How to Protect Yourself when Using a Financial Card at the ATM

By | January 30, 2017

Let’s face the reality, we like it or not, most of us do have one or more financial cards in our wallets. You might call them Credit Card, Debit Card, Cash Card, Visa Card, MasterCard Card, American Express Card, Cirrus Card, Cheque Card, Carte Bancaire, CB, Revolving, Bancomat, EC-Karte, Girocard, Eurocheque-Karte, GeldKarte, Carte Bleue, MIR Card, RuPay Card, SADAD Card, UnionPay Card, 购物卡, キャッシュカード or ジェイデビットbut at the end it’s a tiny little piece of plastic that virtualize your hard-earned money.

In this article I’d like to provide few tips to make the daily use of your financial cards more secure – or at least try – to achieve so.

A China UnionPay card.

Let’s start from the moment you get possession of your card. There are normally two possibilities:

Card received via postal or courier service
You have received your letter that contain your brand new financial card. This method is known as Centralized Card Personalization meaning that all cards from a specific bank are personalized in central bureau, packed into envelopes and sent out to customers via postal or express courier service.
Before opening the envelope inspect all sides and make sure is properly sealed. If you found that one or more side of the envelope have been opened during the transport, do not activate your card and call immediately your bank to report the matter. Most probably they will tell you to trow away the envelope and wait for a new one.
In the envelope you can find at least one card carrier (the piece of paper where the cards is attached to) and the card that is normally attached with adhesive to avoid it moves during the trip from the bureau to your home.
More pages are possibly there containing advertising from the bank.
After you have removed the card from the card carrier you shall sign it on the back side. This operation is normally non necessary if the card is debit one.
I’d recommend to use a black ballpoint pen and make sure to sign the card back in a more natural possible way. Remember that you cannot repeat your signature. Once the signature is done is very hard to delete from the signature panel. After the signature is done allow ten minutes to dry BEFORE PUTTING THE CARD IN YOUR WALLET to avoid smear of the signature. Also during the dry time do not touch the signature.

A City Prestige Mastercard welcome pack.

Meanwhile you wait for the signature to dry, take a minute to read the card activation procedure that can sometime be online else calling the bank customer service. Other methods are also possible anyhow follow the procedure and activate your card.
Now that your card is activated take note of the hotline numbers to call in case of emergency to block your cards. Store those telephone numbers anywhere you like but do not store them in your wallet as if someone steal your wallet you won’t be able to quickly retrieve the telephone numbers. Better to store them on your mobile phone address book, on the mobile phone of your partner and on an online location that you can access from anywhere such as EverNote, OneNoteDropbox , Google Drive or iCloud.
Now it’s time to record your card data because when your card is lost or you want to block it you shall be able to provide such info to the bank customer service representative.
The information you shall record are the card number, the expiry date and the Card Verification Value (also known as Security Code, CVV, CSC, CVV2), a small number made of three digits, that for the vast majority of the cards is indented on the back side of the card on the right had side of the signature panel. On the American Express Cards the security code is 4-digits long and is printed on the front, on the upper-right corner of the card number.
All this information, along with your card PIN shall be stored in your Password Keeper and never on a piece of paper.
At this point the envelope and the card carrier shall be destroyed, the best and easiest way is by burning them.

A Visa Classic card. The CVV is the “123” digits on the back side of the card.

Card handed over by a bank clerk 
The card is normally handed without any envelope and is passed to you by the bank representative along with a leaflet or a welcome letter. This method is known as Decentralized Card Personalization meaning that your card was personalized in the bank branch just minutes before it was given to you. This method eliminate possible interception of the envelope, reduce shipping charges and certainly improve customer satisfaction. Along with your new cards you are also receiving your new PIN number either by a security slip or by SMS. Some banks that implement Decentralized Card Personalization allow customers to choose their own card PIN.
Back home take some time to sign the card, record the bank hotline number and your new PIN number as explained above and – again – burn any paper that might be left in your hand.

A Visa Quick Read card. The CVV is “387” digits on the front side of the card.

Now you are ready to use your new Financial Card, let’s say withdraw cash from an ATM.

