At the ATM, card skimming remains the No. 1 fraud threat. But as distinguished Gartner analyst Avivah Litan points out, skimming at point of sale devices is becoming increasingly troublesome. "POS fraud is rising, and it's likely because of skimming," Litan says.
Top ThreatsToday's two most common skimming attacks occur at the POS, either by employees who use hand-held skimmers or fraudsters who swap legitimate POS devices for devices that have been manipulated to skim and transmit card data. That so-called swap attack is what led to the card compromise at Hancock Fabrics, reported earlier in 2010.
Pay-at-the-pump terminals and ATMs also rank high in the skimming chain because they are unattended. As Litan says, "They are usually a fraudsters' easiest target." Pay-at-the-pump has proven vulnerable because of easy accessibility. Default codes used to open gas pump enclosures have been exploited by criminals posing as technicians, for instance. Once inside, the criminal can install a skimming device and connect it directly to the terminal's key pad and card reader. It's undetectable from the outside, giving the device ample opportunity to collect card data in real-time, as the card is swiped and PIN entered.
Skimming at ATMs has not changed much over the last decade. Most ATMs are compromised when skimming devices are placed over their external card readers. But technology advancements at the ATM have made strides to curb those skimming attacks. Still, while the ATM might is not necessarily the primary point of compromise, it is the channel used most often by fraudsters for fraud redemption -- cash withdrawals.
Higher-Tech SchemesOne thing that is changing about skimming, regardless of where it's perpetrated, is its increased sophistication and use of advanced technology. Across the board, fraudsters rely more on wireless communications to transmit skimmed card data. Bluetooth or cellular technology is the preferred wireless mode of communication, says Jeremy King, European regional director for the Payment Card Industry Security Standards Council.
"Organized crime is getting more involved, and this is something we are watching closely," King says. "Improving awareness is important, and the PCI PED standard is addressing some of the global card skimming trends we are seeing. In 2008, we added unattended terminals to the standard to address those trends."
But the sophistication of organized crime goes deeper than technology, Gartner's Litan says. The emergence of so-called "flash attacks," which rely on coordinated, often international, efforts to simultaneously withdraw funds from multiple ATMs, is posing increased challenges for banks the world over.
Flash attacks, Litan says, "fly under the radar, because they involve several small withdrawal amounts that occur at the same time." Institutions, already forced to cut budgetary spending for fraud detection, are fighting an uphill battle. "Banks can stop it if they can figure out the point of compromise, but many have a hard time doing that with current fraud-detection solutions," she says.
A Need for Cardholder AuthenticationStronger cardholder authentication through contactless radio-frequency identification payments or contact chip technology such as EMV could solve the authentication dilemma. Even one-time pass codes embedded into plastic payments cards would be an improvement, Litan says.
Second-factor transaction authentication will be a focus for all financial institutions in 2011, if it's not already, says Chuck Somers, vice president of ATM security and systems for Diebold Inc., the world's second-largest ATM manufacturer. "Anything beyond better authentication would involve changing the whole infrastructure," Somers says. "The industry is trying to look forward to say, 'If I add this solution to my arsenal, what is the likely attack that the criminals will come back with?' They always come back with something; we just want to have as many steps in place to combat that comeback as we can."
From a skimming perspective, authentication will become more critical in 2011, as targets and modes of attack change, Somers says. "I would expect more internal skimming, more malware, and PCI becoming more active to make sure appropriate levels of software are running on machines like pay-at-the-pump, which have proven vulnerable to those attacks."
Biometrics, a second-factor authentication layer deployed in countries such as Japan and Brazil, is not likely to be an authentication mode the U.S. pursues, Somers says. "Whether it's a biometric on its own or a biometric that's part of a two-factor authentication, in a closed system, where that user is registered and they don't use their cards outside that country, we've seen some very effective biometrics solutions," he says. "But it's only effective in those closed systems. The other effective authentication solution is chip, such as EMV."
Mobile as a second layer of authentication is a more likely option for the U.S., Somers says. "We've done some experimentation with mobile and one-time passwords that are sent via text to the mobile phone. Those are the kinds of things we could see more of," he says.
Improved analytical software will be a necessity to fill the security gap until the U.S. makes a decision on EMV or some other form of payment technology that does not rely on the magnetic stripe. "Even if we decide to move to EMV for authentication, it will take three to five years to make the change," Litan says. "We need software-based authentication now, and there does seem to be more discussion about it than ever before."
The problem, Litan says, is that U.S. payments space lacks a push for uniformity. "We're not low on technology solutions," she says. "We're low on agreements and mandates to move toward making stronger cardholder authentication part of the experience."
Card Fraud's Global ImpactThat lack of payments uniformity is having a global impact, says Lachlan Gunn, who heads up the European ATM Security Team Ltd., also known as EAST. The lingering mag-stripe in the U.S. is making cardholders in EMV-compliant countries vulnerable, he says. To support a global payments infrastructure, EMV-compliant countries have continued to issue cards that contain both the EMV chip and the mag stripe. With the lingering mag stripe, EMV cardholder data can still be skimmed. So fraudsters copy card data in Europe and then create fake mag stripe cards for use in the U.S.
"As of 2010, 95 percent of ATMs in Europe are now EMV compliant, and for a long time we had seen skimming incidents going down," Gunn says. "But now we see incidents going back up. The bad guys know that chip and PIN/EMV is making skimming more difficult, so they go to where they can use the mag stripe. For your side of the pond, that should be disturbing."
Of the EURO 150 million card-related fraud losses reported in Europe over the last year, EURO 119 million resulted from fraudulent transactions made in the U.S. "That's an opening gap," Gunn says.
Some European countries, such as Belgium, are taking stands to stop accepting mag stripe cards altogether, Gunn says. In January, Belgium will no longer accept mag stripe-based card transactions. "If a Belgium card is skimmed, then it's useless outside the Single Euro Payments Area," he says.
That move could either push the U.S. to EMV or seriously kink the global payments infrastructure. "The debate in Europe now is, 'Do we allow mag stripe transactions to continue at all?'" Gunn says. "As a control, we are increasingly seeing chip-only cards appearing in Europe, and long term, chip-only cards could become more and more prevalent."
Belgium's initiative, Gunn says, could spur a domino effect among other SEPA countries. "If it works for Belgium, hypothetically, other countries will follow," he says. "2011 will be a year that the increasing impact of chip and PIN is seen more globally, and it could be a year when people in the U.S. plan to change."