Part 1: Skimmers, Shimmers, and You

When did you last swipe to pay?  That split second might seem harmless, but behind it sits a criminal ecosystem siphoning an estimated $50 billion a year, usually from the people who can afford it least. The nightly news gives you warnings and blurred photos, but never the real story. 

Skimmers aren’t petty scams. They’re engineered predators evolving inside our payment systems while misconceptions and outdated guidance keep the public in the dark.

This series is designed to cut through that fog. No fluff. No myths. Just a clean dissection of how modern skimmers are built, how they steal, and how investigators fight back. If you want to understand the hardware, the tactics, and the countermeasures that actually matter, you’re in the right place. Bring your curiosity. Let’s crack these devices open.

The Skimmer Problem

Payment card skimmers (aka skimmers) are fraudulent devices designed to swipe your data when you swipe your card. Criminals plant skimmers in retail stores, grocery stores, gas pumps, and ATMs to capture victims' payment information, which later gets cloned onto blank cards. 

The FBI puts the damage at more than $1 billion a year, and FICO’s annual skimming reports show the trend isn’t slowing. Their 2023 and 2024 data confirm a steady rise in incidents, even after the post-pandemic surge documented in 2022.

Behind those numbers sits the part most people never see. The highest-impact victims aren’t big spenders. They’re citizens on government benefits whose EBT cards still rely on insecure magstripe payments, leaving them exposed while chip-enabled consumers move on safely. Skimmers hit where defenses are weakest, and the people with the least cushion pay the price.

Expertise from the Front Lines

In DivisionHex at Coalfire, I lead forensic analysis for skimmer investigations, having analyzed the hardware and code behind more than a hundred fraudulent payment devices. Three years of reverse engineering these attacks led to collaboration on joint operations with major retailers and eventually into the International Association of Financial Crimes Investigators (IAFCI)SAPTA Working Group. SAPTA, the Skimming and Payment Terminal Attack group, unites public and private investigators who are focused on keeping digital payments secure.

"The IAFCI Skimming and Payment Terminal Attack working group indicates that skimming-related crimes are estimated to cost businesses and consumers at least $1 billion annually in the United States, but industry experts believe the true losses could be much higher—potentially approaching $50 billion—due to significant underreporting and evolving criminal tactics. As technology advances, so do the methods used by criminals. SAPTA is committed to breaking down barriers between the public and private sectors, fostering collaboration and information sharing. There is no such thing as competition when it comes to combating fraud".  - SAPTA Working Group, IAFCI

Within SAPTA, I serve as a core member of SAPTA-Tech, the team focused on advanced analytical techniques for identifying compromised cards and extracting evidence from recovered devices. After presenting my research at Hardwear.io USA 2025, the skimmer landscape continued to shift. By November 2025, I was presenting alongside Kroger’s skimmer expert, Jon Buffington, at SAPTA’s eighth annual working group meeting.

"Skimmers continue to evolve in both sophistication and concealment, which is why close collaboration between retailers, law enforcement, and forensic examiners is more important than ever. By combining real-world incident response with detailed hardware and firmware analysis, we're able to identify threats faster, create rapid defensive measures to combat criminal activity, and reduce customer exposure more effectively." - Jon Buffington, Advanced Security Engineer, Enterprise Security Operations, The Kroger Co.

How do Skimmers Work? 

Skimmers come with plenty of misconceptions, and most of them center on what payment methods these devices can actually capture. Traditional skimmers target the magnetic stripe, pulling unencrypted data straight off a swiped card. 

For the average consumer, chip and contactless payments feel safer, and in most cases they are. But “safer” doesn’t mean immune. A copy of that same magstripe data lives unencrypted inside the chip itself. If an attacker builds a device that knows where to look, it can still rip sensitive information from what people assume is a secure transaction.

Point-of-Sale vs. ATM vs. Gas Pump Skimmers

Skimmers are parasitic devices that aim to keep their host (the payment terminal) alive and operational while quietly capturing victims' information. They can essentially take the form of any payment terminal that criminals decide to target.

