How does a card skimmer work

Card Skimmers: How They Work and How to Detect Them in 2026

by

Published: May 16, 2026 | Last updated: May 16, 2026 | 11 min read

TL;DR

  • Card skimmers are physical or electronic devices that capture payment card data from ATMs, gas pumps, and payment terminals without the cardholder’s knowledge
  • Skimmers operate in two stages: data capture (reading the magnetic stripe or chip) and data exfiltration (transmitting stolen data via Bluetooth, cellular, or physical retrieval)
  • Physical skimmers now include overlay devices fitted over card slots, internal compromises of ATM and pump hardware, and shimmed chip readers designed to bypass EMV security
  • Detection requires visual inspection, thermal imaging, radio frequency scanning, and monitoring transaction anomalies on the backend
  • Organizations should implement EMV chip mandates, terminal tamper detection, Bluetooth frequency monitoring, and behavioral analytics to reduce fraud risk

What Is a Card Skimmer?

A card skimmer is a device or technique used to steal payment card data without the cardholder’s knowledge or interaction. Skimmers capture data from the magnetic stripe, chip, or contactless interface of a payment card, then transmit or store that data for later use in fraudulent transactions.

Skimming differs from other payment fraud because it targets the card itself rather than the cardholder. The victim’s card is physically swiped or inserted into a compromised reader. The attacker captures the data without needing passwords, PINs, or social engineering.

Card skimming is widespread. The Federal Reserve reported that payment fraud losses exceeded $28.6 billion in 2024, with card-present fraud accounting for 34% of that total (Federal Reserve Payment Systems Risk Assessment, 2025). ATMs and gas pumps remain the primary attack surface because they are unattended, unmanned, and often poorly monitored.

How Card Skimmers Capture Data: The Technical Process

Card skimmers operate in two distinct phases: data capture and data exfiltration. Understanding both phases is essential for detection and prevention.

Phase 1: Data Capture

Skimmers read card data through one or more methods depending on the card type and reader design.

  • Magnetic Stripe Reading: The magnetic stripe on the back of a card contains the cardholder’s name, card number, expiration date, and CVV. A skimmer reads this data by running the card through a magnetic read head. The attacker does not need to know the PIN or access the chip. A simple magnetic stripe reader costs less than $50 and can be integrated into an overlay device fitted over a legitimate card slot.
  • Chip Reading: EMV chip readers are more complex than magnetic stripe readers. They communicate with the chip using specific electrical signals and protocols. Some skimmers use shimmed chip readers that intercept the communication between the card and the legitimate reader. The shim sits between the card and the reader, captures data, and passes the signal through to complete the transaction legitimately. The cardholder notices nothing.
  • Contactless Reading: Contactless cards (NFC-enabled credit cards, mobile wallets) broadcast data wirelessly. A skimmer equipped with an NFC reader can capture this data from several feet away without physical contact. This method is silent and does not require the attacker to be present at the exact moment of transaction.
  • Data Encoding: Once captured, card data is encoded in standard magnetic stripe format or stored in the skimmer’s memory. The attacker may also clone the data onto a blank card or encode it onto a new payment card for immediate use.

Phase 2: Data Exfiltration

After capturing the data, the attacker must retrieve or transmit it. Methods vary by skimmer type and location.

  • Bluetooth Transmission: Modern skimmers use Bluetooth Low Energy (BLE) to transmit captured data wirelessly to an attacker’s smartphone or laptop within 30-100 meters. The attacker can retrieve data without returning to the device. Bluetooth transmission is silent, unencrypted in many cases, and difficult to detect without active RF scanning.
  • Cellular Transmission: Some skimmers include cellular modules (GSM, LTE) that transmit data to cloud servers or attacker-controlled VPNs. These skimmers are more expensive but allow real-time data exfiltration and remote monitoring.
  • WiFi Transmission: Skimmers placed in retail locations may use WiFi to transmit data. This method requires the skimmer to connect to a network, making it detectable through WiFi scanning.
  • Physical Retrieval: The attacker returns to the device and physically removes it or downloads data from onboard storage. This method is slower but requires no wireless capability. The attacker must return to the location within hours to retrieve the data before the card data becomes useless.

Types of Card Skimmers: Physical and Technical Variants

Card skimmers take several physical forms, each with different detection challenges.

