What is ATM Skimming & How to Prevent in India 2020


ATM skimming is a fraudulent practice in which criminals place a skimming device over the ATM card reader slot. A skimmer reads the cards that are swiped through it and gathers the data. The data is then retrieved and copied onto blank ATM cards. In layman’s terms, ATM skimming is the theft of credit and debit card details from ATMs. For a normal ATM user, it is nearly impossible to spot the device unless they actively look for it.

However, to withdraw money from ATMs, criminals need both the card details and the user’s ATM PIN. Therefore, criminals also place a hidden camera inside the ATM, positioned so that it can read users’ PINs clearly. With access to both the card details and the ATM PIN, fraudsters are able to withdraw money fraudulently from the victims’ accounts.

Types of ATM Skimming:
ATM skimming processes are broadly divided into two categories. In the former type, a device known as a “skimmer” is superimposed on the card reader slot of the ATM. When the user swipes a card into the slot, the skimmer records the data present on its magnetic stripe. A spy camera, usually placed in the brochure holder, enables the fraudster to read the PIN.

In the latter case, stolen or used ATMs that thieves get their hands on are rigged to collect the user’s data. These ATMs are only semi-operational and do not dispense cash, making users think they are faulty. Such ATMs are usually purchased in the second-hand market at low prices. In reality, they are meant to steal card details.

Devices Used for Skimming:
The following devices are used for skimming cards:

  • Card Reader Slot Overlays: As discussed above, these are plastic devices placed exactly over the card reader slot. When you slide your card into such a compromised ATM, you unwittingly slide it through the skimmer first, which scans and captures all the information on the magnetic stripe.
  • Spy Cameras: These are hidden cameras meant to capture the ATM PIN of users. They are usually miniaturized and come in various shapes and sizes, making them easy to hide in plain sight.
  • Keypad Overlays: These are used as an alternative way to capture the ATM PIN of gullible users. These fake keypads are placed over the actual ATM keypad. As users type in their PINs, the fake keypad records them.

How to check for skimmers:

To detect skimming devices, you should check the following parts of the ATM carefully:

  • Keypad (used to enter PIN)
  • Card reader slot (which reads your card)

The warning signs to watch for include:

  • Tape and/or sticky glue residue
  • Anything hanging, or loose-fitting attachments
  • Any soldering marks, loose wires, etc.

Scrutinize the ATM: 
To avoid becoming a victim of ATM skimming, you should check the card reader slot for the presence of any overlays. If the card scanner appears to protrude or does not match the usual style, it might be a compromised one. Similarly, any loose wires, tiny holes, scratches, tapes, joints, etc. are warning signs to watch out for.

Cover the keypad when entering the PIN: 
The ATM authentication process is based on two parameters: what we have (the ATM card) and what we know (the ATM PIN). Therefore, a fraudster must know your ATM PIN to perform an unauthorized financial transaction.

Covering your keypad while entering the PIN can prevent cameras from reading it. Besides, it also protects you from shoulder surfing. However, this precaution won’t work in case of fake keypads. 

Check your Bank Statement:
Checking your bank statement can help you detect any fraud early and take immediate remedial measures, for example, reporting the fraud to your bank and the nearest police station or cyber cell.

Choose ATM Kiosk Carefully: 
While no ATM is completely risk-free, it is better to use ATMs in busy and populated areas, where it is difficult for skimmers to install their setup. Fraudsters are more likely to install skimmers in isolated areas where they won’t be caught.

Similarly, ATM centers manned by guards are much less likely to be tampered with. Therefore, avoid secluded ATMs where regular guards are absent. Also be alert for skimming devices in tourist areas, as these are among the locations most targeted by skimmers.

Taking Care of ATM PIN:
As explained, hidden cameras are placed to record the ATM PIN as you type it in. They are usually placed above the PIN pad, above the display screen or in nearby structures. Therefore, if you see a small pinhole drilled into the ATM, be cautious. Similarly, if you find something unusual in the ATM center, such as an artificial object, check it for the presence of any spy cameras.

