ELI5: How do ATM skimmers work?

5 Answers

Anonymous 0 Comments

The goal of such a setup is to capture the information stored in the magnetic stripe as it’s passed in/out of the machine in order to create a copy of the card.

Often some attempt to capture the PIN as well may be employed, such as a camera aimed to record the keypad.

Anonymous 0 Comments

If you swipe a card through the reader at the store, it reads the card, and uses it to buy something.

If I was clever, I could duct tape two readers together, end-to-end, in such a way that you could swipe your card through both of them in one motion. You swipe your card only once, but it went past two readers now. So it buys two things instead of just one thing.

If I was even more clever, I could shrink the readers down so that they both fit into the size of a single reader. When you come to swipe your card, you only see one reader, so you think you’re buying one thing. But in reality, there are two separate readers crammed in there, making you buy two things.

A credit card skimmer is essentially a tiny extra credit card reader that nefarious people will stick onto the outside of or hide inside of genuine readers, so that when you stick your card through them, both readers see your card. As far as you know, you just used a single reader to do a single thing, but without your knowledge, a second reader has also read your card and can then use it to buy things just like the first reader can.

Usually they won’t actually make a payment right away at the moment of scanning. Many fraud detection hits would point to the infected reader and lead authorities straight to it. Instead, the reader will simply store the credit cards it sees in a list. The criminal can retrieve their skimmer and its stored list, get far away from where they planted it, and start trying those stolen cards one-by-one to see if any of them will buy something. Most probably won’t, as fraud detection is quite sophisticated these days. But some unlucky ones will. And there’s not really much to be done about the criminal as they and their skimmer are probably long gone by now.

Anonymous 0 Comments

The magnetic strip on your card has all the data necessary to complete a transaction. The skimmer goes over the card reader you intend to use, so it can read that info when you go to use your card. The skimmer can either save that information to be collected later or transmit the information.

Anonymous 0 Comments

To add to the other comments: they don’t, at least not in the EU (unless you have a tourist with an unsecure card, so I guess if you’re an American in Europe, you should probably watch out).

The information you can skim off the magnetic strip is only useful for cardholder not present transactions, and is insufficient for that purpose. There must be additional checks beyond simple card details to process a cardholder not present transaction.

Cardholder not present transactions still account for the vast bulk of card fraud, but it’s from avenues such as malware and social engineering rather than ATM skimming.

Anonymous 0 Comments

Let me glue together some of the comments here.

There are currently a few kinds of transaction that can happen at the reader, and a PIN may or may not be collected.

The first kind of transaction involves just a card number. The person making this transaction may not need your expiration date, security code, or any other kinds of information. Obviously, this isn’t very safe. These are very commonly involved in fraud.

Another kind involves the card number plus some other information like the expiration date and the security code. These things are harder for a skimmer to scan (and often not possible) so they are less commonly involved in fraud.

Another kind involves the “chip” on modern cards. That kind of transaction involves some fancy math and encryption that skimmers can’t break yet.

Then there’s your PIN, which may have to be entered at the reader.

The swipey kind of reader uses the magnetic strip on your card. That strip has your card number on it. That’s it. A skimmer hides a second reader inside the main reader. That secondary reader simply records every card number it sees and doesn’t interfere with your purchase.

If you happen to have to enter a PIN, the sophisticated skimmers might have a camera pointed at the PIN pad to try and capture that PIN. Then they have your card number and your PIN.

This means someone who skims your card can make a “card number only” transaction with your card. They can have a higher chance of success if they also steal your PIN. Let’s come back to this.

The “chip” readers require you to insert the card so the metal “chip” comes into contact with some things inside the reader. Ultimately the chip is a tiny computer that gets powered by the reader. Your bank sends some numbers to the chip. The chip sends some numbers back to the bank. There is some math that involves secret numbers inside the chip that ONLY the bank knows, and if the numbers the bank gets back check out it accepts the transaction. In theory a skimmer could intercept this traffic. HOWEVER, the bank sends your chip different numbers every time, and encryption math is made so knowing the “answer” to one number doesn’t make it easier to guess the “answer” to another. The skimmer would have to see *billions* of transactions to “break” a chip card. So basically, it’s not feasible to break this encryption yet. The chip is built in a way you can’t really get the secret numbers off it.

HOWEVER, sometimes the magnetic strip has enough of your card number the chip reader STILL has room for a skimmer that can get your number off it. I see this more at gas stations, where they have a combo reader that can handle chip cards OR swipe cards in the same reader. So even though your chip transaction is safe, they can still steal your number and maybe your PIN.

## Why’s all this matter?

Well, when it comes to fraud prevention and liability, the card companies have a sliding scale. They don’t like “number only” transactions, even if they have PINs. They tend to scrutinize these a little more and if fraud happens with them it’s more likely the vendor is going to be responsible for making it up. Still, a lot of businesses use them so someone with a skimmer can get away with a lot.

They also don’t really like magnetic swipe transactions so much anymore. Those are technically still “number only”. It’s cheap and easy to make a device that puts a number on a magnetic strip. So someone with a skimmer can make a “fake” version of your card and try it at a store. Especially if they have your PIN.

Card companies as of a few years ago do not offer much mercy if fraud happens with these readers. They want stores to upgrade to chip readers. But that costs money, and using the chip service incurs more fees. Lots of small businesses don’t want to deal with that. So they buy the stripe-only readers and risk more fraud liability.

Right now card companies give the best “deal” to fraud cases where a chip reader was used. They have an investigation, and if they find out there was an equipment failure or some other condition the store might get some or all of the money back. In practice this only really happens if cards are *stolen* because the chips can’t really be duplicated or “broken”.

## So to summarize:

Skimmers work because of capitalism. A lot of stores do not want to pay the extra fees or spend the extra money for chip readers. So they use a kind of card reader that is susceptible to helping people steal cards and also helping people use stolen cards. If the card companies made it cost the same to operate chip cards as swipe readers more people would use them. But they get the best of both worlds: they get more money for chip cards *and* don’t have to foot the bill when stores that don’t pay extra get fraudulent swipes. Some countries moved 100% to chip readers.
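
Added example, not part of any answer above: a simplified Python model of the point made in the last answer, that static stripe data passes again when replayed while a chip's answer to one challenge is useless against the next. The `Issuer`, `Chip` and `demo` names, the constructed card value and the use of HMAC-SHA256 are assumptions for illustration; real chip cards use their own cryptogram scheme.

```python
import hashlib
import hmac
import secrets

class Issuer:
    """Toy bank: knows each card number and the secret inside its chip."""
    def __init__(self):
        self.cards = {}    # card number -> chip secret key
        self.pending = {}  # card number -> outstanding challenge

    def enroll(self, number):
        self.cards[number] = secrets.token_bytes(32)
        return self.cards[number]  # loaded into the chip when the card is made

    def approve_stripe(self, number):
        # Static data only: whoever presents the number passes this check.
        return number in self.cards

    def new_challenge(self, number):
        self.pending[number] = secrets.token_bytes(16)  # different every time
        return self.pending[number]

    def approve_chip(self, number, response):
        challenge = self.pending.pop(number, None)  # each challenge is single use
        if challenge is None or number not in self.cards:
            return False
        expected = hmac.new(self.cards[number], challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

class Chip:
    """The card's tiny computer: answers challenges, never outputs the key."""
    def __init__(self, number, key):
        self.number, self._key = number, key

    def respond(self, challenge):
        return hmac.new(self._key, challenge, hashlib.sha256).digest()

def demo():
    bank = Issuer()
    number = "0000-CONSTRUCTED-CARD"  # constructed sample, not a real card number
    chip = Chip(number, bank.enroll(number))
    # What crosses the reader in each mode, i.e. all a recorder could capture.
    seen_stripe = number
    challenge = bank.new_challenge(number)
    seen_response = chip.respond(challenge)
    genuine_ok = bank.approve_chip(number, seen_response)
    stripe_replay_ok = bank.approve_stripe(seen_stripe)
    bank.new_challenge(number)  # next transaction gets new numbers
    chip_replay_ok = bank.approve_chip(number, seen_response)
    return genuine_ok, stripe_replay_ok, chip_replay_ok
```

`demo()` returns whether the genuine chip transaction, the replayed stripe data and the replayed chip response were each approved by the toy issuer.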