ATM attacks have shifted from basic skimming into attacks on ATM software and ATM networks, fraudulent mobile alerts, and account takeover via stolen information and call centers, according to a report released Tuesday by Javelin Strategy & Research.
Traditional skimming is being replaced by more sophisticated attacks as criminals have become more organized and global, said Robert Vamosi, analyst at the Pleasanton, Calif.-based research firm and author of the report. "Now what we're seeing is use of malware inside the ATMs or somewhere along the ATM network that takes the same data and gives it to the criminals."
For example, there have been ATM attacks in which apparent maintenance crews opened up ATMs and installed malware on the machines, he said. Early last year, Diebold Inc. issued a security update for its Windows-based ATMs after criminals attacked a number of them in Russia and installed malware designed to steal sensitive data. In other cases, such as in the RBS WorldPay heist, criminals target the backend, where the ATM interfaces with other networks at a financial institution, Vamosi said.
"Someone can gain access through administrative privileges to encrypted PIN data, then use a laptop computer to reverse the encryption on the PINs," he said.
The industry's movement towards Triple DES encryption for all ATMs will help buffer against such attacks, he added. Additional steps to mitigate attacks on ATM software include using security software that protects against malware or injection attacks, and using encrypted PIN pads in ATMs that are compliant with the PCI Data Security Standard, according to Vamosi. He noted that the attacks on Diebold ATMs in Russia were a result of flaws in a non-PCI-compliant keypad.
Other ATM attacks involve sending banking customers fake SMS alerts urging them to provide their account numbers and PINs; criminals then use the stolen data to create a cloned card. Criminals also might change a person's PIN and take over the account by using stolen personal data in a call to a bank's call center.
Ten percent of fraud victims in the U.S. experienced fraudulent ATM withdrawals, according to the Javelin study, which surveyed 3,294 consumers online in November. The report also incorporates data collected via a phone survey of 4,784 consumers.
Twenty-three percent of those who experienced fraudulent ATM withdrawals left their primary financial institution, the study showed.
According to Javelin, ATM PIN fraud may increase in the U.S. as Mexico and Canada migrate to EMV chip standards, which help prevent skimming attacks.