ATM fraud losses are increasing globally, and we can expect to see this trend continue as the U.S. ramps up its migration to EMV at the point of sale.
See Also: Data Security Risk: A CISO's Perspective
ATMs and other self-service payments devices, such as pay-at-the-pump gas terminals, have always been prime targets for criminals. These unattended terminals are easy to compromise with card skimmers and well-placed cameras designed to capture PINs as they're entered on PIN pads.
"The best way to guard against ATM attacks is to regularly inspect devices for skimming and shimming devices and frequently test ATM software."
A new report from the European ATM Security Team shows that global ATM fraud losses increased 18 percent to €156 million (U.S. $177.5 million) in the first half of this year, compared to the same period a year ago. EAST attributes much of that increase to an 18 percent rise in global card-skimming losses, which account for €131 million (U.S. $149 million) of that total.
What's more, most of those ATM fraud losses are being reported within non-EMV-compliant markets, such as the United States and the Asia-Pacific region, particularly Indonesia, EAST notes.
"International skimming losses have risen for the past four reporting periods [two years], and EAST is working closely with Europol to raise awareness of this issue in Asia-Pacific and the Americas," says Lachlan Gunn, executive director of EAST. Gunn will address some of these international trends Oct. 27 at Information Security Media Group's Fraud Summit in London.
Everyone talks so much about a migration to card-not-present fraud once EMV is in widespread use at the point of sale at U.S. merchants. But we forget that fraud is migrating to self-service channels, too, where EMV is not yet used.
And fraudsters aren't just targeting ATMs. At the recent National Association of Convenience Stores convention in Las Vegas, I heard reports that pay-at-the-pump attacks are also on the rise.
One reason why attacks are up at ATMs, as well as gas pumps, is that the EMV liability shift date for these devices is later, so magnetic-stripe transactions at those devices remain the norm, at least for now.
While the liability shift date for U.S. merchants was Oct. 1, Visa's and MasterCard's EMV liability shift date for self-serve gas pumps is not until Oct. 1, 2017. For ATMs, the liability shift is Oct. 1, 2016, for MasterCard and Oct. 1, 2017, for Visa.
Getting Around EMV
Meanwhile, fraudsters are using techniques that will prove effective at self-service channels even after the EMV rollout for these devices is complete.
Card-trapping attacks were up 18 percent from the first six months of 2014 to the first six months of 2015, according to EAST. This type of fraud involves "trapping" a card in the ATM's card reader, so that a user thinks the ATM has malfunctioned and has "eaten" his card. In reality, a fraudster has manipulated the card reader to trap the card so he can retrieve it later. EMV cards are not immune to this type of attack, especially if the PIN also is compromised by a well-placed camera.
Commonly known as "jackpotting" attacks, these malware attacks command ATMs to dispense cash without the need for a card. While we first heard about this type of attack impacting ATMs in Eastern Europe, jackpotting has since been identified in the U.S. and other parts of the world (see Alert: Indian ATMs Face New Attacks).
As EMV for debit transactions becomes commonplace, fraudsters will move from skimming to shimming attacks, which have already popped up in Mexico. In these attacks, a shimmer is placed inside the ATM's card reader to intercept and capture communications between the chip card, once inserted, and the ATM's EMV kernel. Because card numbers on EMV chips are not encrypted, shimmers can capture that data, along with the PIN, if a camera also is installed near the PIN pad.
ATMs: Prime Targets
Unattended ATMs will continue to be among fraudsters' favorite targets. The best way to guard against ATM attacks is to regularly inspect devices for skimming and shimming devices and frequently test ATM software.
Banking institutions also should regularly review transaction logs for suspicious activity. Inspection of logs is what clued banks into some of the early jackpotting attacks.