This kind of fraud has been a popular trend for a while now in the criminal world, said Chester Wisniewski, a senior security adviser for the enterprise computer security company Sophos Inc. who writes for the company's Naked Security blog.
“I'm getting asked about it more frequently,” he said.
Many of the thieves committing credit card/debit card fraud — known as “carders” — are highly organized and connected to international rings, he said. The types of devices they use to commit the fraud may differ depending on the machine and the sophistication of the carders, but the intent to steal people's account numbers is the same.
“In essence, your card is going through two readers instead of one,” he said, adding the legitimate transaction still occurs.
One problem is that the U.S. is one of the few countries in the world still using a magnetic strip on credit cards to read transactions, Wisniewski said. Most other countries use “chip-and-PIN” cards, which have an added layer of security that requires a person to enter a PIN while inserting the card in a device.
“The instance of fraud in the United States is much higher than the rest of the world,” Wisniewski said.
So even if you steal a card number elsewhere, you'll likely come to the United States to commit the fraud, he added.
It happens most often at ATMs, but he has heard of credit card readers being swapped with fake ones at retail stores, as well, while distracting or tricking an employee.
“I'd be a nervous wreck. I'd never be able to pull it off,” he said.
You can 3D-print the skimmers, but you can buy everything you need over the Internet — blank cards to create your own credit cards, gas pump and ATM skimmers, etc.
The sites that have these items are kind of like a “criminal eBay,” Wisniewski said.
The investigation into the Oklahoma fraud started when the banks noticed strange activity on the accounts when the men started cashing in on the accounts and alerted law enforcement.
“We had some very early detection and really jumped on it,” said Scott Flowers, executive vice president and chief banking officer of First United Bank of Durant, which was one of the defrauded banks. The others, according to the indictment, were Arvest Bank of Oklahoma; and First Texoma National Bank, Landmark Bank, and Shamrock Bank, all of Durant.
Flowers said banks have a lot of systems in place to prevent fraud on their ATMs, including sophisticated anti-skimming devices, but people swipe their cards in other places like gas pumps and grocery stores, and the criminals have adapted with them.
“Technology breeds technology, and it's just the way it is,” Flowers said. “Money is the thing, and how do I get it?”