So one of our readers asked us this question the other day: How do people make/steal money using credit card skimmers?
ANSWER
There are a few ways that people make money using skimmers (some of which are mentioned here) but some aren’t.
First and foremost, a credit card skimmer is just an easy way to collect a pool of credit card numbers. The pool will keep getting fresh new data as long as the skimmer is well placed/hidden (ie. a gas station pump). Also, the magnetic strip on your credit card contains a ton of information including but not limited to the name on the card, the credit card number, and expiration. The first 6 digits of the card even identify where the card came from (such as bank, issuer, etc.)
Let’s call the guy who made/placed the skimmer the “fraudster”. The fraudster collects the credit card data that the skimmer has read and can do multiple things with it.
1) As mentioned, he/she can sell large swaths of these CC numbers online in auctions (usually anonymously on TOR). Since they know the first 6 digits, they can even bucket them into high value cards. For example, Amex cards typically have higher credit limits than a regular debit card. They might organize the Amex cards into one list and earn more on that list than they would from say, Bank of America debit cards.
2) Another thing they can do is transfer the stolen card info onto a new card. BUT it is actually not as common to do this onto an existing card with the fraudster’s name on it. Instead, these fraudsters usually buy blank hotel keys in bulk (very easy to purchase, common item for hotels/motels). They now have hundreds physical cards that they can transfer the stolen credit card info onto. Now these cards are just blank white plastic cards, so going to a store and using them is pointless and too risky. Instead, they sign up to get their own credit card machine. Some are pretty cheap or even free (such as PayPal Here or Square). They can pretend to be some store using fake information and then start physically swiping the cards with the stolen data. The advantage of physically swiping them is the transaction will appear to the processing company and bank/card issuer as done “in-person” since the card was swiped. These are seen as lower risk transactions since most fraud is committed via just “keyed-in transactions” (such as online purchases, over the phone purchases, etc.). The machine that reads the cards only reads the magnetic strip, so it doesn’t recognize that these are just generic hotel keys or crappy plastic cards someone bought online. So to the machine/reader, and to the credit card company and the credit card processor, it is just a normal physically swiped transaction.
There are more nuances and ways this can get more lucrative but that’s the basics of it. Luckily most cardholders are protected from this kind of fraud by their bank/card issuer. If you recognize bad transactions they will cancel the card, refund your money, and send you a new one. The bummer is that people who get hosed are the businesses that might unknowingly accept your stolen card information and sell something. When you get a refund from your bank after “disputing” a transaction – that money typically comes from the business it was used at, not the bank. So if a business is tricked into selling a $2,000 painting over the phone to a guy who gave them a stolen credit card number – that business is going to lose the painting and the money and there’s nothing they can do about it since the responsibility to investigate was theirs (according to most processors).
