Skim Scan Card Skimmer Detector

Scott Schober didn’t want to have to develop Skim Scan – but after thieves stole his credit-card number at a New York City parking garage a few years ago, he began thinking about how he could help other people avoid being caught out by a similar problem.

Short on cash and racing to get to an interview, he recalls, “I reluctantly pulled out my card and put it into one of those payment machines so I could park quickly and run up so I wasn’t late.”

Within a day or so, he said, “I started having suspicious charges, and traced it back – and sure enough, it was from a skimmer in one of those parking machines. I cancelled the card, got the money back, no big deal – but it just drove me nuts.”

Schober, a security expert who works as president and CEO of New Jersey-based Berkeley Varitronics Systems (BVS), is far from the only one: increasingly sophisticated skimmers – diminutive electronic devices that criminals insert into the card slots of ATMs, gas pumps, parking and other payment devices – have become so common in recent years that raids of machines suspected to be compromised inevitably turn up one or many of the devices.

Secret Service raids regularly identify skimmers, with one recently reported audit of 879 Washington, D.C.-area businesses identifying 27 skimmers spread across 6561 point-of-sale terminals, gas pumps, and ATMs inspected – preventing an estimated loss of $7.2 million.

Another recent raid in San Diego tested over 800 payment devices and identified 21 skimming devices, preventing estimated financial losses of $63 million.

FICO last year reported that the number of debit cards compromised by skimmers soared in 2022 and increased a further 96% in 2023, with over 315,000 impacted cards and nearly 1600 skimming incidents identified – and the number of cards captured by each skimmer up 39%.

Cybercriminals not only use stolen card details to buy products, but sell them on darkweb sites where a reported 269 million card records were posted last year alone.

There had to be an easier way

One of the biggest challenges finding skimmers is their diminutive size, with contemporary models – which are widely available for purchase on darkweb sites, where criminals also trade schematics illustrating how to build their own devices – so thin that they can be completely inserted into card slots where unsuspecting consumers and merchants have no idea their card details are being taken.

Detecting and removing the devices often requires experienced technicians to take apart a suspected compromised ATM or other machine, navigating a morass of wires and circuit boards in what Schober – whose research took him to the field to experience the process hands-on – called a “very tedious” process of “tracing wires, pulling things, and moving things around.”

“It’s a rat’s nest in a lot of these machines,” he explained. “They’re not designed to be easily worked on, and there’s just stuff shoved in there.”

Schober’s experience as a skimmer victim led him to engage with the BVS engineering team to spitball ways that the devices could be reliably detected even where they were effectively invisible.

After a process of “hardcore R&D” – which included buying and dismantling many used ATMs and point-of-sale terminals online – the team recognized that the common thread with the skimmers was that they had their own read head to take data off of the card as it’s inserted.

“You know exactly where the normal read head is,” Schober explained, “so if there’s a second one before or after it, we realized that we could probably detect that.”

And so Skim Scan was born.