BankInfoSecurity.com

The names haven't changed, but the sophistication of the technology has.

In nearly 30 years of payment card fraud, the types of attacks -- skimming at ATMs and point-of-sale terminals, theft of account numbers from data centers, as well as social engineering -- "have all been around since the 1980s," says Tom Wills, security and fraud senior analyst at Javelin Strategy & Research. The difference today, Wills says, is the technology being used is much more refined. And the targets are evolving, too.

There have been roughly 40 incidents of skimming or POS attacks reported so far in 2010. These incidents range from tried-and-true ATM skimming to insider crimes and the troubling new trend of pay-at-the-pump thefts impacting merchants, institutions and their customers.

In fact, more fraud schemes in general are now directed at retail businesses and financial institutions, says Linda Foley, executive director of the Identity Theft Research Center. Card compromises of every variety have increased this year, Foley says, and that even takes into account the assumption that a vast majority of incidents are never reported.

See the new Interactive Timeline of 2010 Skimming Incidents.

Growth Market

The growth of skimming at both ATM and at retail POS locations in the United States can be traced back to the introduction of the EuroPay, MasterCard, Visa and chip and PIN technologies that are taking hold in Europe. "The criminals move where it is easier to extract data," says Mike Urban, senior director of global fraud solutions at FICO. Thus, the migration to the U.S., where payment cards continue to rely on magnetic stripes, which are easier to skim.

Also, the uptick in skimming and POS terminal swaps signals to Branden Williams, director of the Security Consulting Practice at RSA, the security division of EMC, "that maybe we are making some headway on hardening the exteriors of our companies, or it could just be the sophistication of the criminal." Also he says skimming, as a criminal act, is easier to pull off than a large external hack. Another reason he sees the increase in skimming is the trend toward smaller and smaller devices. "They're easier to blend in. What used to carry bulk and duct tape is now custom-made for a particular device."

Urban agrees that the targets have gotten smaller as the larger organizations have been locking down their environments, forcing criminals to target smaller businesses as a result. The POS swap "takes a little bit of guts to do, but can be done," Urban says, pointing to Hancock Fabrics' disclosure of this type of breach hitting some of its retail stores earlier this year.

Big to Small Targets

Outside of the terminal swap, the criminals are using the same techniques they used on the big retailers. While the larger retailers have realized the dangers that are exposing card data on an unprotected payment network after TJX and Heartland breaches, "the small business owner isn't even expecting these kinds of attacks, and isn't prepared for them," Urban says.

While the notorious hacker Albert Gonzalez is behind bars for the TJX and Heartland breaches, Urban says there are hundreds, even thousands of criminals who are all aspiring to be "mini" Albert Gonzalezes. "His arrest made all of them more careful, and they are picking the smaller, less flashy targets."

The payments industry has come up with various measures such as Card Verification Values, Secure Electronic Transaction, EMV, 3D Secure (Visa's Internet Security protocol for card transactions) and the Payment Card Industry Data Security Standard, which have reduced fraud in some markets for some period of time, but not caused it to go away.

"The nature of fraud management is that you build a wall, and the bad guys build a higher ladder, then you build the wall higher, and so on forever," says Javelin's Wills. There are the occasional arrests and data breach disclosures, which might make it seem like there's a new rash of fraud. "But the truth is, the more things change, the more they stay the same," Wills says.

Types of Incidents

So far, the U.S. in 2010 has seen skimming and POS fraud incidents reported from 23 states. The types of incidents include:

ATM Skimming: This crime strikes at a financial institution's automated teller machine or even at free standing ATMs in retail locations. There are numerous ways the criminals steal the card data, the most common being the card skimmer being placed over the existing card slot.