ATM Skimming: How Effective is Jitter?Critics: Fraudsters Already Know How to Bypass This Security Solution
ATM skimming - it is the fastest-growing electronic-fraud risk, according to the U.S. Secret Service, accounting for more than $1 billion in annual losses. And some industry experts estimate skimming-related losses to be as much as three times higher.
See Also: Rethinking Endpoint Security
Chuck Somers, vice president of ATM security and systems for Canton, Ohio-based Diebold Inc., a major ATM manufacturer, says, "The security threat posed by skimming is continually evolving."
While the average skimming attack spans a timeframe of between one and two hours, losses per incident average $30,000, according to ADT Security Solutions, which provides anti-skimming solutions for the financial industry. ADT also estimates ATM skimming attacks cost financial institutions and their customers 10 times more than losses suffered during robberies.
Among the initiatives deployed to combat ATM skimming is jitter technology, which uses a stop-start, or jitter motion, when a card is inserted in the ATM. In theory, the irregular motion distorts the magnetic stripe details on the card, so if a skimming device has been placed on an ATM, the jitter feature makes the copied information unusable.
But some industry experts say that jitter technology is outdated and only partially effective - and that banking institutions need to be exploring new security solutions.
"You're in trouble if jitter is all you're relying on," says Avivah Litan, a security analyst at Gartner.
The Jitter DebateIntroduced more than seven years ago to the U.S. market by manufacturers such as NCR Corp., Diebold, Fujitsu and Wincor Nixdorf AG, jitter remains the leading technology relied upon by most financial institutions to prevent skimming. It's a standard feature on the majority of bank-owned ATMs, and it's much less expensive than other solutions.
Doug Johnson, vice president of risk policy management for the American Bankers Association, says jitter remains a reliable technology -- one that does prevent most attacks, since "many skimming devices depend on a nice, smooth card reader."
Jerry Silva, founder of Boston-based PG Silva Consulting, a financial-services advisory firm, agrees that jitter is effective against typical skimming devices, which depend on that smooth read of the card. "Skimming devices really need that really smooth travel of the card," he says. "So from that perspective, it is pretty effective."
But fraudsters have gotten around jitter, other experts say.
Carl Schriber, the vice president of ATM security provider Absolute Financial Services Inc., says jitter technology is outdated.
"I am surprised that anyone today is offering jitter as a solution," Schriber says. "Most skimmers on the market today have already taken care of that (jitter) issue and defeated it."
According to Schriber, jitter works on ATMs with motorized card readers -- ones in which the user inserts the card and then allows the reader to pull the card in, read the mag-stripe data and then push the card out. The technology is not effective on machines with dip readers, in which the user manually inserts and withdraws the card. "[Jitter] is easily defeated and has been," Schriber says.
As Gartner's Litan points out, even if jitter were unbreakable, it's a siloed solution - one that only addresses the ATM link in the payments chain. That kind of siloed approach to fraud prevention is no longer effective.
"Right now, a lot of financial institutions are only relying on jitter," Litan says. "Some of the bigger banks -- the big five, I'd say -- are just now working toward incorporating fraud detection at the ATM. It's kind of shocking that they did not have better fraud detection before now, but then again, up until recently, ATM fraud was manageable."
ATM skimming attacks over the last six months in the United States have exploded, and Litan says the trend will continue. The continued use of the mag-stripe makes U.S. cards vulnerable, and fraudsters have worked around measures to prevent mag-stripe skimming.
Multilayered Approach Needed
U.S.-based institutions contacted for this article declined to comment, deferring instead to Johnson and the ABA.
But Mark Prestwood, senior ATM channel manager for ANZ New Zealand, a New Zealand bank with (NZ) $123.5 billion in assets, says jitter can be effective as part of a multilayered security strategy.
"It's a very useful feature, but should not be relied upon in isolation," Prestwood says. "If 100 cards are used in an ATM during the time a skimming device is in place, the jitter may make it impossible to decipher the card data on 80 of those," for instance.
ANZ, as an extra measure of protection, has installed PIN shields on its ATMs to protect the PIN from capture. "Putting measures in place to protect both the card data and the PIN gives the best chance of stopping the fraud," Prestwood says.
Other techniques institutions might deploy in addition to jitter include:
- Radio-frequency jamming, which uses an electromagnetic field to detect foreign objects placed or mounted on an ATM's fascia;
- Camera surveillance, which can recognize when a foreign object is placed on an ATM;
- Devices that sense vibration, such as when an ATM is drilled to attach a skimmer.
Outside the U.S., chip-and-PIN-based cards, such as those mandated by EMVCo.'s Europay, MasterCard, Visa EMV standard, have proven effective. But the mag-stripe offers fraudsters a loophole. An EMV-compliant card issued in the United Kingdom, for instance, cannot be compromised in the U.K., because only chips are typically read. But, when U.S. travelers use their mag-stripe cards in the U.K., the cards can be skimmed. And U.K. cards can be compromised in the U.S., because only the mag-stripes are read.
"There is no single 'silver bullet' to overcome the increasingly serious skimming threat, in which criminals continually work to defeat vendors' evolving anti-skimming technologies," says Diebold's Somers. "That's why we recommend a multilayered approach to ATM security."
In addition to technology, communication is also key, says the ABA's Johnson.
"Communication across banks as to skimming activity can be very effective in limiting skimming losses," Johnson says. "Such communication allows the banks that were not skimmed to know which of their customers might be vulnerable because they used the compromised ATM during the time the device was in place."
Johnson says security vendors are releasing new features that go beyond jitter -- but jitter still plays a significant role.
ANZ's Prestwood agrees, saying that if the world ultimately moves to a non-mag-stripe standard such as EMV, then jitter will be obsolete. "But until then," he says, "it remains one of the most cost-effective measures that ATM deployers can implement."