Fighting the Skimming Factor
Debit card compromises are a growing concern for banks, credit unions and retailers. ATM and POS skimming attacks, as well as database breaches, are growing. U.S. financial institutions are not yet seeing losses that rival those felt by their global brethren, but industry research suggests they soon will. So, what will U.S. institutions do to fight back?

Jerry Silva, founder and financial-services technology strategist for Boston-based PG Silva Consulting, says institutions can:

  • Reduce debit fraud losses by implementing fraud-monitoring tools;
  • Combat skimming attacks with updated ATM and POS hardware;
  • Make combating database breaches the priority over skimming prevention, since breach losses are greater.

Silva is the founder and financial-services technology strategist for Boston-based PG Silva Consulting, an advisory company focused on improving the deployment of technology in the financial-services industry. As an experienced executive in the financial-services technology industry, Silva spent more than 25 years in operations, technology and business development with several top-tier banks. As a research director for TowerGroup, Silva worked as an advisor and strategist for financial institutions and technology providers in the areas of business and technology strategy. Silva has chaired the Financial Services Technology Forum and the Identity Theft and Fraud Symposium, and has been quoted by National Public Radio, The Wall Street Journal, The New York Times and The Economist.

TRACY KITTEN: Card skimming: It continues to be an ever-growing concern. Hi, this is Tracy Kitten, managing editor with Information Security Media Group. I am here today with Jerry Silva, founder of Boston-based PG Silva Consulting. Jerry, go ahead and tell me a little bit about yourself and your role at PG Silva Consulting.

JERRY SILVA: I have been in the banking industry and technology for about 25 years now, and I worked in the, I guess what you would call, the trinity of jobs. I have worked both at banks; I have worked for the research industry; and recently worked for an actual provider of technology solutions. Today, I am really dedicating my time to PG Silva Consulting, which is a company that I founded to deal with making technology work in financial services. So, that is both during the process of acquisition and the actual deployment of technology solutions. So I get to work with both institutions and providers to make sure the technology is deployed as effectively as possible.

KITTEN: Great. And so when we are talking about the technology that you are focusing on, it is across the board: It is ATMs, it is teller, it is enterprise management.

Skimming is a growing problem in the United States, of course it is a problem throughout the world; but when we talk about the ATM or the POS or the self-service device, or even pay at the pump, which type of skimming attack do you deem the most threatening, and how can retailers and financial institutions combat these growing trends?

SILVA: Well, they are all kind of equally nefarious, aren't they? I think it would be more pertinent to think of it as the difference between fraud on a credit card versus a debit card, maybe, rather than being channel specific. We have had a lot of experience in the past with credit card fraud and have a lot of intelligence in place to actually capture card usage and then use that to detect any anomalies in the card usage, and then that often gets used to stop the fraud before it is committed. And I am sure you know, as much traveling as you do, you occasionally receive the phone call from Visa or MasterCard or American Express, making sure that you are the one that is actually using the card. In effect, the consumer is almost always protected from any loss as long, as it has been reported in a timely manner.

They have those systems in place on the credit card side, but you don't have the same thing ... most banks as issuers of debit cards don't yet have that kind of intelligence. Some do, but most of them don't. So as long as the card number and the PIN are correct, the transaction is going to go through; there is nothing even preventing it. And although very few banks have actually enforced it in a retail consumer world, retail banking, they could actually hold consumers liable for some small deductible in the case of fraud loss. And, in fact, we have already seen banks turn the liability back onto small business, larger fraud loss, right? And so from my perspective, it is not so much about which is worse. Is it worse if it goes ATM versus POS or a self-service device? It is really kind of equal when you are looking at it in terms of debit versus credit.

KITTEN: And what about the jitter feature? This is something that we have heard quite a bit about over the course of the last five to seven years at the ATM, but is it truly effective?

SILVA: Yeah, I think it is effective. I mean, typical skimming devices really need that really smooth travel of the card, either in the swipe or in the reader, in order to skim the data off; and so when you are using jitter technology, it makes it almost impossible for the skimmer to do that job. So from that perspective it is pretty effective.

What the problem is, is that there are still a lot of machines that don't have that jitter technology in place. And I am not just talking about the banks; I mean, banks are actually doing a pretty good job of upgrading their machines to include the jitter technology. But think about the fact that more than half or more of the country's ATMs are not bank-owned, the ISO deployments, the convenience stores and supermarkets. When you are looking at that market, the business case for ISO deployments is so sensitive to the cost of the machine, in order to provide the decent revenue model for the merchant, that if you had $500 or $1,000, whatever that jitter device costs you, that additional cost, that additional investment, can actually make or break the revenue model for a lot of different locations. So, if you've got a mom-and-pop that is only generating 75 or 100 visits per month on the machine and they are making some amount of revenue from that machine, you add now the upgrade to that jitter technology, and that revenue model just completely goes away. And if that happens, then all of the sudden you start losing the machines and, ultimately, it affects the consumer's convenience.

So, yeah, the jitter technology does work; it is just not deployed everywhere you would want it to be.

KITTEN: So, if you had to compare skimming attacks and cyber attacks with data breaches, which of those do you deem to pose the greatest threat and why?

SILVA: Well, here it is a matter of, well, the answer is "yes" to both. It is matter of wide versus deep, right? If we are looking at card skimming, [it] affects thousands of cards at a time during any single event, right? So you get a group of people together and they go off and skim cards and they are skimming, again thousands of cards and affecting thousands of people, thousands of accounts, and (during) the typical skimming attack they collect all of this information -- thousands of cards stripes before they actually hit the street with manufactured cards or with purchases. So it affects thousands of people, more or less, at once.