Detect Fake Overlays of Keypad:
Sometimes fraudsters place a fake overlay pad over the real one to capture your ATM PIN. A fake keypad may have larger or smaller keys than usual. Similarly, placing a fake keypad is likely to raise the height of the keypad more than usual. Therefore, if your keypad seems to protrude oddly, check it thoroughly.

You can also press down a few random keys on the keypad. If they feel different from usual (sticky, rigid or spongy), there may be a fake keypad overlay.

Shake your Card Reader Slot: 
Many skimmers are placed just over the existing card slot to skim your card details. Therefore, just wiggle the plastic or pull it a bit to expose the skimmer, if any. Legitimate card readers won’t bend, break or bulge when you test them.

A proper card reader is sturdily attached to the ATM. Therefore, the following can be signs of tampering:

  • Soldering or glue marks
  • Presence of tape, loose piece of plastic 
  • Tilted or skewed to one side 

If the card reader moves or jiggles, it’s a warning sign. ATMs are sturdily constructed, and none of their components should bulge or jiggle. 

[Figure: A skimmed card reader slot of an ATM]

[Figure: An example of a fake keypad]

Others:

  • Don’t use your year of birth as your ATM PIN. It can be found out by simple OSINT techniques, e.g., social media analysis.
  • A normal ATM should easily and quickly accept your card. If the ATM you are trying to use is not accepting your card readily, don’t proceed further.
  • Criminals are most likely to install skimmers on weekends, when banks remain closed. Therefore, statistically, there is a lower chance of finding skimmers on weekdays.
  • The more you familiarize yourself with the appearance of reliable ATMs, the less likely you are to be fooled by rigged ATMs.

Found a Skimmer – What’s Next?
If you find any skimming device in an ATM or if you suspect so, inform the guard present outside the ATM as well as the concerned branch, so that they can take appropriate remedial measures. If the branch is closed, you should contact the police and share the details for proper investigation. 

What to Do if You Become a Victim of ATM Skimming?
In ATM skimming frauds, your ATM card details (the “what we have” parameter) and ATM PIN (the “what we know” parameter) of authentication are stolen. Thus, it’s a case of identity theft.

Section Dealing with Identity Theft:
The Information Technology Act, 2000 is the primary law dealing with cyber crimes and related matters. Section 66C of the IT Act deals with “Identity Theft” and is reproduced below:

Section 66C: Punishment for identity theft: 
Whoever, fraudulently or dishonestly make use of the electronic signature, password or any other unique identification feature of any other person, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to rupees one lakh.

Whether Offences are Compoundable, Cognizable and Bailable?
Section 77A of IT Act says –“Subject to certain exceptions, all the offences under the IT Act for which the punishment is imprisonment for a term of 3 years or less, are compoundable. The provisions of sections 265 B and 265 C of the Code of Criminal Procedure, 1973 shall apply with respect to such compounding”.

Section 77B of the IT Act further lays down – “Notwithstanding anything contained in the Code of Criminal Procedure, all the offences punishable with imprisonment of 3 years and above under the IT Act shall be cognizable and all offences punishable with imprisonment of 3 years or less shall be bailable offences”.

A plain reading of the Sections shows that the offence is Cognizable, Bailable and Compoundable.

Conclusion:
Since an offence under Section 66C of the Information Technology Act, 2000 is cognizable, you should approach the nearest police station, or the local/state cyber cell having jurisdiction over your area, to lodge an FIR in accordance with Section 154 of the Cr.P.C.

Section 154 in The Code Of Criminal Procedure, 1973

Information in cognizable cases:

(1) Every information relating to the commission of a cognizable offence, if given orally to an officer in charge of a police station, shall be reduced to writing by him or under his direction, and be read over to the informant; and every such information, whether given in writing or reduced to writing as aforesaid, shall be signed by the person giving it, and the substance thereof shall be entered in a book to be kept by such officer in such form as the State Government may prescribe in this behalf.

