The best way to prevent your bank card from getting cloned or skimmed is to avoid inserting it into any devices and instead use contactless payments or withdrawals whenever possible.
Nearly all bank cards issued today have a Europay, Mastercard, and Visa (EMV) chip, which makes them very difficult to tamper with or clone, unlike older chip-less cards.
However, many still feature magnetic strips, which are susceptible to card cloning or skimming.
Skimming and cloning involve fraudsters stealing your debit or credit card information to create counterfeit cards that can be used to spend money from your account.
The point at which the card’s information is captured is typically when it is inserted into a card slot in an ATM or a point-of-sale device, which has been maliciously modified with one or a combination of skimming devices:
- Overlay skimmers — Placed on top of the actual card reader on ATMs or payment terminals
- Internal skimmers — Installed inside the card reader to make it more difficult to detect
- Wireless skimmers — Mobile skimmers fitted with wireless communication capability to relay information to criminals nearby, typically using Bluetooth
The fraudsters can also use fake card readers, keypad overlays, or hidden cameras to capture the victim’s PIN, which will be necessary for in-person transactions.
A more primitive method is shoulder-surfing, which involves a criminal watching the keypad closely as you enter your PIN.
According to data tracked by the South African Banking Risk Information Centre (SABRIC), the most common places where cards are skimmed are toll gates, ATMs, supermarkets, liquor stores, and restaurants.
There are several ways to avoid your card’s information landing in the hands of criminals, including ensuring it does not leave your sight when making payments and never handing your card over to a merchant.
During withdrawals, you should closely monitor the ATM card slot to ensure the card is never removed, skimmed, or replaced without your knowledge.
Generally, accepting help from bystanders at an ATM is a bad idea.
There might also be some signs that the ATM or payment machine’s card slot was tampered with, like a raised or bulky card reader.
The image below shows an example of a card-skimming combo used in South Africa.
While the aforementioned methods can help reduce the likelihood of your card being skimmed, skimming devices can be difficult to notice.
Banks and leading banking security experts have repeatedly emphasised that using tap payments and cardless or tap withdrawals is not only more convenient but safer than inserting your card into a device.
Most bank cards feature radio frequency identification (RFID) and near-field communication (NFC) technologies that work with their EMV chip to support encrypted contactless transactions.
Contactless payments don’t even require that you touch the card to the terminal — they generally work when within 4cm of the POS device.
Linking your card to an NFC-enabled smartphone or smartwatch digital wallet, like Apple Pay, Garmin Pay, Google Wallet, or Samsung Wallet, can further enhance security.
Opening the digital wallet will require using an authentication method, such as entering a PIN or scanning your fingerprint or face, before you can tap.
This prevents criminals from easily making contactless payments with it if they steal your smartphone or smartwatch.
Banks also offer some protection with tap-to-pay cards by allowing you to limit the amount you can tap with a card before needing to enter a PIN.
However, this must be entered into an external device, increasing the risk that your PIN could be exposed.
Using a digital wallet will not expose your card details or PIN to any unwanted onlookers.
In the past few years, South Africans have become paranoid about tap-to-pay functionality, a natural response considering how we have become accustomed to criminals coming up with new and creative ways to steal our money.
Many believe fraudsters can hold contactless payment devices close to their cards or smart payment devices and take money from their accounts.
However, SABRIC has explained that this is highly unlikely because registering an NFC POS device involves a rigorous vetting process by the issuing bank, which includes the mandatory submission of Know Your Customer documentation.
In addition, banks monitor merchant transaction activity and conduct merchant site visits. “Should any irregularities be identified, an investigation will be launched immediately,” SABRIC stated.
“Collusion with a merchant could be a possible way to defraud people. However, this is also unlikely as the proceeds of crime resulting from this specific modus operandi would go into a merchant’s bank account, which, again, is closely monitored.”
“Furthermore, this payment option is only available for a predetermined number of low-value transactions on any specific day, after which a PIN would be required to complete the transaction.”
“Thus, the financial reward associated with these transactions is low, while the reputational and prosecution risk to the merchant remains high.”
SABRIC also pointed out that criminals would only be able to get a card number and expiry date by holding a skimming device near the card.
“Neither the CVV nor the PIN number would be exposed, both of which the criminal would need to make fraudulent online purchases,” SABRIC said.
