Police pursue thieves who use ‘skimming’ devices to steal credit and debit card information

Detective Eric Vitale lifted the 3-by-2-foot plastic storage container onto the table and pulled out evidence bag after evidence bag of gadgets, wires and makeshift pieces of spare metal.

The stuff looked like leftover junk from a sixth-grade science project, but the items were at one point the tools of the trade for criminals looking to defraud consumers at gas station pumps and ATMs — and they had all been collected by the San Luis Obispo Police Department since 2010.

“And this isn’t even all of it,” Vitale said, adding that the department had three more containers in the evidence locker.

Vitale has spent 12 of his 25 years in law enforcement with the San Luis Obispo Police Department, where he now heads the department’s fraud investigations. He’s become a regional expert in detecting skimming devices and investigating those who use them, fielding calls from law enforcement agencies across the country and making presentations before groups such as the Western Weights and Measures Association and various law enforcement associations.

A skimming device is an electronic magnetic reader that scans information encoded on the magnetic strips of credit and debit cards, placed inconspicuously so the legitimate user of an ATM machine or gas pump doesn’t recognize it, and it can be directly hardwired to or placed over the ATM card reader as a facade.

While the skimmer reads the magnetic information on a card, thieves at ATMs will additionally use a covertly placed camera to capture a customer’s personal identification number.

Once the thieves have the card data, they can create “clone cards” and embed collected consumer data into the magnetic strip. Those can be used at banks, points-of-sale or online with the consumer’s PIN to make purchases or cash withdrawals.

Since skimmer devices began barraging the Central Coast in the late 2000s, police departments across the county have started taking a proactive approach to combating the fraudsters, with officers and field technicians conducting random checks of banks and gas station pumps, teaching and working with business owners and employees, and maintaining contacts at the corporate level with larger companies and banks.

But like IRS phone scams or email solicitations from Nigerian princes, skimming devices are just another way criminals can get away with your money, and simple awareness could save you considerable time, money and headaches.

Like Mayberry

In law enforcement circles, skimming investigations are known as “cop kryptonite” — they require a lot of technical know-how and time, often with little payoff. If perpetrators are brought to justice, the jail or prison time is usually insignificant, and skimmer-savvy crooks can be back on the street in little to no time.

And while most consumers are protected by their financial institutions and eventually recover their losses, reimbursement can take up to a month under the law.

“That could mean a lot of trouble if you have rent due,” Vitale said.

According to the FBI, skimming devices are the calling cards of Eurasian organized crime groups with associates born in or with family in Russia or Eastern Europe. The agency says it has dismantled sophisticated organizations in Miami, Atlanta, Chicago and New York.

In 2012, the schemes became so commonplace across California that the state Department of Justice announced a crackdown on the devices, deploying its eCrime Unit to prosecute the perpetrators in county-level superior courts.

San Luis Obispo County, like other areas across the state, was hit hard by the illicit operations beginning in the late 2000s. While the cases have largely disappeared from the news, they still occur.

Vitale said the groups using skimmer technology prefer to install the devices in smaller communities, where authorities are generally less versed in how to deal with them.

The professional skimming groups, he said, can earn a lavish living through fraud and are usually well-represented legally.

“Within the hierarchy of organized crime, all we (the police) are is an inconvenience to them. I’m just the cost of doing business,” Vitale said. “I never get close enough to the top guys, unfortunately.”

Vitale said the goal in investigating the crimes is not to solely arrest those who operate the skimmers, but to trace the operation to those at the top. Depending on how sophisticated the rings are, one crew may be tasked with installing skimmers, another with harvesting their information, one to develop clones, one to cash out and another to launder the money.

“We can sit on a gas station for hours or days to find the guys hiding these things, but the key is you want to get to that hotel room, where (the clones) are being made,” Vitale said.

In October 2010, employees at the Arroyo Grande RadioShack reported that three men attempted to use fake credit cards in the store before hopping in a black Dodge Caravan and fleeing. Suspecting they might be headed for the San Luis Obispo RadioShack, detectives there responded and found one of the men in the store and the others in the parking lot.

The men, each from the Los Angeles area, were found in possession of counterfeit cards using Chase, Wells Fargo and Capital One logos and embossed and encoded with fraudulent names, as well as security features including UV technology.

During a search of their vehicle, detectives found three gas pump skimming devices, as well as 15 gas pump keys. The police said the devices were used to steal legitimate customers’ card information and to create the fake cards.

In 2011, police warned residents of skimming devices found at two gas stations in Paso Robles. The same year, three Southern California residents were arrested on suspicion of running a skimming operation that scammed Chase Bank customers in San Luis Obispo out of about $58,000.

In 2012, state prosecutors secured convictions in San Luis Obispo Superior Court for three men who ran a skimming operation that targeted Chase Bank, replacing ATM card readers with devices to retrieve the cards’ information and using a camera to capture customers’ PIN numbers. They used the skimmed information to create bogus debit cards. The scheme generated about $220,000 from 300 victims across Santa Clara, Marin, Fresno and San Luis Obispo counties.

In July 2014, three Los Angeles-area residents were arrested in Paso Robles on suspicion of operating a credit card fraud ring, using counterfeit cards at Citibank branches across the county to withdraw money from unsuspecting customers’ accounts. During the investigation, police found 46 dummy credit cards that were altered to contain real customers’ account information on their magnetic strips, information officials said were collected through skimmers.

