ATM security is like an ongoing race between the good guys and bad guys. As soon as the industry develops a technological advantage to defeat ATM skimming, it seems criminals find another way to steal card data.
Last year, ATM skimming attacks jumped by 12 percent and now represent 92 percent of all fraud at the ATM, making skimming the number one ATM crime globally.
ATM skimming is a global threat with low risk and high profit for organized crime. The 2.5 million ATMs worldwide are an attractive, lucrative target for criminals, says Claire Shufflebotham, global security director with TMD Security.
Global losses from skimming are estimated at over $2 billion annually and growing. According to a report from the U.S. Secret Service, the cost of an ATM skimming incident in the U.S. has risen to $50,000 on average, up from $30,000 a few years ago.
With the global migration from magnetic stripe to EMV technology, experts warn card fraud will shift to the weakest link — to countries like the United States that have not widely adopted chip and PIN technology.
John Buzzard, client relations manager for FICO Card Alert Service, predicts the types of fraud we saw in 2013, such as the malware incident on ATMs in Mexico and corporate security breaches, will continue in 2014.
He says statistics show fraudsters prefer ATMs located at financial institutions. However, he cautions that as we move to a more self-service environment and begin using kiosks that accept cards and PINs, we will begin to see more fraud at non-traditional locations such as post offices, cafes and transit authorities. In fact, statistics show this is already beginning to happen.
Understanding ATM Skimming Technology
Digital and analogue skimming attacks are the most common techniques used by criminals to steal data stored on a magnetic stripe.
In a digital skimming attack, criminals place a device which looks like a card reader on the ATM and copy the data when the card is passed over the device. The data is typically stored in the memory of the skimmer and is downloaded to a PC where it can be read and used to make fake cards. In an analogue card skimming attack, criminals record the sound of the card data signal during the transaction. The data is then retrieved from the recording and used for fraudulent purposes.
Douglas Russell, director of DFR Risk Management, says anti-skimming devices have been extremely successful in distorting card data, making it more difficult for criminals to extract it. He says anti-skimming devices that use a form of electromagnetic signal to distort or jam the data are a very good defense against digital and analogue skimmers.
But, he says, criminals don’t give up and there is no lack of technology available to assist them in their fraudulent endeavors. As the industry responds to skimming attacks, we are seeing criminals improve on the effectiveness of their technique and develop new technology to defeat preventive measures.
A new skimming technique called stereo skimming undermines anti-skimming solutions. In this type of attack, the criminal uses a skimmer with two heads, which allows them to record both the jamming signal and the card data signal. The card data signal is then isolated from the jamming signal and converted into an analogue or digital format.
Russell says there is no proof stereo skimming is being used today in the marketplace. However, it is extremely feasible, and he predicts we will begin to see more sophisticated skimming techniques like stereo skimming in the near future.
EMV’s Impact on ATM Skimming
Despite EMV migration around the world, card fraud is still a major problem and losses continue to rise as non-universal adoption of EMV fosters cross-border fraud.
In 2012, with full adoption of EMV technology at the ATM in Europe, deployers reported skimming attacks fell by seven percent. But international losses increased by 55 percent that same year, according to Shufflebotham’s presentation. Criminals simply moved to the weakest link and are now committing fraud in countries that have not fully implemented chip and PIN technology, such as the United States, Dominican Republic, Brazil, Mexico, Peru and Thailand.
EMV chip technology is far more secure than magnetic stripe and virtually impossible to skim. However, until magnetic stripe technology is completely phased out, it will continue to be an attractive target for criminals because it is easy to steal, according to Buzzard.
And so the race between the good guys and the bad guys goes on … until the entire world fully implements EMV technology.
ATMIA members can download Best Practices to learn more about tried and true methods to combat ATM skimming.
May 6, 2014 By Nancy