ATM Fraud: Skimming is #1 Threat

Security Experts Say Mag-Stripe Technology is to Blame

By Linda McGlasson, November 1, 2010.
ATM Fraud: Skimming is #1 Threat


See Also: CISO Agenda 2015: Adding Value to a Security Program with Application Security

ill 2011 be "The Year of the Skimmer?"

After an uptick in skimming incidents already in 2010, security experts say that we will see even more skimming in the United States in the months ahead, particularly against ATMs. Lingering magnetic-stripe technology, rather than EMV chip standard used in Europe and elsewhere, is to blame, experts say.

While the average ATM skimming attack spans a timeframe of between one and two hours, losses per incident average $30,000, according to ADT Security Solutions, which provides anti-skimming solutions for the financial industry. ADT also estimates that ATM skimming attacks cost financial institutions and their customers 10 times more than losses suffered during robberies. According to ACI Worldwide's Card Fraud Guide, overall card fraud continues to escalate. ACI's report shows U.S. credit and debit card losses continue to increase. In 2004, credit card losses accounted for $1.8 billion and rose to $2.04 billion in 2007. Debit card losses accounted for $810 million in 2004 and rose to $1.05 billion in 2007.

Tom Wills, a fraud analyst at Javelin Strategy & Research, says criminals responsible for the skimming at ATMs and POS devices have been caught this year, but their arrests are no deterrent. "2010 has been a good year for law enforcement," he says. "But as long as there are vulnerable devices out there, the bad guys will continue to target and attack them."

Skimming Trends

This trend will be ongoing, as it is a reflection of a migration of fraud from Europe, where most countries have converted or are in the process of converting to the EMV chip standard, says Mike Lee, CEO of the ATM Industry Association. EMV chip technology, oftentimes referred to as smart-card technology, relies on an embedded mirco-chip for the storage of data on a card, rather than storing that data on a magnetic-stripe, which has proven to be vulnerable to skimming. The move to EMV in other parts of the world has thwarted skimming. In the U.S., where mag-stripe cards remain the norm, skimming is expected to rise, as criminals increasingly target U.S. cardholders.

"In Europe, meanwhile, more elementary attacks, such as card trapping, are happening," Lee says. Card trapping relies on social engineering and on a card-trapping device that is placed within the ATM's card reader - a device that literally traps the card. Fraudsters place these trapping devices on the ATMs and then wait for unsuspecting ATM users to approach the ATM. Once a user puts his card in and it does not come back out, the fraudster, posing as a helpful stranger, suggests the user re-enter his PIN. Commonly known as shoulder-surfing, when the PIN is re-entered, the fraudster views the PIN. When the card does not come out, the user walks away or goes into the branch to notify a teller. That's all the time a fraudster needs to retrieve the card. With the collection of the PIN and the card, the fraudster has all the information he needs to compromise the cardholder's account.

Incidents involving Eastern Europeans placing skimming devices on branch ATMs in cities across the U.S. and Canada made headlines over the summer, says Robert Siciliano, security consultant with "ATM skimming has become a staple of Eastern European criminal gangs , who recognize the U.S is one of the last holdouts on chip and PIN," he says.

Almost every manufacturer and distributor of skimming devices can be traced to the Eastern Europe or the Middle East. Siciliano's concern: As criminals from former Eastern Bloc countries develop more wireless skimming devices that incorporate text and mobile technologies, "the thieves' ability to immediately turn the data into cash increases, while their chances of getting caught significantly decrease."

Magnetic Stripe: Target for Criminals

Javelin's Wills says card skimming exploits a vulnerability that's inherent in mag-stripe technology - basically, because the mag-stripe is easy to copy. As long as the mag-stripe remains the dominant card technology in the U.S., the problem will continue, he says.
  • Print
  • Tweet Like LinkedIn share
Get permission to license our content for reuse in a myriad of ways.
ARTICLE Anti-Hacker Executive Order: 5 Concerns

Declaring a national emergency over hack attacks, President Obama signed an executive order...

Latest Tweets and Mentions

ARTICLE Anti-Hacker Executive Order: 5 Concerns

Declaring a national emergency over hack attacks, President Obama signed an executive order...

The ISMG Network