  • Overlay Skimmers: These devices fit over the legitimate card slot on an ATM or gas pump. The cardholder inserts their card into the overlay, which reads the data as the card passes through. The overlay then passes the card through to the legitimate reader, completing the transaction normally. The cardholder sees no evidence of fraud. Overlay skimmers are common at unattended ATMs and older gas pumps. They are relatively cheap to manufacture and install. Detection requires physical inspection of the card slot for misalignment, unusual thickness, or loose components.
  • Internal Skimmers: Attackers gain access to the internals of an ATM or gas pump and install a skimmer directly into the card reader mechanism. This skimmer is invisible to the user because it is hidden inside the machine. The internal skimmer reads data as the card passes through the legitimate reader. Internal skimmers are harder to detect because they leave no external evidence. They require technical knowledge to install and physical access to the machine’s internals. Detection requires opening the machine and inspecting the card reader for additional hardware.
  • Wireless PIN Pads: Attackers intercept or compromise wireless PIN entry devices used at retail checkouts. A wireless PIN pad skimmer captures both the card data and the PIN. This allows fraudsters to use the card for both online and in-person transactions. Detection requires monitoring for unauthorized wireless devices near payment terminals.
  • Mobile Phone Skimmers: Fraudsters use modified smartphones with NFC readers to capture data from contactless cards without the victim’s knowledge. The attacker walks past a victim with the phone held near the victim’s wallet, silently capturing card data. This type of attack requires no physical access to legitimate payment infrastructure.
  • Shimmed Chip Readers: A shim is an interceptor device placed between the legitimate chip reader and the card. As the card enters the reader, the shim captures the chip data before passing the signal through to complete the transaction. Shimmed chip readers are difficult to detect because they add minimal bulk and the transaction completes normally.

Detection Methods: How Cybersecurity Teams Identify Skimmers

Detecting card skimmers requires a multi-layered approach combining physical inspection, electronic detection, and behavioral monitoring.

Visual and Physical Inspection

The simplest detection method is visual inspection. Trained security staff or customers should look for signs of tampering on ATMs and payment terminals.

Red flags include:

  • Loose or misaligned card slots that do not match the surrounding hardware.
  • Card slots that have visible gaps between the overlay and the legitimate reader.
  • Unusual thickness or color mismatch between the card slot area and the rest of the machine.
  • Damaged or scraped edges suggesting recent installation.
  • Wobbly or rattling components that should be fixed in place.

Physical inspection is free and effective at detecting overlay skimmers. However, it requires trained personnel and regular audits. Many fraud incidents occur at machines that have not been inspected in weeks.

Thermal Imaging

Thermal cameras detect heat signatures from electronic devices hidden inside ATMs or gas pumps. Skimmers generate slight heat from their processors, readers, and wireless modules. A thermal image taken from the card slot area can reveal hidden electronics.

Thermal imaging is effective at detecting internal skimmers but requires specialized equipment and trained operators. It is not practical for routine inspections at every machine. Organizations typically use thermal scanning during security audits or after fraud incidents.

Radio Frequency (RF) Scanning

Skimmers using Bluetooth, cellular, or WiFi emit radio frequency signals. RF scanners designed to detect unauthorized wireless devices can identify these signals near ATMs and payment terminals.

Professional RF scanning tools can sweep a machine and its surrounding area for wireless transmitters. Detection range varies by frequency and transmitter power. Bluetooth skimmers may be detectable from 10-50 meters away. Cellular modules have longer ranges.

RF scanning is effective at detecting wireless skimmers but produces false positives from legitimate devices (nearby smartphones, WiFi routers). Security teams must distinguish between the skimmer’s wireless signal and background RF noise.

Transaction Monitoring and Behavioral Analytics

Backend monitoring can detect skimming through behavioral anomalies in transaction data.

Patterns that suggest skimming include:

  • Sudden clusters of fraudulent transactions from the same ATM or gas pump within a short time window (e.g., 50 fraudulent charges in one night).
  • Fraudulent transactions originating from geographically distant locations immediately after the victim used a specific ATM.
  • Unusual card usage patterns suggesting cloned cards (e.g., same card number used simultaneously in different countries).
  • High-value transactions or cash withdrawals at specific machines at unusual hours.
  • Repeated fraud on cards used at the same location.

Banks and payment processors monitor these patterns. Machine learning models can correlate fraudulent transactions to specific machines. When fraud clusters emerge, the organization can dispatch security teams to inspect the machine.

This method is reactive rather than preventive. Fraud is already occurring by the time it is detected. However, it allows banks to remove compromised machines from service quickly.

Magnetic Stripe Analysis

Payment processors can analyze magnetic stripe data for signs of skimming. Cloned cards created from skimmed data often have minor imperfections in the encoded stripe. The magnetic encoding may be slightly off-spec compared to cards issued directly by banks.

This method requires comparing suspected cloned card data against the bank’s original card records. It is not foolproof because modern skimmers can encode data perfectly, but it catches some lower-quality clones.

Prevention Strategies: Reducing Skimming Risk

Cybersecurity and payment security teams should implement multi-layered prevention strategies targeting different points in the skimming process.

