Alert: ATM Skimming Up in U.S.

Detection Requires Better Technology, Training

A new security alert from ATM manufacturer NCR Corp. warns that ATM skimming attacks in the U.S. are on an upswing. The trend likely is being fueled by the migration away from magnetic-stripe technology toward EMV chip technology.

ATMs of all makes and models have seen increases in skimming attacks in recent months, according to the alert, which NCR issued July 23. Other ATM manufacturers, including Diebold Inc. and Wincor-Nixdorf AG, did not respond to Information Security Media Group's request for comment.

As U.S. banks and credit unions phase out magnetic-stripe cards and replace them with chip cards, and U.S. merchants upgrade their point-of-sale terminals to accept chip transactions, fraudsters are going to work overtime to ensure they can capture as much card data as possible from mag-stripes to perpetrate counterfeit card fraud. ATMs will increasingly be targeted, experts predict, because the vast majority of ATMs in the U.S. won't even begin their migrations toward EMV for another two to three years.

To help ensure their ATMs are not compromised by skimming devices, security experts advise banking institutions to keep their anti-skimming services and technologies up to date; invest in skimming-detection software and services that alert them when an ATM has been tampered with; and make training employees on how to readily detect skimming devices on ATMs a priority.

NCR's Alert

NCR says it issued the alert about upticks in ATM skimming attacks after receiving numerous reports from banking institutions about ATM compromises.

"As a result of our investigations with law enforcement, we have seen that [skimming] devices that have been used in the U.S. have been bezel-mounted card skimming devices," the alert states. "This false-overlay bezel is attached on top of the legitimate card-reader bezel."

Many of the recent skimming attacks also have involved the installation of small cameras near the ATM's PIN pad to capture PINs as they are entered for cash withdrawals, the alert notes.

NCR says the attacks law enforcement identified in the U.S. had compromised older versions of third-party anti-skimming devices, not devices issued by the original equipment manufacturer.

"Skimming has been the No. 1 form of attack on ATMs for many years," says Owen Wild, NCR's global director of security solutions. "Even though we have seen some regional variations, we have, and continue to view it, as the most relevant form of attack or potential attack. What now stands out, however, is that we have seen much more interest in anti-skimming solutions from customers as a result of the increase."

Owen says tracking exact figures for incidents of ATM skimming is difficult; most manufacturers base trends on information they receive from bank and credit union customers.

But according to FICO's Card Alert Service, skimming at U.S. banking institution ATMs increased 173 percent in the first quarter of this year, compared with the same period a year ago. Skimming attacks waged against U.S. ATMs at off-premises locations, such as convenience stores and hotels, also increased, up 317 percent for the same period, FICO notes.

By comparison, FICO found that skimming attacks waged against point-of-sale terminals in the U.S. dropped by 81.3 percent from Q1 2014 to Q1 2015.

ATMs: Easy Targets

ATMs, because they are unattended, self-service devices, can be easy targets. Fraudsters can, with relative ease, attach skimming devices to the fascia of ATMs without anyone noticing.

Many banking institutions have invested in security technology that alerts them when the fascia of one of their ATMs has been manipulated or disturbed. But experts say they also need to make sure ATMs are regularly inspected.

One fraud executive with a leading regional banking institution in the Midwest, who asked not to be named, tells ISMG the uptick in ATM skimming attacks appears to be impacting some regions of the country more than others.

"Our ATMs [which are all Diebold] are equipped with anti-skimming devices," the executive says. "They are supposed to alert us if something is placed over the card reader. So far, we have not had an issue, but I am sure it is coming. We also ask our banking center staff to check our ATMs regularly."

NCR's Wild notes that the ATM manufacturer recommends the deployment of current anti-skimming solutions. "But further protection recommended includes protective PIN shields [which prevent pinhole-sized cameras from capturing PINs as they are entered on the keypad]. Practice recommendations also include advising banks to train service personnel and staff to regularly inspect for skimmers."

Why the U.S. Increase?

U.S. card issuers are quickly ramping up their EMV rollout efforts. The fraud liability shift date for EMV - the date when fraud that results from a mag-stripe transaction will be shifted to the issuer or merchant that is not compliant - is October 2015. But Visa's liability shift date for ATMs and pay-at-the-pump fuel dispensers is not until October 2017. For MasterCard, the shift date for ATMs and self-service petrol pumps is October 2016.

That means skimming mag-stripe transactions at ATMs and self-service fuel dispensers is likely to continue increasing for at least the next two years. And controlling that risk will be challenging.

While some European markets have blocked all mag-stripe transactions to control counterfeit card fraud, blocking mag-stripe transactions will never be a viable solution for the U.S., he explains.

"I attribute the increase in skimming attacks in the U.S. to several factors," Wild says. "First, there is a larger deployment of anti-skimming devices in certain regions. Second, some countries have been more proactive in deploying other measures that make using cards outside of the host country [such as blocking mag-stripe transactions] more difficult. And third, the redemption of stolen card information is much easier in non-EMV countries, such as the U.S."

Until all POS devices, ATMs and pay-at-the-pump fuel dispensers have been upgraded to accept EMV chip cards, all U.S. chip cards must maintain mag-stripes.

About the Author

Tracy Kitten

Executive Editor, BankInfoSecurity & CUInfoSecurity

A veteran journalist with more than 18 years' experience, Kitten has covered the financial sector for the last 11 years. Before joining Information Security Media Group in 2010, where she now serves as the Executive Editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by, ABC News, and MSN Money.