In January 2011, a pair of Bulgarian-born Canadians named Nikolai Ivanov and Dimitar Stamatov took a road trip from their home in Quebec to New York City. Their five-day visit to Manhattan’s East Village and Astor Place wasn’t your typical tourist trek, though; instead of Statue of Liberty souvenirs, the pair collected the card data and personal identification numbers for over 1,100 ATM cards. Ivanov and Stamatov were "skimmers."

Skimming isn’t new—it’s been around almost as long as ATM machines. But Ivanov and Stamatov benefitted from a new generation of skimming technology that has turned the once-difficult crime into a mass-market business. Using pre-fabricated gear perfectly matched to the hardware of Chase Bank ATMs, they were able to read the magnetic stripe off of victims' cards and even record victims punching in their PINs. After this bit of fun, the duo went on a cross-country withdrawal spree using clones made from their victims' cards, pulling over $264,000 in cash from machines in Arizona, Illinois, and Canada.

The road trip proved so successful that the two men returned to New York again in May 2011, this time bringing Ivanov’s younger brother Iordan along for the ride. But the second skimming trip had a different conclusion; New York City police caught Ivanov and Stamatov as they were removing their gear from an ATM machine at the Chase branch at 785 Broadway (Iordan escaped back to Canada). By then, according to later admissions in court, the two men had amassed over $280,000 in fraudulent withdrawals and transactions—most of which were sent to relatives back in Bulgaria.

Skimming has been a problem for decades, but it’s become increasingly common in the past five years—and it’s spreading. Tracie Gerstenberg, who does anti-skimming business development for Tyco Integrated Security (formerly ADT), said that while skimming was previously focused in large metro areas like “New York City, Chicago, southern California, and the entire state of Florida, really,” it has recently become prevalent in smaller suburban settings where people “aren’t as educated about skimming.”

Skimmers are getting away with more and more cash, as well. In 2010, according to Secret Service figures, skimmers netted an average of $30,000 per incident; in 2011, their take rose to $50,000. By comparison, “The average bank robbery might be around $3,000 to $4,000,” said Doug Johnson, vice president of risk management policy at the American Bankers Association. (Economists have recently shown exactly why robbing banks doesn't pay.)

The scam has moved beyond ATMs. Skimmers now attach card readers to gas pumps across the US, capturing both credit and debit card data. Self-checkout machines at grocery stores have been targeted, too. And one larger criminal organization in New York was paying waiters to collect their well-heeled customers’ credit card data last year with hand-held card readers. That ring took in $1.2 million in cash as fake credit cards were used to purchase handbags, watches, and other luxury goods to be resold.

The US explosion in skimming has been driven, in part, by the low-tech nature of most US credit cards, which are still tethered to the same technology used for nearly 50 years: the magnetic stripe. Credit and debit cards in other parts of the world still use the magnetic stripe, of course, but in many places only as a backup to “smart” chip systems commonly referred to as “chip and PIN” or “EMV” (for EuroPay, MasterCard, and Visa, the companies driving cryptographically equipped smart cards in Europe and elsewhere). While chip-and-PIN-based ATMs and point-of-sale systems have reduced the volume of skimming fraud in Europe, Johnson says that the US has become the “preferred place to cash out” for skimmers from around the globe. “That’s obviously something we’d like to defeat,” he added.

To fight the trend, banks have answered with counter-skimming technology—everything from sensors that detect devices being attached to card readers to jammers that block external readers from recording and transmitting card data. But at the level of the card itself, any wholesale move away from the magnetic stripe remains years off, mostly due to the lack of financial incentive for card issuers and merchants to invest in the new tech, and because of the long life cycles of ATMs and point-of-sale systems.

Magnetic card data: what’s in your wallet?

To understand why skimming is such a problem, you have to understand the nature of the standard credit or debit card. Despite the introduction of “chip and PIN” technology elsewhere and all the talk of near field communications (NFC) and wireless payments here, the US payment card system has not changed significantly since the magnetic stripe was added to cards in the 1960s. As we’ve become more reliant on credit and debit cards for our daily transactions, the cards have become the target of criminals for the same reason Willie Sutton said he robbed banks: they’re where the money is.

The basics of skimming are not exactly rocket science: capture the magnetically encoded data from a credit or debit card and record it to a blank card or sell it to someone else who will. “Anytime anyone gets the dump of a credit card—the full dump—if you make a copy with it, it’s as good as the original,” said Ondrej Krehel, Information Security Officer at Identity Theft 911, a data risk management consulting firm in New York.

The data on a magnetic card is stored in binary form using a technique called Frequency/Double Frequency (F2F) encoding (also known as Aiken Biphase encoding). An unencoded magnetic track—one with no data—is completely magnetically consistent, with the poles of each of the permanent magnets embedded in the track facing the same direction.

The encoding of a credit card starts by laying down markers that define the length of each bit. A marker gets created by forcing a magnet within the strip to flip its polarity—creating a region of magnetic flux where two like poles push right up against each other. These flux transitions create a “clock” signal that can be detected by a magnetic card reader as a series of spikes at the boundaries of each bit. When converted to binary data by a reader, these are translated as zeros. To write a 1 to the track, an additional point of flux is inserted between the clock transitions, adding an extra flux point to the wave.
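The clocking scheme described above, as an added example that is not part of the original article: a Python model that turns bits into the spacing between flux transitions and back. The function names, the 0.75 threshold and the idealised, noise-free timings are assumptions made for illustration.

```python
def f2f_encode(bits, cell=100.0, speedup=1.0):
    """Return the intervals between successive flux transitions for a bit list.

    speedup < 1 shrinks every later bit cell, modelling an accelerating swipe.
    """
    intervals = []
    for bit in bits:
        if bit:
            intervals += [cell / 2, cell / 2]  # extra mid-cell transition: a 1
        else:
            intervals.append(cell)             # boundary transitions only: a 0
        cell *= speedup
    return intervals


def f2f_decode(intervals, clocking_zeros=4):
    """Recover bits from transition intervals while tracking the cell length.

    Assumes the track opens with at least `clocking_zeros` zero bits.
    """
    # The leading clocking zeros give the reader its first cell-length estimate.
    cell = sum(intervals[:clocking_zeros]) / clocking_zeros
    bits, i = [], 0
    while i < len(intervals):
        if intervals[i] > 0.75 * cell:
            # One full-length interval between transitions: a 0.
            bits.append(0)
            cell = intervals[i]
            i += 1
        else:
            # A short interval is the first half of a 1; it needs a second half.
            if i + 1 >= len(intervals):
                raise ValueError("dangling half-cell at end of track")
            bits.append(1)
            cell = intervals[i] + intervals[i + 1]
            i += 2
    return bits


if __name__ == "__main__":
    sample = [0, 0, 0, 0, 1, 1, 0, 1, 0, 0, 1]  # constructed bit pattern
    print(f2f_decode(f2f_encode(sample, speedup=0.98)))
```

Because the decoder re-estimates the cell length after every bit, it follows the swipe speed instead of relying on a fixed clock.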

The standard format for credit and debit cards (and most other magnetic cards) uses three tracks to store data, each about 2.8 millimeters wide, with Track 1 closest to the edge of the card. Some payment cards with thinner magnetic stripes only use two tracks, because most credit cards only store data in Track 1 and 2, in a format defined by the International Organization for Standardization’s ISO/IEC 7813 specification.

Track 1 contains all the data associated with the card, including the primary account number, the name of the holder, the expiration date, a card security code (typically, it’s not the same as the one printed on the card), and a longitudinal redundancy check value used to spot read errors. Data on Track 1 is encoded in 7-bit characters (6 bits for the data, plus one for parity). Track 2 holds mostly the same data, minus the cardholder’s name; its data is encoded in 5-bit characters (four plus one for parity). Both Track 1 and Track 2 start with a series of “clocking zeros” to provide readers the base clock frequency so they can count the data bits properly, and they begin and end the real data with “sentinel” symbols that alert the reader where to actually look for data.
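An added example (not from the original article) of the Track 2 framing described above: a reader-side check that finds the start sentinel, verifies each 5-bit character's parity and then the longitudinal redundancy check. It assumes the ISO/IEC 7811 conventions of least-significant-bit-first data with odd parity; the account data is constructed and the function names are illustrative.

```python
CHARSET = "0123456789:;<=>?"  # Track 2 symbols: ';' start, '=' separator, '?' end


def encode_char(value):
    """Four data bits, least significant first, followed by an odd-parity bit."""
    data = [(value >> i) & 1 for i in range(4)]
    return data + [1 - sum(data) % 2]


def make_sample(text, clocking_zeros=8):
    """Build a constructed Track 2 bitstream (test data for the reader below)."""
    values = [CHARSET.index(c) for c in text]
    lrc = 0
    for v in values:
        lrc ^= v  # even parity per bit column across all characters
    bits = [0] * clocking_zeros
    for v in values + [lrc]:
        bits += encode_char(v)
    return bits + [0] * clocking_zeros


def read_track2(bits):
    """Decode a Track 2 bitstream; raise ValueError on a parity or LRC failure."""
    start = encode_char(CHARSET.index(";"))
    pos = next((i for i in range(len(bits) - 4) if bits[i:i + 5] == start), None)
    if pos is None:
        raise ValueError("no start sentinel")
    text, lrc = "", 0
    while pos + 5 <= len(bits):
        chunk = bits[pos:pos + 5]
        pos += 5
        if sum(chunk) % 2 != 1:
            raise ValueError(f"parity error in character {len(text)}")
        value = sum(b << i for i, b in enumerate(chunk[:4]))
        lrc ^= value
        if text.endswith("?"):  # the character after the end sentinel is the LRC
            if lrc != 0:
                raise ValueError("LRC mismatch")
            return text
        text += CHARSET[value]
    raise ValueError("track ended before LRC")
```

Both checks are computed from the track data itself, so they catch read errors only; a bit-for-bit copy passes them exactly as the original does.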

The third, less-frequently used track’s data is formatted according to another ISO spec, ISO/IEC 4909. Track 3 was designed to be writeable, to provide a way for prepaid cards and other payment cards to carry balance information. But few credit or payment cards use this track and most point-of-sale systems ignore the data.

For skimmers, the main trick is to record all this magnetic data and to do so without the cardholder noticing.