Cash Machine / ATM
Photo by Eduardo Soares / Unsplash

Skim Reading

Jim Boutcher

Skimming is quite fun, really. It's low-tech, high-tech, a Busman's Holiday, equal opportunity, annoying, and fiendish.

How it works, most commonly in New Zealand, is this. A group of villains obtain a deep insert skimming device.

Deep Insert Skimming Device

This little beauty is inserted deep into the little green-windowed card slot on the ATM. When someone is after money, their card slides over this and it reads the magstripe. The magstripe is the bit of old cassette tape running along the length of the card. It's far less secure than the chip (on most Mastercard/Visa etc. cards). It would be better used to store the chorus of Rick Astley's finest moment, frankly, except that magstripe-only cards are cheaper to produce and the magstripe is more reliable in many places than chip readers.

The villains also install a (sometimes) discreet camera to record footage of people entering their PINs.

They will regather the deep insert and then pore over the video footage to match card and PIN. Then it's cash-time, baby.

There are variations, from the pragmatic (Bluetooth in the insert so it doesn't need to be recovered on a regular basis), to the inventive (keyboard overlays to pick up the data), to the jaw-dropping (entire ATM covers). These aren't that practical in NZ because there are lots of cameras around ATMs and the people monitoring tend to notice, for example.

A simple ATM cover

I'm going to say it bluntly: it's worse overseas. So if you're travelling, consider changing your PIN before you go. Most bank apps enable this. Better yet, change your PIN after every ATM use. Not because you'll lose out - the banks are liable for these counterfeit losses - but because you'll want to keep using your card while travelling, and if it's been skimmed with PIN, you'll get it blocked. Which is annoying.

Where else can you be skimmed? Parking machines are a popular choice as they are unattended and security at the machine is often light. Also taxis. They may have two machines, a fake one that just gathers info and a real one that they run the proper transaction through with an "apology" about the new machine. In theory it's anywhere, but in practice, it's largely these. Data compromises for online purchases are way bigger, but that's a post for another day.

How does prevention work? Narrower slots, vibration of the card, physical shields around the keypad. Things like that. But cameras and monitoring are effective too: looking at raw machine data from sensors inside the ATM, examining predictable patterns of card use when withdrawing cash, and monitoring customer behaviours such as just standing there too long with some kind of machinery. Banks will shut down ATMs while they are inspected.

Just a final, quick note about my Busman's holiday comment. What has been known to happen is that overseas villains come to NZ to learn their trade. They do a bit of skimming, send some info back home, and get a bit of cash to support the hedonistic side of the local economy. They then get caught and sent on their way. It's kind of harmless, largely, to NZ. Less of a thing in Covid times, of course.

So, be vigilant, protect your PIN, but don't worry: This one isn't on you.


I'm a professional fraud-stopper, without doubt the most excellent role in a varied databasey career. I also have a kind of entrepreneurial thing aimed at taking away all the barriers to giving.

