips, called tracks, contain all of the information needed for a business to process your credit card through their merchant account. Credit cards normally have information stored on track 1 and 2, and this information contains the card holders name, account number, expiration date, and an encrypted PIN number.

Skimming control:
The government and media have been looking closely at credit card fraud, including the skimming that is done with portable readers like these. But, there hasn’t been any significant laws or legislation placed against actual devices that are created only for the purpose of recording magnetic strips. It is illegal in some states to posses portable card reading devices, but there’s nothing stopping the website’s from selling to people in those states. Website’s that sell these devices enable anyone to order a personal skimming device, without any clarification of their intended use. Portable skimmers can cost as little as a few hundred dollars, and can go up to about a thousand dollars for a high-end reader. There is also a guide located at http://camelspit.org/handyswipe/ that explains how to make low-cost portable card reader.

Once card information has been obtained there are a few options that the thief has. They can attempt to make counterfeit credit cards, sell the credit card numbers, or attempt to make purchases for merchandise online. Often the card numbers are sold to persons with the capabilities to make counterfeit cards. This equipment, which can also be easily purchased, can make a believable replica of a real credit card with the magnetic information from a stolen card can be encoded on it. That card can be used just like a normal credit card. Since only a small percentage of businesses actually check customer Id’s it is very easy for a thief to make purchases with the fake card. Thieves will also commonly try to make online purchases, but the success of this is greatly reduced with the use of Card Verification Codes, since this information is not encoded on the magnetic stripe.

Why should business care about this:
Besides the obvious negatives regarding fraud in general, it is businesses who lose the most from credit card skimming. A card holder has no liability for purchases made fraudulently on their credit card, therefore all liability falls in the hands of the business that accepted that skimmed credit card. A business cannot win a chargeback due to a fraudulent transaction, even if the card was swiped and the receipt was signed. For this reason, businesses need to check the Id of the card holder, and check the signature on the back of the card against the Id. Online businesses need to use card verification, and should always require AVS.

Website’s that sell equipment that could be used to steal credit cards:
http://www.tyner.com/magnetic/compare.htm
http://www.incodenet.com/magnetic/miniport-comparison.htm
http://www.hackershomepage.com/
http://bcdata.com/portablemsr.html
http://www.mag-stripe.com/portable.htm

Conveniently Coincidentally, many of these sites that sell portable card readers, also sell equipment used to make counterfeit credit cards.

Where to report fraud:
If you think that you credit card has been stolen, immediately contact your credit card issuer. They will cancel your current card, send you a new one, and stop any further transactions that may be fraudulent. Also check your credit card and/or bank account statements for signs that of unauthorized use of your account.

If you feel that your identity may have been stolen, contact the three major credit bureaus. Request a fraud alert be placed on your credit file, asking creditors to request your permission by phone before any new accounts are opened.
Equifax – (800) 525 6285 – http://www.equifax.com
Transunion – (800) 680 7289 – http://www.transunion.com
Experian – (888) 397 3742 – http://www.experian.com/

You can also report credit card fraud to the FTC, but it is rare that any formal investigation would take place unless your fraud is part of a larger group of similar frauds.
FTC – (877) 438 4338 – http://www.ftc.gov/

If your credit card, wallet, or purse was stolen, you should file a police report with a local police department as well as cancel your current credit cards.

Additional information related to credit card skimming:
Bankrate – On the dark side of credit card fraud
ICMA – Hypercom Launches Attack on Credit Card Skimming
Microsoft – What to do if you’re a victim of credit card fraud
Transaction World – Credit Card Skimming Growing Trend or Media Hype?

**Disclaimer, there is no implication to any website listed as to whether they do sell equipment to thieves, only that the equipment that they sell could potentially be used for credit card skimming.**

Other blog posts related to skimming:
Fraud Alert: Credit card skimming

7 Responses to “Credit card skimming – too easy to get skimming equipment!”

  1. Pete October 14, 2006 at 3:34 am

    Reading this after a bit of fraud I caught and stopped on my card I learned more than I wanted to know.
    I’m an electronics professional, “retired” and could build one of these if I had a mind to but why?
    What’s three of four hundred dollars for equipment to make fake cards.
    With today’s gas prices using one at the pumps wouldn’t take long to make your money back.
    That’s exactly what happened to me. A fake card was being use to buy gas.
    It went on for several months and the stupid jerk continuously bought gas from the same station at about the same time of the month for about the same amount each time.
    I was lucky as I didn’t loose but about 200.00 dollars.
    The Master Card I have really dissapointed me in their process.
    I now only carry it as a backup to my American Express as there are still some who don’t take AMX.
    AMX takes care of fraud simply and easily.
    Master Card is a bunch of jerks.

    Pete G
    Pearland, TX

  2. Fredrik April 10, 2007 at 5:00 am

    To get gas from a pump with a credit card would also requier a pin code, right?
    As the pin code is encrypted, I didn’t know that you were able to get the pin code from a an ordinary skimmer, or am I wrong?

  3. jestep April 10, 2007 at 6:14 am

    With a gas pump you will usually have the option to process the card as debit or credit. If the card is processed as credit, even if it is a debit card, you don’t ever have to enter your PIN number and there is no chance of your PIN number being compromised. The PIN is not encoded on the card, so unless you enter it, there is no way for anyone to get it.

    If you do enter your PIN number when the card is processed, then there would be a chance that it could be compromised. I have heard of cameras being used to capture what a person is entering, and I have also heard of entirely fake ATM machines used to capture card and PIN combinations.

    Whatever the case, there is no way to capture a PIN number if it is never manually entered.

  4. MikiDox April 20, 2007 at 6:04 am

    What about those devices that they put
    on ATM`s to copy card info,are those available anywhere on the market,and what is the avrage price.

  5. Jessica October 16, 2007 at 11:55 am

    I just wanted to comment on your statement that businesses cannot win a chargeback, even with a signed receipt.

    As someone who works for a financial institution and handles chargebacks, a signed receipt causes the bank to shoulder the liability. The merchant has no way and does not need to prove they checked ID’s. Simply that they retained the signed receipt. (this of course is relating to non-PIN based transactions)

  6. raymond July 6, 2008 at 2:09 am

    this is something that will take about 5 years to REALLY take care of. its sad that some people actually ask where to buy this stuff

  7. Jiminy August 28, 2008 at 10:17 am

    Oh, Pete. I know your comment is super old, but for the peanut gallery I would like to add that you are more a troll than someone with a real story.

    You have a “Master Card”. Well guess what, your Mastercard card is not issued by Mastercard, and they have nothing to do with refunding you or dealing with fraudulent activity. There are hundreds of companies that issue these cards, with varying levels of service. Many of them have better service than Amex, and many have bad service.

    If you are not keeping track of spending on your credit card, and you allow someone to make purchases on it for months without reporting the unauthorized activity, you deserve to lose the money.