(2) A copy of the information as recorded under sub-section (1) shall be given forthwith, free of cost, to the informant.

(3) Any person aggrieved by a refusal on the part of an officer in charge of a police station to record the information referred to in subsection (1) may send the substance of such information, in writing and by post, to the Superintendent of Police concerned who, if satisfied that such information discloses the commission of a cognizable offence, shall either investigate the case himself or direct an investigation to be made by any police officer subordinate to him, in the manner provided by this Code, and such officer shall have all the powers of an officer in charge of the police station in relation to that offence.

Will You Get a Money Refund from Banks in OLX Frauds?
Money refund in case of unauthorized electronic banking transactions is governed by the RBI circular dated July 06, 2017.

RBI Notification:
The liability of banks (all scheduled commercial banks, small finance banks and payment banks) in case of unauthorized electronic banking transactions is governed by RBI circular RBI/2017-18/15, DBR.No.Leg.BC.78/09.07.005/2017-18 dated July 06, 2017.

The Most Important Aspects of the Circular are as follows:
Limited Liability of a Customer:

1. Zero Liability of a Customer
A customer’s entitlement to zero liability shall arise where the unauthorized transaction occurs in the following events:

  • Contributory fraud/ negligence/ deficiency on the part of the bank (irrespective of whether or not the transaction is reported by the customer).
  • Third party breach where the deficiency lies neither with the bank nor with the customer but lies elsewhere in the system, and the customer notifies the bank within three working days of receiving the communication from the bank regarding the unauthorized transaction.

2. Limited Liability of a Customer:
A customer shall be liable for the loss occurring due to unauthorized transactions in the following cases:

  • In cases where the loss is due to negligence by a customer, such as where he has shared the payment credentials, the customer will bear the entire loss until he reports the unauthorized transaction to the bank. Any loss occurring after the reporting of the unauthorized transaction shall be borne by the bank.
  • In cases where the responsibility for the Unauthorized electronic banking transaction lies neither with the bank nor with the customer, but lies elsewhere in the system and when there is a delay (of four to seven working days after receiving the communication from the bank) on the part of the customer in notifying the bank of such a transaction, the per transaction liability of the customer shall be limited to the transaction value or the amount mentioned in Table, whichever is lower.

Will You Get a Money Refund in OLX Frauds?
The RBI guideline says: “In cases where the loss is due to negligence by a customer, such as where he has shared the payment credentials, the customer will bear the entire loss until he reports the unauthorized transaction to the bank. Any loss occurring after the reporting of the unauthorized transaction shall be borne by the bank.”

Here the fraud is the result of a deficiency that lies neither with the bank nor with the customer but lies elsewhere in the system. Therefore, if the customer notifies the bank within three working days of receiving the communication from the bank regarding the unauthorized transaction, he/she can enjoy zero liability, and any loss occurring to the victim shall be borne by the concerned bank.

Reversal Timeline:
On being notified by the customer, the bank shall credit (shadow reversal) the amount involved in the Unauthorized electronic transaction to the customer’s account within 10 working days from the date of such notification by the customer (without waiting for settlement of insurance claim, if any). 

Frequently Asked Questions:
What should be Done if your ATM Details have been Stolen?
The fraud needs to be reported as soon as possible. 

If you have an Account with Bank A and have used the Card to Withdraw the Money from an ATM of Bank B, which has been Compromised, which Bank should you Report your Concern to?
A complaint should be lodged at Bank A at the earliest. According to the RBI, “Longer the time taken to notify the bank, the higher will be the risk of loss”.

Who Returns your Money?
The bank that has issued you the card will pay you back the money. If prima facie it is established that you are a victim of skimming fraud, the bank makes the payment up-front.

Conclusion:
There is no foolproof way to detect every skimmer. However, following the above-mentioned precautions can certainly help reduce instances of this fraud. Finally, whenever in doubt, use a different ATM.