In the minds of most banking customers, an ATM is a safe place to check accounts and get cash. But increasingly, ATMs are becoming fraud traps for unwitting customers. This February in Boston, for instance, three people were caught planting fake card readers on ATMs owned by Bank of America and Citizens Bank. They racked up $137,000 in ill-gotten gains before being arrested.
Putting fake card readers on ATMs to capture card data -- called "skimming" -- is a rapidly growing crime in the U.S. and around the world, experts said. According to Diana Kelley, founder of consulting firm SecurityCurve, ATM card skimming costs banks and consumers worldwide approximately a billion dollars annually.
In the U.S., 10% of all fraud victims experienced fraudulent ATM cash withdrawals and as a result, 23% of those left their primary financial institution, according to an April report by Javelin Strategy & Research, a Pleasanton, Calif.-based financial services analysis and consulting firm. Nearly 20% of fraud victims in the U.S. had their PINs stolen, said Robert Vamosi, Javelin research analyst.
Sophisticated ATM skimming devices
While skimming has been a problem for the past five years, the devices have become much more sophisticated and difficult to detect, fraud experts said. With over 425,000 ATM machines in the U.S. alone, there are plenty of opportunities for criminals to try their luck at different locations and on various ATM models.
"They're fairly advanced from the standpoint that the devices that they're making or buying are of much higher quality than the past, [which makes them] so much harder to identify," said Michael Urban, senior director of fraud solutions at FICO (Fair Isaac Corp.), which provides FICO credit scoring as well as fraud detection products and services. "They use the same types of paints and finishes [as the ATM makers]." In addition, he added, many now transmit the stolen data via a Bluetooth or GSM cellular signal, so the criminal doesn't have to return to the ATM to retrieve the stored data.
Jerry Silva, principal at PG Silva Consulting, agreed: "They can replicate them right down to the exact color. … If an entire facade is replaced, it's hard for customers to tell."
A quality skimmer runs in the $5,000 to $8,000 range, SecurityCurve's Kelley said. Many now come with both card reader and keyboard overlays, so that both the card data and PIN can be captured. Alternatively, a criminal may use a hidden camera to watch customers enter their security codes. Just about any ATM is at risk, consultants said, although attackers tend to go after the most common models in whatever region they're targeting.
Banks and ATM vendors have been trying a variety of methods to stop skimming, such as putting commercials on the ATM display warning customers about skimming, adding bevels to the keyboards and card readers to make it difficult to attach skimmers, and installing sensors that can detect the addition of a device and send an alert to bank employees. There is also "jitter" technology, which physically jiggles the card as it goes into the card reader, making it difficult for a skimming device to read the strip. Some experts, however, say that jitter isn't a foolproof defense.
ATM card skimming protections
Besides anti-skimming technologies, financial institutions can take additional steps to protect their ATMs and customers from attack by skimmers:
1. Physically inspect the ATMs once a day. "Best practices include doing a physical inspection every time someone's out there filling the machine," Silva said.
That's particularly important if skimmers have already hit your ATM or a competitor's. "You need to increase inspections and have someone to go out several times a day to check ATMs, including after hours and on weekends," FICO's Urban said. "Criminals scope out each of the locations they're going to target, and if they see increased inspections, they may go on. It's a low-tech solution, but it often works."
2. Enforce standards for the appearance of ATMs. "Adopt visual standards for ATMs so all ATMs should look alike," Urban said, noting that branch managers may put something on one ATM, but not another, so they all look slightly different. "One branch decides to put a brochure holder on one, another doesn't, and you wind up with a hodgepodge [of ATM facades]. You want them as standard as possible so you can tell if [a skimmer] is put on one of them."
3. Make sure your PIN entry devices meet guidelines from the Payment Card Industry Security Standards Council, which manages the PCI Data Security Standard. The PCI SSC also has guidelines for merchants, "Skimming Prevention: Best Practices for Merchants," which include self-evaluation forms to help pinpoint vulnerabilities.
4. Look for anomalous activity in customer accounts. Fraud detection software isn't foolproof, but it can detect some behaviors associated with a fraudulent transaction, Urban said. For example, if a customer who always uses his debit or credit card locally suddenly makes a large purchase in Brazil, the software can alert the bank, which might delay the transaction until it can verify its legitimacy.
Updated customer contact information is critical for quickly verifying the legitimacy of transactions or stopping fraud. Banks that monitor account activity also need to regularly update their customer data, Urban said.
5. Network with other bank security officers. Participating in electronic security taskforces, or even casual cooperative agreements with other local banks, can help ensure that bank security managers are the first to know when a skimmer is targeting their area, Urban advised.
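The account-activity check described in step 4 can be sketched as a simple rule set. The following is an added example, not code from the article or from any vendor's product; the customer IDs, transaction history, the 5x-median threshold and the decision names are all constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed sample history: (customer_id, country, amount_usd)
HISTORY = [
    ("cust-1", "US", 40.0), ("cust-1", "US", 60.0), ("cust-1", "US", 25.0),
    ("cust-1", "US", 80.0), ("cust-2", "US", 200.0), ("cust-2", "BR", 150.0),
    ("cust-2", "BR", 300.0),
]

def build_profiles(history):
    """Summarise each customer's past activity: countries seen and median amount."""
    countries, amounts = defaultdict(set), defaultdict(list)
    for cust, country, amount in history:
        countries[cust].add(country)
        amounts[cust].append(amount)
    return {c: {"countries": countries[c], "median": median(amounts[c])}
            for c in countries}

def score(txn, profiles, amount_factor=5.0):
    """Return the reasons a transaction looks unusual (empty list = in pattern)."""
    cust, country, amount = txn
    profile = profiles.get(cust)
    if profile is None:
        return ["no_history"]  # nothing to compare against
    reasons = []
    if country not in profile["countries"]:
        reasons.append("new_country")
    if amount > amount_factor * profile["median"]:  # assumed threshold
        reasons.append("large_amount")
    return reasons

def decide(txn, profiles):
    """Hold only when location and amount are both out of pattern."""
    reasons = score(txn, profiles)
    if {"new_country", "large_amount"} <= set(reasons):
        return "hold_and_contact_customer", reasons
    if reasons:
        return "review", reasons
    return "allow", reasons

if __name__ == "__main__":
    profiles = build_profiles(HISTORY)
    for txn in [("cust-1", "BR", 900.0), ("cust-1", "US", 55.0),
                ("cust-2", "BR", 400.0), ("cust-1", "BR", 30.0)]:
        print(txn, decide(txn, profiles))
```

The "hold" outcome is only useful if the bank can reach the customer quickly, which is why the contact data mentioned in step 4 has to be current.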
Chip and PIN
The ultimate solution to the problem may be to move to a smart card technology, called chip and PIN, in which the chip, not the magnetic strip, carries the data. It is widely used in other parts of the world. Europe is moving to the Europay, MasterCard and Visa (EMV) smart card specifications, which require both a microchip and magnetic strip to complete a transaction. A cloned card that has just the strip data will be rejected when EMV becomes the European standard, which is slated to occur by the beginning of 2011. According to Visa Europe, more than 4,000 European banks and payment providers have issued or are issuing a quarter of a billion Visa EMV chip and PIN cards as well as upgrading millions of card readers.
However, the U.S. isn't following in Europe's footsteps any time soon.
"The cost [of ATM fraud] is still not large enough for U.S. banks to go through with the cost of reissuing cards and redeploying machines," Silva said. "You have to replace the card reader in every ATM, and replace every single POS device and software, as well as all of the cards, and train people. Fraud losses are not great enough to justify that yet, unlike in Europe."
About the author:
Sue Hildreth is a freelance IT writer based in Waltham, Mass. She has been covering trends and technologies in corporate IT since 1996. She can be reached at Sue.Hildreth@comcast.net.