Point-of-Sale Skimmers

Point-of-sale terminals have taken the hardest hit in the recent surge of skimmer activity. Criminals can deploy these devices in seconds, often slipping them into place while an employee looks away. The overlays are battery-powered and engineered to avoid triggering the terminal’s anti-tamper sensors. By sitting directly on top of the legitimate hardware, they add a second malicious keypad that records the victim’s PIN as they press both the real and the fake keys.

To capture swiped cards, attackers embed a magnetic read head into the terminal’s swipe path. For data retrieval, modern skimmers use Bluetooth, allowing criminals to pull stolen card data from nearby mobile devices with zero physical contact. Some units keep Bluetooth dormant to save power until the operator wakes the device with a quick magnet swipe. Others broadcast constantly, making them detectable to retailers and law enforcement teams running the right discovery tools.

ATM Skimmers

ATM skimmers have been in play for decades, and despite new hardware defenses, their core functionality hasn’t changed much. Attackers deploy two primary variants: overlay skimmers that mimic point-of-sale attacks, and deep-insert skimmers that hide entirely inside the ATM’s card slot. Overlay units sit on top of the real fascia and capture magnetic stripe data as cards pass through, just like their retail counterparts.

Where ATMs diverge is in PIN theft. Some criminals use classic keypad overlays, but many escalate to a separate device outfitted with a pinhole camera, giving them a clean view of victims entering their PINs. It’s low profile, high yield, and still one of the most effective combos in the skimmer playbook.

Deep-insert skimmers push stealth to the extreme, hiding so far inside the ATM’s throat that even a cautious customer won’t spot them. Criminals accept the trade-off: limited internal space makes these devices harder to detect but also forces them to run on tiny batteries, far smaller than what overlay skimmers can carry. With power at a premium, deep-insert units skip power-hungry Bluetooth entirely. Operators extract them using a specialized retrieval tool, then pull the stolen data through a serial cable dump once the device is out.

Gas Pump Skimmers

Gas pump skimmers come in overlay and deep-insert variants, but they also introduce a third breed of parasitic device. Criminals use widely shared pump cabinet keys to get inside the housing and plant hardware directly in the payment path. These units tap into the card reader’s serial connector, pulling power straight from the pump so they never need a battery. By capturing unencrypted payment traffic, they passively monitor every transaction without touching the PIN pad or card slot, making them far harder to detect than surface-level attacks.

Once deployed, operators pull the stolen data wirelessly over Bluetooth, avoiding any need to reopen the pump. For a deeper look at this attack class, SparkFun produced a full reverse-engineering breakdown of a gas pump skimmer that shows exactly how these devices operate.

Modernization of EBT Cards

For most consumers, the question “When did you last swipe to pay?” might be impossible to answer. Chip and contactless payments have taken over. 

But for millions of Americans on government benefits, swiping is still mandatory. Every state except California still requires Electronic Benefits Transfer (EBT) users to swipe their cards, forcing them into the most vulnerable payment method with no chip or contactless alternative.

The impact is brutal. In multiple skimmer dumps, over half the compromised cards were EBT. The fraud became so widespread that states can no longer reimburse victims with federal funds. 

California, one of the hardest-hit states, was the first to roll out chip-enabled EBT cards. While the federal government has encouraged states to update their EBT cards, there are no guarantees or time frames.

The USDA’s “SNAP EBT Modernization” roadmap shows only four states currently moving toward chip upgrades, leaving the majority of EBT users exposed with no clear timeline for relief.

Our Research

As industry partners to both retailers and law enforcement, I work across teams to handle the digital forensics behind skimmer investigations. Local agencies often have limited technical resources, which means recovered devices sit in evidence lockers for months, untouched and unanalyzed. The stolen data inside them is rarely recovered or reported, leaving victims unaware that their card was ever compromised.

That gap is exactly why public and private collaboration has become a force multiplier. Law enforcement can stay focused on tracking the criminals, while specialists dig into the hardware, extract breadcrumbs, and reverse-engineer the devices that fuel these attacks. It’s coordinated work, and it’s the only way to stay ahead of an adversary that constantly innovates.

In the next part of this series, I'll dive into the anatomy of a skimmer attack, how both consumers and businesses alike can spot these devices, and introduce my research into card shimmers.