A new foe of card skimmer crooks: Target Corp.

Posted on by

The war on credit card skimmers continues, this time from an unexpected source: Target Corp. Yes, the retailer. Cyber criminals attach skimmers to the outside of ATMs, gas pumps and other credit/debit card readers. When you insert your card into the machine, these skimmers capture your account number and PIN, which will be used later to clean out your account.

Brian Krebs has written about card skimmers for years, and I quoted him in this piece that I referenced when I last wrote about the topic in 2015.  Last year, he documented some of the ultra-thin skimmers that ATM vendors found inside their machines. It is pretty amazing how the crooks continue to innovate in smaller and smaller devices to steal our data.

Skimming is sadly on the rise: 161,000 cards were stolen annually, up more than four times the rate from 2021. Now they have a new nemesis — Target Corp. They recently blogged about their approach, which uses a piece of plastic called EasySweep to ferret out the skimmers. There isn’t any electronics on this card — it is just thick enough to see if something else is already inserted in the slot, and is sheer genius. Their cybersecurity group took the rather unusual step of 3-D printing the plastic that measures the thickness of the card reading slot. Target staffers can quickly swipe the thing in each of their 20 or so terminals in a typical store in a few minutes. And it is simple: if the card fits, the reader is clean. If it jams, it could indicate the presence of a skimmer. Each store now checks their readers daily. They have sent 60,000 of the cards to their stores, and they offer the design to other retailers free of charge.

Granted, the war on skimmers is a cat and mouse game: originally, many IT folks thought they could find them by scanning for unknown Bluetooth devices, because many of them sent out their collected data via that frequency. Then the crooks developed skimmers that had to be removed and the data downloaded. While there is a limit to how thin they can be made, so far the EasySweep cards are still a valid testing tool.

Still, consumers should be on the lookout, as the cops say. Check your machine for obvious signs of tampering, such as a loose part or something odd either with the card slot or the keyboard (which might have an overlay to capture your keystrokes). If you are at a bank of machines, compare the one you intend to use with its neighbor to see if there are any physical differences. And cover your hand as you enter your PIN number. If you can, use an embedded EMV chip card, which are harder to skim. And also consider more advanced cards, such as from Apple/Goldman Sachs, that can create virtual CVV numbers on the fly to make it more difficult to skim.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.