“They come here because they think it’s Mayberry. Like we’re not exposed to this and all we have are a bunch of hick cops,” Vitale said. “But my job is to not just catch these guys, but to send a strong message: Don’t come here.”


Early versions of modern skimming devices began popping up first at freestanding and bank ATMs, Vitale said, and contemporary models continue to be found at the machines but generally inflict less harm on consumers than at gas station pumps.

The most common method used to defraud ATM users, Vitale said, involves installing a skimmer over the exterior of the ATM’s legitimate card reader. When a consumer swipes a card, the skimmer picks up the account information embedded in the card’s magnetic strip. These battery skimmers, such as the Mini123 or Mini400, can store the data and be retrieved later.

The skimmers can’t read the card’s PIN, however, which is usually captured by a covert camera. That camera, Vitale said, is the skimmer’s Achilles’ heel. The battery-powered cameras, some much smaller than the mechanical guts of body cameras worn by police officers, can be installed in an existing light above an ATM keypad. Vitale found one camera, powered by a small 3.2-volt battery, placed inside a thin strip of metal found in any automotive shop and fastened with double-sided tape to the roof of an ATM.

Sometimes those strips can look out of place and give away the jig, Vitale said, but carefully constructed facades are not noticeable, and the camera lens may peer through a pin-sized hole down on the keypad.

However, those cameras don’t have the capacity to store data for more than a few hours, and because most don’t have the ability to stop and start filming on their own, their batteries drain quickly. Therefore, the thieves must return to the ATM to change out batteries and SD cards frequently.

Another way crooks scam ATM users is by installing the readers on the doors of banks that provide after-hours indoor ATM access. Instead of installing a skimmer on the actual ATM, criminals install devices on the bank’s door card reader.

One way people can avoid this scam, Vitale said, is to not use a bank debit card to gain entry, but any other nonidentifiable card with a magnetic strip, such as a Starbucks gift card, which most banks with indoor ATMs allow.

Gas pumps

Skimming devices at self-serve gas station pumps have proven more effective and the users harder to catch.

Less-sophisticated skimmers are still used over the exterior of a gas pump’s card reader, but those are more easily detectible and have fewer capabilities, Vitale said. The “scary, nasty ones,” as he calls them, are those connected inside the machine’s interior. Those require a person to open the pump, either with a manufactured key or by prying it open, and connect an 8-pin data cable to the interior side of the card reader.

Some of these newer devices are powered by the fuel pump and can hide inside a machine indefinitely before being discovered, Vitale said, though they still need to be physically retrieved to harvest their data.

In a more recent trend, officials have found Bluetooth-capable devices inside pumps, sometimes with a remote transmitter hidden in bushes nearby, in which a user needs only approach within 50 feet of the device with a pay-as-you-go cellphone or some type of processor to read the card data.

“Every time they have to come back to harvest, they risk getting caught,” Vitale said. “But with this new stuff, there are so many variables that we don’t know when they’re coming back.”

Corporate-owned gas stations have gotten with the times and updated their employee policy to be more proactive in detecting and reporting skimmers, now requiring employees to conduct inspections during every shift.

Vitale said he is personally in communication with every gas station owner in the city, teaching them about detecting machine tampering. Nearly all routinely check their machines. Vitale and other departments also visit gas stations to examine them for those signs.

Fuel pump manufacturers also have updated their products, he said, making keys that technicians use to access the insides much harder to replicate.

Security upgrades

The harsh reality is that skimming devices are just one of a variety of ways to access a person’s financial accounts or steal their identity. The bulk — about 70 percent, Vitale said — occurs through online activity.

Though the technology has been used in other countries for more than a decade, Europay MasterCard Visa “chip & PIN” technology is slowly being implemented by U.S. banks and government agencies, and about 25 percent of U.S. banks currently issue EMV cards.

The technology effectively protects consumers against skimming devices and many other forms of card-based fraud with a small computer, or “chip,” on a card that stores information, performs processing functions and contains security features that protect sensitive information, according to the U.S. Department of the Treasury.

The most important feature of EMV, according to the federal agency, is the dynamic data generated during every transaction, which makes it nearly impossible to create counterfeit cards.

“In short, it’s very difficult to clone these chipped cards,” Vitale said. “They’re going to be the best line of defense for consumers.”

Tips to protect yourself from skimmers

San Luis Obispo Detective Eric Vitale says there are common-sense ways to protect yourself from criminals attempting to use skimming devices at local ATMs and gas station pumps. Here’s his advice.

  • Take a few seconds to look at the machine before you use it. If something looks off, tell someone and don’t use it.
  • When using an ATM, jiggle the card port and make sure it’s not a device placed over the legitimate card reader.
  • Check the lights. If lights are out, they may have been tampered with.
  • Cover your hand when entering your PIN number.
  • Check the edges of gas pump machines for any distress and check the coded tape used to seal the machines for any breaks.
  • Avoid using freestanding ATMs.
  • Use a chipped card, which doesn’t rely on magnetic strips alone and has more security features.
  • Use a credit card rather than debit. Debit cards allow direct access to your bank account. Banks have up to 30 days to refund fraudulent charges to your bank account, but credit card companies generally refund your money much faster because they want you spending and racking up interest.