EMV Chip Adoption and Enforcement

EMV chip technology was designed specifically to prevent skimming and counterfeiting. Unlike the magnetic stripe, the chip generates a unique transaction code for each purchase. Cloned chip data cannot be reused.

However, EMV adoption is incomplete in the United States. Many older ATMs and gas pumps still use magnetic stripe readers only. Enforcing chip-only readers on all machines eliminates the magnetic stripe attack surface.

Organizations should audit all payment terminals and ATMs. Any machine still accepting magnetic stripe swipes should be replaced or upgraded. Gas pumps in particular lag behind because replacing them is expensive and requires operational downtime.

Tamper Detection and Physical Security

ATMs and payment terminals should include anti-tamper mechanisms that alert when the machine has been opened or the card reader accessed.

Physical security measures include:

  • Sealed casings that break if opened, providing visible evidence of tampering.
  • Wireless alarms that alert the bank when the machine’s access panel is opened.
  • Video surveillance of ATM and pump areas to catch attackers installing or retrieving skimmers.
  • Regular security patrols and visual inspections on weekly or daily schedules.
  • Bollard protection around standalone ATMs to prevent physical attacks.

Many skimming incidents occur at machines that lack these protections or where protections are ignored.

Wireless Device Detection and Monitoring

Organizations should implement continuous RF monitoring at high-risk locations. Dedicated RF scanners installed near ATMs and gas pumps can detect unauthorized wireless devices.

These scanners should:

  • Monitor specific frequencies used by common skimmers (Bluetooth 2.4 GHz, cellular bands).
  • Alert security staff when unauthorized devices are detected.
  • Log all wireless device detections for analysis.
  • Distinguish between skimmer signals and legitimate background RF noise.

Wireless monitoring is continuous and requires minimal human intervention once installed. It catches skimmers transmitting data in real time.

PIN Entry Device (PED) Security

Retail payment terminals and wireless PIN pads should be authenticated and hardened against compromise.

Security measures include:

  • Encrypting PIN entry devices to prevent unauthorized access to internal hardware.
  • Implementing certificate pinning so devices communicate only with authorized payment processors.
  • Conducting regular firmware updates to patch vulnerabilities.
  • Replacing aging PIN pads with modern EMV-compliant devices that include encrypted processing.

Wireless PIN pads should include authentication mechanisms that prevent attackers from intercepting or spoofing legitimate devices.

Transaction Monitoring and Velocity Checks

Backend systems should monitor for fraud patterns and anomalies.

Monitoring includes:

  • Velocity checks that flag multiple transactions from the same card in geographically distant locations within a short time.
  • Clustering algorithms that identify fraud hotspots at specific ATMs or gas pumps.
  • Real-time alerts when fraud exceeds threshold values.
  • Machine learning models that learn each cardholder’s normal spending patterns and flag deviations.

When fraud is detected, the bank should immediately:

  • Contact the cardholder to confirm the transactions.
  • Issue a replacement card with a new number.
  • Quarantine the suspected machine for inspection.

Cardholder Education

End users should understand skimming risks and detection methods.

Cardholders should:

  • Inspect ATMs and payment terminals before using them. Look for loose, misaligned, or damaged card slots.
  • Avoid using machines in high-crime areas or that appear unmaintained.
  • Cover the keypad when entering their PIN.
  • Monitor their account statements for unauthorized transactions.
  • Report suspicious machines to the bank immediately.

While individual vigilance cannot prevent all skimming, educated cardholders catch some machines before attackers retrieve cloned card data.

Common Detection Mistakes and How to Avoid Them

  • Mistake 1: Assuming Visual Inspection Catches All Skimmers : Many overlay skimmers are designed to match the legitimate card slot closely. A skimmer made of black plastic may be indistinguishable from the legitimate black card slot. Attackers use high-quality manufacturing to blend in.Fix: Combine visual inspection with other detection methods. Do not rely on visual inspection alone. Train inspectors to feel for rough edges, gaps, and loose components, not just visual misalignment.
  • Mistake 2: Ignoring Internal Skimmers : Security teams may focus on detecting obvious overlay devices while missing internal skimmers hidden inside the machine’s card reader mechanism.Fix: Conduct periodic internal inspections of ATM and gas pump hardware. Use thermal imaging to scan for hidden electronics. Replace aging card readers with newer, harder-to-compromise designs.
  • Mistake 3: Not Monitoring Wireless Signals Continuously : RF scanning is effective, but many organizations scan only during security audits. Attackers can install skimmers between audits and remove them before the next scheduled scan.Fix: Implement continuous RF monitoring using installed wireless sensors. Monitor 24/7 rather than episodically.
  • Mistake 4: Assuming Fraudulent Transactions Occur Immediately : Fraudsters do not always use cloned card data immediately. They may wait weeks or months before using the stolen data to avoid immediate detection. By then, the machine may no longer be in service.Fix: Correlate fraud to the machine where the card was used, even if fraud occurs weeks later. Maintain historical records of which cards used which machines. When fraud is detected, cross-reference back to the machine.
  • Mistake 5: Neglecting Gas Pumps : ATMs receive more attention than gas pump skimmers. However, gas pumps are easier to compromise and less frequently monitored. Skimming at gas pumps is rampant.Fix: Extend skimming prevention to all payment terminals, not just ATMs. Gas pumps should receive the same scrutiny as ATMs. Conduct regular inspections and install tamper detection on pumps.

