ATM Skimming: Insights on New AttacksSeattle Arrests Highlight Crime Ring Strategies
Combined, the Seattle schemes are believed to have drained more than half a million dollars from retail customer accounts in at least six states, according to the U.S. Attorney's Office. Beneyam Asrat G-Sellassie, 22, of Seattle, Ionut Buzbuchi, 55, of Renton, Wash., and Mihai Eleckes, 35, of Issaquah, Wash., now face federal charges for their individual involvements in the skimming attacks that hit branch ATMs, as well as card-readers used to access ATM vestibules outside branch lobbies.
Part of that vulnerability can be pinned on the United States' continued reliance on magnetic-stripe technology, experts say.
"International rings are unfortunately common to U.S.-based ATM skimming," says John Buzzard of FICO's Card Alert Service. "One of the reasons we are seeing such a compression of non-U.S. citizens perpetrating these scams in the U.S. also has to do with our lack of smart-card practices in the U.S. I expect to see tremendous change when the U.S. eventually adopts smart-card practices sometime in 2015 or thereafter." [See Visa Pushes EMV in U.S..]
MasterCard this week announced it hopes to make EMV mandatory in the United States by April 2013.
But the lingering mag-stripe is only part of the problem. Outdated technology and poor detection practices also play a role. "Why don't more banks have anti-skimming devices?" asks Jerry Silva, a financial fraud and card skimming expert at PG Silva Consulting. "Banks have always been targeted by skimming fraud. .... Both problem and solution have been well documented by now."
'Where the Money Is'
Banks and credit unions also make attractive targets, says FICO's Buzzard, because they have the money. High transaction volumes coupled with easy access make them ideal for fraudsters. In fact, Buzzard referred to a similar bank-ATM-skimming incident revealed recently by authorities in Florida as "really typical." The compromise of two walk-up ATMs at Tampa Bay area bank branches, one a Bank of America branch, led to financial losses of at least $26,000. [See ATM Skimming Spree Investigated.]
ATM skimming is a hot issue, says Ben Knieff, who oversees fraud prevention strategy for NICE Actimize. "They hit FIs of all sizes and geographies, can work fast and are technically quite sophisticated," Knieff says of emerging ATM crime rings. "Branch and vestibule ATMs are being hit, and [banks] continue to train branch personnel to spot skimming devices, but it is an ongoing challenge."
Chuck Somers, vice president of ATM Security and Systems for Diebold Inc., says organized crime groups are exploiting software and hardware vulnerabilities. "We expect that industry regulations will continue to increase to ensure that the proper safeguards are put in place to reduce the loss to the industry, and focus on protecting personal identification information," Somers says.
Many ATMs, when upgraded from IBM's legacy OS/2 platform to Microsoft Windows, were enhanced with skimming-detection technology and, in some cases, anti-skimming hardware and software, such as card readers with jitter. The jitter feature aims to distort card details when cards are read by the ATM, so that if a skimming device has been attached, the copied information is useless. In recent years, however, fraudsters have gotten around the jitter. [See ATM Skimming: How Effective is Jitter?.]
Skimmers' M.O.Some of those hardware and software vulnerabilities were likely exploited in the Seattle scam allegedly perpetrated by Buzbuchi and Eleckes. The duo, which has been on law enforcement's radar since 2009, is suspected of being linked to skimming attacks in Washington, Idaho and Arizona, where they allegedly targeted ATMs at BECU, Watermark Credit Union, First Tech Credit Union and Chase.
"It would be pretty likely they were hitting the same models of ATMs," so they could reuse the same skimming equipment, Knieff says. "Similarly, if they were skimming the vestibule-entry readers - a spot users and employees may not check as carefully - it could have been that many of them had similar construction. It looks like they scaled pretty well, so it is a bit unlikely that they were making devices for too many [different] makes and models."
Targeting specific banks makes sense, since the equipment is usually the same, regardless of geographic location.
The losses attributed to the Buzbuchi and Eleckes scheme is believed to have totaled more than $160,000. They two men now face charges for conspiracy to commit bank fraud and possession of device-making equipment. Each could be sentenced to as many as 30 years in prison.
For his part, the scheme G-Sellassie allegedly orchestrated is believed to be linked to more than 20 skimming incidents in Washington, Oregon, California and Nevada that likely compromised as many as 1,800 accounts. More than 570 accountholders were hit with fraudulent ATM withdrawals and debit purchases totaling at least $394,000. G-Sellassie was busted at a Chase branch in Seattle when he tried using counterfeit cards he'd created from detailed copied at ATMs in Las Vegas.
G-Sellassie now faces up to 10 years in prison and a $250,000 fine.