Lax security makes non-banking sites prime targets for skimming attacks, like the ones that hit eight hospitals in Toronto.
See Also: Rethinking Endpoint Security
Earlier this week, Toronto police announced that eight area hospitals had been recent targets for ATM skimming attacks. Over the past six months, authorities believe fraudsters targeted these hospitals because of traffic and the high-volume cash dispensers in these locations. But security experts say the ATMs were more likely hit because they're easy targets.
"ATM placement in establishments like hospitals and 'cash only' enterprises seems to be an afterthought to security, with the installation of ATMs in really remote areas of the building, where fraudsters can easily tinker with skimming-device placement and retrieval without the threat of immediate capture," says John Buzzard, who monitors card fraud for FICO's Card Alert Service.
Beyond placing ATMs in remote locations, hospital staffers are not typically trained in what to look for when it comes to ATM tampering. So skimming devices could go undetected for months, depending on how often their cash is replenished by a cash carrier.
In the Toronto incidents, the devices were found by armored drivers when they opened the ATMs for cash replenishment.
"The hospital ATMs were hit with the same fraud as many American banks have experienced at their own ATMs," says Aite fraud analyst Shirley Inscoe. "In today's world, they (the devices) match the color of the ATM surround and everything, making them look like they are just part of the ATM."
Now detectives hope surveillance footage will help them identify the fraudsters.
"Clearly, when people are going to a hospital, they have other things to worry about other than their financial security," said Det. Ian Nichol during the press conference. "It's definitely a lowly thing to do."
Similar incidents have cropped up over the years at other commercial establishments, such as office complexes.
"It's the newest form of bank robbery, I suppose, since the bank must reimburse all the affected customers," Inscoe says.
But hospitals pose unique challenges, because facility access, at least where ATMs are located, is not limited or screened for clearance, as it would be in a business setting.
"When we see a series of similar attacks, it is often because the attacker recognized a vulnerability and worked that vulnerability until it was exhausted," says Robert Siciliano, a McAfee consultant and ID theft expert.
Siciliano also suggests the same ATM model may have been installed at all eight hospitals. The ability to use the same skimming device on all the ATMs, coupled with the hospitals' lax security, made these locations targets too good to pass up.
Skimming, Despite Chip and PIN?
Though Canada has made its migration from the mag-stripe to the Europay, MasterCard, Visa chip and PIN standard, card details used at the ATMs in Toronto were still skimmed and copied.
Since all chip and PIN cards have maintained their mag stripes, and many card readers on ATMs and POS terminals - even in EMV-compliant countries - continue to read mag stripe details, EMV cards remain susceptible to skimming. This vulnerability is one reason several countries in Europe, which also have undergone EMV migrations, are blocking mag stripe reads on cards used within their borders. (See ATM Cash Trapping on the Rise.)
Buzzard says the real concern is cross-border fraud. "The skimmed cards would have a high risk factor if the thieves perpetrated cross-border transactions in the U.S., as an example, where chip authentication would not presently be part of the authorization."