After an uptick in skimming incidents already in 2010, security experts say that we will see even more skimming in the United States in the months ahead, particularly against ATMs. Lingering magnetic-stripe technology, rather than EMV chip standard used in Europe and elsewhere, is to blame, experts say.
While the average ATM skimming attack spans a timeframe of between one and two hours, losses per incident average $30,000, according to ADT Security Solutions, which provides anti-skimming solutions for the financial industry. ADT also estimates that ATM skimming attacks cost financial institutions and their customers 10 times more than losses suffered during robberies. According to ACI Worldwide's Card Fraud Guide, overall card fraud continues to escalate. ACI's report shows U.S. credit and debit card losses continue to increase. In 2004, credit card losses accounted for $1.8 billion and rose to $2.04 billion in 2007. Debit card losses accounted for $810 million in 2004 and rose to $1.05 billion in 2007.
Tom Wills, a fraud analyst at Javelin Strategy & Research, says criminals responsible for the skimming at ATMs and POS devices have been caught this year, but their arrests are no deterrent. "2010 has been a good year for law enforcement," he says. "But as long as there are vulnerable devices out there, the bad guys will continue to target and attack them."
Skimming TrendsThis trend will be ongoing, as it is a reflection of a migration of fraud from Europe, where most countries have converted or are in the process of converting to the EMV chip standard, says Mike Lee, CEO of the ATM Industry Association. EMV chip technology, oftentimes referred to as smart-card technology, relies on an embedded mirco-chip for the storage of data on a card, rather than storing that data on a magnetic-stripe, which has proven to be vulnerable to skimming. The move to EMV in other parts of the world has thwarted skimming. In the U.S., where mag-stripe cards remain the norm, skimming is expected to rise, as criminals increasingly target U.S. cardholders.
"In Europe, meanwhile, more elementary attacks, such as card trapping, are happening," Lee says. Card trapping relies on social engineering and on a card-trapping device that is placed within the ATM's card reader - a device that literally traps the card. Fraudsters place these trapping devices on the ATMs and then wait for unsuspecting ATM users to approach the ATM. Once a user puts his card in and it does not come back out, the fraudster, posing as a helpful stranger, suggests the user re-enter his PIN. Commonly known as shoulder-surfing, when the PIN is re-entered, the fraudster views the PIN. When the card does not come out, the user walks away or goes into the branch to notify a teller. That's all the time a fraudster needs to retrieve the card. With the collection of the PIN and the card, the fraudster has all the information he needs to compromise the cardholder's account.
Incidents involving Eastern Europeans placing skimming devices on branch ATMs in cities across the U.S. and Canada made headlines over the summer, says Robert Siciliano, security consultant with ADT.com. "ATM skimming has become a staple of Eastern European criminal gangs , who recognize the U.S is one of the last holdouts on chip and PIN," he says.
Almost every manufacturer and distributor of skimming devices can be traced to the Eastern Europe or the Middle East. Siciliano's concern: As criminals from former Eastern Bloc countries develop more wireless skimming devices that incorporate text and mobile technologies, "the thieves' ability to immediately turn the data into cash increases, while their chances of getting caught significantly decrease."
Magnetic Stripe: Target for CriminalsJavelin's Wills says card skimming exploits a vulnerability that's inherent in mag-stripe technology - basically, because the mag-stripe is easy to copy. As long as the mag-stripe remains the dominant card technology in the U.S., the problem will continue, he says.
Retail skimming at POS terminals has been traced to 14 U.S. locations since the beginning of the year. In other parts of the world, such as Australia, POS swaps have been a problem, Siciliano says. Fraudsters go into a retail location and trade or swap an existing POS device with one that has been manipulated to skim card data. "Criminals down under perfected their social engineering skills required to replace the terminals and then swap them out again," he says. "Once they exhausted their Australian resources and put every merchant on high alert, they set their sights on the U.S. We are now a huge target. Australia, in turn, is going chip and PIN, too."
End-to-end encryption of card data during transmission of the transaction - from the POS to the server -- is becoming a standard practice to help curb card fraud, Siciliano says. But it's not enough. "Unfortunately, plastic (mag-stripe) cards as we know them will be vulnerable from now into the future," he says.
Tokenization is another option that could help retailers foil skimming attacks . But tokenization is a relatively new technology -- one that has not been standardized and is oftentimes mistaken for encryption.
ATMIA recommends a lifecycle security approach, which includes physical systems and software security. "In addition, we know for sure that customer education, especially teaching customers to protect their PINs, plays a massive role in crime prevention," he says.
Skimming is the world's No. 1 card-fraud problem, Lee says. "We need to lobby authorities to impose stronger sentences for convictions arising from skimming, including possession of illegal skimmers," he says. "EMV compliance and customer PIN protection are key."
Javelin's Wills says financial institutions and retailers need to initiate long-term approaches to solving the skimming problem. "They'll need to cooperate and invest in security infrastructure to make that happen," Wills says. "Otherwise, we're just going to be stuck with the same old problem for many years to come."