Here you shall apply a bit of precautions, as ATMs have been long time favorite targets from thief and criminal gangs. Be picky about what ATMs you use. Don’t go up to an ATM in a dark place. Find one that’s in a well-lit area, publicly visible and not tucked away somewhere. Also, don’t use ATMs with unusual signage or instructions, such as a command to enter your PIN twice to complete a transaction.

After you have identified your ATM it’s time to inspect it to check the presence of any foreign devices installed by criminals to steal your card data and/or PIN.

There are mainly four things you shall inspect:

  • Fake Pinpad

The aim of a Fake Pinpad is to capture the PIN of your card and utilize it to make a card clone. 
To check if a fake pinpad in installed wiggle, pull, shake the pinpad area, if you see something moving or even detaching means that a fake pinpad is installed. In the pictures below few examples of common fake pinpads.

A fake panel with pinpad and a card skimmer ready for installation.

A fake pinpad, applied as overlay over the genuine one.

  • PinHole Camera
    As alternative to a fake pinpad, some criminal gangs uses miniaturized cameras, so called PinHole Camera, that are installed in a way to capture the video of the moment you are entering your pin for later recovery and creation of a clone card. Checking for a PinHole Camera is relatively easy task because we need to look around for a small hole. As you can see from the below pictures the PinHole Camera can be sometime installed very near to the PinPad but some other time can be even installed above the ATM display or inside a leaflets holder. If you found any strange hole, do not use the ATM.
    A simple trick, that I strongly recommend to use all the times, is to cover the PinPad with your hand or with your wallet, while entering the card PIN.

A pinhole camera placed on upper part of the ATM display.

A pinhole camera installed nearby a pinpad.

Place your hand over the pinpad while entering your card PIN.


  • Card Skimmer device
    The scope of a Skimmer is to read the data encoded into your financial card magnetic stripe so to make a clone. This system is always used in conjunction with a fake keypad or a PinHole Camera because to use the cloned card the criminals need also the card PIN that is not stored in the card magnetic stripe.
    Skimmers reproduce the slot were the card is inserted in a way that fit the genuine card slot. In the fake slot is installed a tiny magnetic stripe reader and some electronics that stores the date/time and the data from all magnetic stripes inserted into the ATM. Periodically criminals remove the skimmers from the ATM to retrieve the data. Latest generation of card skimmers send the captured data via a Bluetooth connection to small handheld devices or more commonly to android smartphones loaded with specific apps.
    Some more sophisticated version of card skimmers are also able to transmit data using an integrated GSM module.

Installation of a skimming device on ATM.

The skimming device installed on the ATM.

It’s relatively easy to spot a card skimmer because of its thickness and the fact and most of this devices always leave gaps with the ATM.

If you think that the ATM you are going to use does have a card skimmer do not insert your card into it. Simply leave the place.

The Card Skimmer devices are extremely popular because they are cheap to assemble and very easy to use. The very real problem here is that to buy them is not even necessary to adventure on the Dark Web, and as a simple search on AliExpress shows that anyone can buy them.

A skimmer installed on a NCR ATM.

  • Card Shimmer device
    In order to reduce the frauds generated by magnetic stripe cards and to implement new services, the financial card industry adopted to add a security chip into the card, in addition to the magnetic stripe.
    Nowadays, the vast majority of financial institution issue chip-based credit and debit cards.
    The technology of the chip-based financial cards make this kind of cards extremely secure compared to the magnetic stripe technology, however, as technology and miniaturization advances, criminal minds quickly adopt new solutions to steal your card data.
    Several banks and police are starting to report the rise of a completely new generation of card skimmer, so called “Card Shimmers”. This extremely thin devices are installed inside the ATM card slot and act as man-in-the-middle, between your card chip and the chip reader of the ATM. Basically a Card Shimmer is able to record a whole card transaction (commands sent from ATM to Chip Card and reply from Chip Card to ATM) and those data can be later used to create a clone chip card.

Card Shimmers retrieved by Royal Canadian Mounted Police on ATMs in British Columbia.

Shimmers devices are very hard to detect and there is still no experts consensus about how to spot them. At this point of time, the only simple idea that is coming to my mind is those to inspect the ATM card slot with your cellphone flashlight looking for anything strange in the slot.

While doing all above checks, be always considerate and respectful of the property, do not break anything and enjoy your cash withdrawal!