ATM Skimming: How Effective is Jitter?

Critics: Fraudsters Already Know How to Bypass This Security Solution

By , June 21, 2010.
ATM Skimming: How Effective is Jitter?

ATM skimming - it is the fastest-growing electronic-fraud risk, according to the U.S. Secret Service, accounting for more than $1 billion in annual losses. And some industry experts estimate skimming-related losses to be as much as three times higher.

See Also: Identity, Security and Risk Requirements for a New IAM Architecture

Chuck Somers, vice president of ATM security and systems for Canton, Ohio-based Diebold Inc., a major ATM manufacturer, says, "The security threat posed by skimming is continually evolving."

While the average skimming attack spans a timeframe of between one and two hours, losses per incident average $30,000, according to ADT Security Solutions, which provides anti-skimming solutions for the financial industry. ADT also estimates ATM skimming attacks cost financial institutions and their customers 10 times more than losses suffered during robberies.

Among the initiatives deployed to combat ATM skimming is jitter technology, which uses a stop-start, or jitter motion, when a card is inserted in the ATM. In theory, the irregular motion distorts the magnetic stripe details on the card, so if a skimming device has been placed on an ATM, the jitter feature makes the copied information unusable.

But some industry experts say that jitter technology is outdated and only partially effective - and that banking institutions need to be exploring new security solutions.

"You're in trouble if jitter is all you're relying on," says Avivah Litan, a security analyst at Gartner.

The Jitter Debate

Introduced more than seven years ago to the U.S. market by manufacturers such as NCR Corp., Diebold, Fujitsu and Wincor Nixdorf AG, jitter remains the leading technology relied upon by most financial institutions to prevent skimming. It's a standard feature on the majority of bank-owned ATMs, and it's much less expensive than other solutions.

Doug Johnson, vice president of risk policy management for the American Bankers Association, says jitter remains a reliable technology -- one that does prevent most attacks, since "many skimming devices depend on a nice, smooth card reader."

Jerry Silva, founder of Boston-based PG Silva Consulting, a financial-services advisory firm, agrees that jitter is effective against typical skimming devices, which depend on that smooth read of the card. "Skimming devices really need that really smooth travel of the card," he says. "So from that perspective, it is pretty effective."

But fraudsters have gotten around jitter, other experts say.

Carl Schriber, the vice president of ATM security provider Absolute Financial Services Inc., says jitter technology is outdated.

"I am surprised that anyone today is offering jitter as a solution," Schriber says. "Most skimmers on the market today have already taken care of that (jitter) issue and defeated it."

According to Schriber, jitter works on ATMs with motorized card readers -- ones in which the user inserts the card and then allows the reader to pull the card in, read the mag-stripe data and then push the card out. The technology is not effective on machines with dip readers, in which the user manually inserts and withdraws the card. "[Jitter] is easily defeated and has been," Schriber says.

As Gartner's Litan points out, even if jitter were unbreakable, it's a siloed solution - one that only addresses the ATM link in the payments chain. That kind of siloed approach to fraud prevention is no longer effective.

"Right now, a lot of financial institutions are only relying on jitter," Litan says. "Some of the bigger banks -- the big five, I'd say -- are just now working toward incorporating fraud detection at the ATM. It's kind of shocking that they did not have better fraud detection before now, but then again, up until recently, ATM fraud was manageable."

ATM skimming attacks over the last six months in the United States have exploded, and Litan says the trend will continue. The continued use of the mag-stripe makes U.S. cards vulnerable, and fraudsters have worked around measures to prevent mag-stripe skimming.

Multilayered Approach Needed

U.S.-based institutions contacted for this article declined to comment, deferring instead to Johnson and the ABA.

But Mark Prestwood, senior ATM channel manager for ANZ New Zealand, a New Zealand bank with (NZ) $123.5 billion in assets, says jitter can be effective as part of a multilayered security strategy.

Follow Tracy Kitten on Twitter: @FraudBlogger

  • Print
  • Tweet Like LinkedIn share
Get permission to license our content for reuse in a myriad of ways.
ARTICLE 3 States to Probe Premera Breach

Three state insurance commissioners are launching a joint investigation into the cyber-attack...

Latest Tweets and Mentions

ARTICLE 3 States to Probe Premera Breach

Three state insurance commissioners are launching a joint investigation into the cyber-attack...

The ISMG Network