Frequently Asked Questions About Card Skimmers

What is a card skimmer?

A card skimmer is a device that captures payment card data from a magnetic stripe, chip, or contactless interface without the cardholder’s knowledge. Skimmers are installed on ATMs, gas pumps, or retail terminals and read card data as the victim swipes or inserts their card. The attacker then uses the stolen data to commit fraud.

How do skimmers transmit data?

Skimmers use several methods to transmit stolen data: Bluetooth to nearby smartphones or laptops within 30-100 meters. Cellular networks to send data to cloud servers. WiFi if installed in a location with network access. Physical retrieval if the attacker returns to remove the device and download stored data.

Can skimmers be detected by cardholders?

Some skimmers can be detected through visual inspection. Overlay skimmers sometimes show visible misalignment or loose edges. However, well-manufactured skimmers match legitimate card slots closely and are difficult to spot. Internal skimmers are invisible to users. The best detection comes from combining visual inspection with technical scanning and backend monitoring.

Are chip cards safer than magnetic stripe cards?

Yes. Chip cards generate a unique transaction code for each purchase. Cloned chip data cannot be reused. However, many ATMs and gas pumps still accept magnetic stripe transactions. As long as magnetic stripe is available, skimmers can capture that data. Full protection requires chip-only readers everywhere.

How common is card skimming today?

Card skimming remains a significant problem. The Federal Reserve estimated that card-present fraud exceeded $10 billion annually in 2024 (Federal Reserve, 2025). ATMs and gas pumps account for thousands of compromised machines at any given time. Fraud rates vary by region, but skimming is not rare.

What should I do if I think I used a skimmed ATM?

Contact your bank immediately. Report the machine’s location and the date you used it. Ask the bank to monitor your account for unusual activity. Request a replacement card with a new number. Review your statements for weeks afterward for unauthorized transactions. Consider placing a fraud alert or credit freeze on your credit file.

How do payment processors detect skimming fraud?

Payment processors use behavioral analytics to identify fraud patterns. When many fraudulent transactions originate from the same ATM or gas pump, the processor flags the machine. Machine learning models also detect cloned cards by identifying the card number used in multiple geographically distant locations simultaneously.

Can contactless cards be skimmed wirelessly?

Yes. Contactless cards broadcast data wirelessly that can be captured by an NFC reader from several feet away without physical contact. A skimmer equipped with an NFC reader can capture this data silently. However, contactless transaction limits (typically $100-$250) reduce fraud exposure compared to swiped cards.

What is the difference between a shimmed chip reader and an overlay skimmer?

An overlay skimmer covers the entire card slot with a fake reader on top. A shimmed chip reader is a thin interceptor that sits inside the legitimate card slot, between the card and the real reader. Shims are harder to detect because they add minimal bulk. Both methods capture card data, but shimmed readers are more advanced and harder to spot visually.

How can businesses prevent skimming on their premises?

Install modern EMV-compliant chip readers only. Use wireless PIN pads with encryption and authentication. Implement tamper detection on terminals. Monitor wireless signals near payment terminals for unauthorized devices. Conduct regular visual inspections. Install video surveillance of checkout areas. Train staff to recognize skimmers. Monitor transaction data for fraud patterns.

Key Takeaways

  • Card skimmers capture payment card data in two phases: data capture (reading the card) and data exfiltration (transmitting stolen data via Bluetooth, cellular, or physical retrieval)
  • Skimmers operate through overlay devices, internal hardware compromises, shimmed readers, and wireless interception. Detection requires visual inspection, thermal imaging, RF scanning, and behavioral analysis
  • EMV chip adoption, tamper detection, wireless monitoring, and transaction behavioral analytics are the most effective prevention methods
  • Gas pumps and older ATMs remain high-risk because they often lack modern security features and receive less frequent inspection than newer machines
  • Organizations should implement multi-layered detection combining physical security, electronic scanning, and backend monitoring rather than relying on a single method
  • Cybersecurity teams should focus on continuous monitoring rather than episodic audits to catch skimmers before attackers retrieve cloned card data

Leave a Comment