Witness the recent announcement by law enforcement in New York City that a criminal gang had stolen $500,000 from hundreds of customers' bank accounts via skimming devices that read and stored account information at Sovereign Bank branches in Staten Island. The gang installed cameras onto the machines, catching victims typing in their PIN numbers. They also used the information to clone the card information, according to police.
A recent survey by security vendor Actimize shows that almost 70 percent of financial institutions experienced an increase in ATM/debit card fraud claims in 2008 compared to 2007. Twenty-three percent of respondents say those claims jumped by 5 to 9 percent, while the rest noted growth of anywhere between 10 and 74 percent. These numbers are only expected to grow in 2009, as a result of the recession.
Half of the institutions surveyed say they were hit with fraud complaints that came out of some of the major data breaches, with more than 30 percent saying they had seen fraud incidents as a result of the TJX hack, and 30 percent cited the Heartland hack.
Approximately 80 percent of the survey respondents say the big data breaches can decrease consumer confidence in ATM/debit card use. About 15 percent say they have reissued cards to more than 20 percent of their cardholder customers. In 2008, the financial institutions surveyed lost an average of $744,321 -- with some as high as $12 million -- to ATM fraud alone, and an average of $145,560, or as high as $1 million, to data breaches.
ATM Fraud Trends
The reason that criminals target ATMs is simple. "Criminals like cards and PINs. It is much easier to cash them out, rather than to hire a mule or repackager with stolen credit cards," says fraud expert Mike Urban, Senior Director of Fraud Solutions at Fair Isaac. If the magnetic stripe data and pin is available, it is easy money for the criminal to get the cash out of the ATM. "There is no fence, no making an authentic card to use at a retailer," he says. While this crime is much harder to perpetrate, criminals prefer this over other types of credit card fraud, such as signature-based fraud.
Here are the top ATM/debit card fraud trends:
#1. Skimming -- The upswing in skimming at institutions has caught fraud experts' attention. "A higher percentage of criminals are going straight to a bank and installing a PIN pad overlay and card reader," Urban says. "This is where the transaction goes through, and the customer doesn't realize that their ATM card or debit card has been compromised. I've seen a steady increase over the last couple years on this type of fraud."
#2. Ghost ATMs -- There are also the "Ghost ATMs," where the entire ATM card reader is blocked off and customers can't perform a transaction. "The customer swipes their card, enters their PIN, and then the fake ATM says it can't complete the transaction," Urban explains. There were several of these types of ghost ATMs that popped up on the east coast back four years ago. One arrest was made in those cases, he notes.
#3. Ram Raids -- Criminals continue to target ATMs in various ways, with "ram" raids happening more often in the US. Ram raids are perpetrated when criminals physically break out ATMs from the wall at the institution. In Texas, the number of ram raids has spurred institutions to partner with law enforcement, and a task force has been formed to fight the raiders. "The opportunity that some non-hardened criminals see is an exterior ATM that can be pulled out, loaded with thousands of dollars," Urban says. "So in terms of crimes of opportunity, people feeling desperate will attempt this crime."
#4. PIN ID's -- One of the other trends Urban sees happening is where criminals are testing systems to identify PINs. One particular technique is where the criminal captures the magnetic stripe data from a retailer. They then go to an online bank site with a script written on several well known PINs, and run it against the site until they get a match.
#5. Automated PIN Changes -- Another trend Urban sees is criminals go through the financial institution's telephone banking service to change PIN numbers. "They will use the ANI to change the information on the phone they're calling out from to appear like they are calling from the consumer's phone," Urban notes. If they can find the basic information on the card holder, name, card account number, last four digits of the social security number, then they're trying to take that info and go to the call center and change the PIN number over the phone. "Thus, while more time-consuming, the overhead cost is cut to near nothing other than their own work to deceive the bank call center," Urban says. Then with the changed PIN, the criminals drain the account. "The easier it is for the consumer to change their account, those are the financial institutions that will be targeted," Urban says.
#6. SMS attacks -- "Smishing" is the attack that comes through the Short Message Service (SMS) or text venue, onto a smart phone or a cell phone. Urban has personally seen three examples come through in the last month from institutions that he has no affiliation with, asking him for his account number and pin. Where the criminals are able to get the information from the customer, they then turn and clone the ATM or debit card and use it to withdraw cash.
The bank or credit union, if it is not checking for the CVV value, or the full name or expiration date, and just accepts the card transaction, will be hit with counterfeit cards made from data taken in this type of attack. These "smishing" attacks hit several midwest institutions in 2008.
#7. Malware -- Security researchers say they have found malware code that lets a criminal take control over ATMs. SpiderLabs, the forensics and research arm of TrustWave, found a Trojan family of malware that infected 20 ATMs in Eastern Europe. The researchers warn that the malware may be headed toward US banks and credit unions, as well as other parts of the world. The malware lets criminals take over the ATM to steal data, PINs and cash.
That report from SpiderLabs isn't the only malware found. Sophos researchers in March say they found a Trojan specifically designed to steal information from Diebold ATM users that had infected several ATMs in Russia. SpiderLabs researchers explain the Trojan collects magnetic stripe data and PINs from the Windows XP-based ATM's transaction application's private memory space. Researchers found it came with its own management function that allows the attacker take over the ATM with a custom interface that may controlled by the attacker when they insert a controller card into the ATM card reader. Both research arms say that they expect the Trojans they discovers to evolve and spread, infecting more ATMs. Trustwave recommends that all financial institutions with ATMs perform analysis to identify if this malware or similar malware is present.