ATM skimming remains threat

ATM skimming can be a pretty local affair, and typically garners none of the national headlines that payment breaches of big box stores receive. Nonetheless, this form of theft racks up millions of dollars in losses each year—losses generally charged to financial institutions rather than the ATM/debit card holders.

Actual dollar loss statistics are hard to come by. In one report, an NCR spokesman estimates the direct losses globally amount to more than $3 billion.

A recent white paper prepared by the ATM Security Association— estimates skimming losses in Europe alone amounted to about $343 million in 2014. This organization also estimates that the average cost of a skimming incident rose 18% in 2014 over the previous year, to about $61,000.

Last year FICO detected a 174% increase in card and PIN-skimming points of compromise, year over year, at U.S. bank-owned ATMs compared with 2014.

Other indications of the upsurge in ATM skimming attacks come in the form of local news alerts. A simple internet search reveals several news reports in 2015 about warnings from the U.S. Secret Service about likely ATM skimming scams. These happened to be located in St. Louis, New Orleans, and across North Carolina. Also last year, NCR saw fit to issue a security update in which it said it was tracking an increasing frequency of card skimming attacks in both the U.S. and Mexico.

All this comes on the heels of a notorious case in New York City in which a group of Romanian natives were caught and sentenced in 2014 for a scheme that had stolen almost $1 million from ATMs throughout the city.

Radar should be on this

Banks, in particular, ought to put this particular threat on the front burner, if only for liability purposes. According to the Federal Trade Commission, a customer is liable for only $50 of losses if, within two business days, he or she learns about and reports the loss or theft of a card. If after two business days but less than 60 calendar days the victim reports the loss or theft, that person’s liability is limited to $500.

On the one hand ATM skimming is unique in that it bridges the gap between very low technology—crooks using plastic to trap cards in the ATM slot—and relatively high technology—using Bluetooth systems to snitch card data wirelessly.

On the other hand, it is quite common, both in frequency and in the fact that it is a particularly insidious crime. The ATM Security Association’s European ATM Security Team, in its white paper, details the various methods crooks use to skim ATMs, while cataloging the various methods to deter the crime—and their generally lagging effectiveness.

Skimming and stripe vs. chip-and-PIN debate

In short, the organization says, ATM skimming will continue to be a formidable threat until every country, including the United States, fully adopts EMV, or chip-and-PIN, card technology.

“It is clear that the presence of the magnetic stripe on payment cards is the underlying cause of the persistent threat of skimming and card compromise at the ATM,” it says in its conclusions. “The strategic goal of the card payment industry needs to be to remove the magnetic stripe from the card once the global migration to EMV is complete and correctly implemented.”

Latest on skimming methods

Briefly, the ATM organization lists these most common ATM skimming methods:

• Digital skimming—A device copies the magnetic stripe data, encrypts the data, and then transmits the data to the criminal’s computer, who uses it to make counterfeit cards.

• Analog skimming—The data is stored as an audio file, using an MP3 or MP4 player, which is later converted back into digital data. A variation of this includes an off-the-shelf software decoding program that can strip away any kind of jamming the bank may have employed to deter skimming.

• Stereo skimming—Two data-read heads are used simultaneously, one of which records both the jamming signal and the card data signal, the other records just the jamming signal. Later, the latter recording can be used to strip away the jamming from the card data.

• Card trapping—The criminal inserts a device into the entrance to the card reader that seizes the card so that the cardholder cannot retrieve it. When the victim leaves the ATM, the criminal quickly comes in and steals the card.

Common to all of these methods is the concurrent use of pinhole cameras or false keypad plates that can record the victim’s PIN as it is entered.

Countermeasures don’t always cut it

The ATM Security Association also evaluates the various countermeasures ATM owners and manufacturers currently use.

Some now seem to be better than others—sensors that can detect physical attacks in the area of the card reader, for example, generally work better than redesigning the physical surround in the area of the card slot. For more details about other countermeasures, access the free white paper.

In the meantime, the association advocates a four-step plan:

1. Establish global ATM security industry standards for existing and new ATMs.

2. Develop and provide a reliable, independent means of evaluating available solutions against criminal attacks.

3. Establish a reliable, up-to-date source of information on the latest skimming techniques, to be used by deployers and technology providers.

4. Include a proactive and timely way to share information between technology suppliers and deployers about new hardware and software updates to defend against new threats.

“Skimming has never been a bigger challenge globally and criminal techniques are varied and constantly evolving,” the white paper concludes.The ATM Security Association's white paper details the various methods crooks use to skim ATMs, while cataloging the various methods to deter the crime—and their generally lagging effectiveness.