But on the other hand, the loss per person is typically limited to either the daily card limit or the daily card limit times the number of days the consumer isn't aware that it is going on. So from that perspective, you can consider card skimming to be a very, very wide kind of fraud event, but not very deep -- pretty shallow.

Data breaches, on the other hand, are a different thing all together. There, we are talking about a very, very deep thing. So if a retail store or institution loses the consumer's personal data, the data then can contain account numbers, Social Security numbers, etc., it gets much more damaging at the individual level. Once you get a fraudster that has enough information to open accounts, move balances, close legitimate access, close accounts -- really the fraudster is only limited to the total amount of your account balance. They can take the entire thing. And it gets worse, if they go on then to establish other relationships, and notably credit relationships, they can destroy the consumer's credit history and their credit reputation. So while it doesn't happen with the same frequency as skimming, you know we are not talking about as wide of an affected area with a data breach, it is certainly much more catastrophic, because it dives deeper into the consumer's financial well-being and takes forever for the consumer to come back.

KITTEN: And that is interesting, because as the fraudsters become more intelligent and they become more connected, it is really going to be more difficult for us to even separate skimming from a data breach attack, because it is all going to be connected together.

SILVA: Absolutely, especially when they start using that information together. So you can imagine a skimming attack that goes after card's mag-stripe information in conjunction with, perhaps, a data breach. And now they have got an entire picture of your financial security.

KITTEN: And on that note, when we talk about the connection between a compromise of the mag-stripe information, getting a PIN and then tying it in with your personal history and your banking information, what role do you think chip-and-PIN technology or EMV, as it is called everywhere else in the world, could play here in the U.S.?

SILVA: Absolutely, if we brought that over here it would be very, very effective, in terms of stopping that card fraud. In fact, the entire impetus behind EMV was the high levels of fraud overseas that were taking place, because there was so much offline authorization taking place. So from that perspective, EMV is a very, very effective technology. The issue is not so much about whether the technology works; there are so many legitimate challenges in moving EMV to the U.S. that I don't see it happening any time soon, if ever, not the least of which is cost. I mean, the cost of retrofitting and/or upgrading ATMs and POS devices to use EMV is not trivial. Although the per-machine cost may be low, you are talking about, what, half a million machines, ATMs, and God knows how many more POS devices out there? And so the cost becomes non-trivial.

Then there is also the issue of reissuing the millions of cards, both credit cards and debit cards, back to the consumer. When you look at the cost of fraud in this country, it is very different. Both the fraud and the frequency of fraud in this country are very different than it was in Europe when EMV was established. The numbers just don't justify that kind of investment just yet. We haven't seen the levels of fraud where the banks are saying, "Well, it is going to be cheaper for us (or the issuers), it is going to be cheaper for us to go off and retrofit every ATM we have, every POS device that we have, and reissue every card that we have because that will be cheaper than paying off the fraud." That is just not the case, yet.

How hackable is the EMV technology? Well, it has already been done, right? It has already been hacked. But in the specific case where somebody got around the EMV standard, it wasn't an easy hack; it really required that fraud to be kind of an inside job. They had equipment that kind of went between the card itself and the POS device, let's say, so I think in order to hack the EMV card itself, you need additional technology. It can't be as cleverly hidden as a skimming device can be, for example. Now that problem, that hurdle, eventually, will have to come down at some point, but we are not there quite yet. So no technology is ever going to be 100 percent; but EMV is very, very effective, and it takes a lot to hack it. But again, the cost of moving to EMV in this country, it is just not going to pay off the additional fraud that we are going to stop.

KITTEN: So given that, you know, moving to EMV is something that we know works in other places in the world, but given that it is just cost prohibitive at the time in the U.S., what advice can you offer financial institutions and retailers who are interested in improving risk awareness, risk management programs, and just overall security?

SILVA: Well, you know, I can think of two different things. One is customer education. Customer education is always important in fighting fraud. The more your customer knows, the better protected you are as an institution or as a retailer. And we have already seen the use of things like online banking -- and this was almost accidental -- we have seen that be used as kind of an accidental weapon against fraud, because people are much more aware than ever of the day-to-day events that are taking place in their accounts. Before online banking, you kind of had to wait to see your monthly statement before you noticed any kind of funny business taking place in your accounts; but nowadays, you have most people that are logging on either daily or weekly, and now you have banks that are also offering alerts, so people are much more self-aware of what is going on in their financial situation. So you have to kind of take that lead and say, "Well, we will try to educate the customer as much as possible, teach them how to use the alerts, teach them what to look for in the case of fraudulent activity. So customer education is very important.

The other thing I think I would say is we have a wealth of information on customer behavior stored across the four banking systems -- all the front-office channels, ATM, online banking systems -- we have a lot of information about how often and in which way the consumers are interacting with the institution.

Banks are just beginning to use that kind of information for online banking to understand how their customers normally behave, so we are starting to build -- and we are talking about a very few banks -- but they are starting to look at customers' behaviors online so that they can see, well, if an ACH transaction gets generated, does this happen when they normally do it, or are they doing it on a Saturday, or are they doing it from a computer they have never used before? So they are just starting to use that kind of information to understand how the customers normally behave and then use that information to prevent the fraud. So we need to start leveraging that information; start applying it to the ATMs as well, start applying it to the IBR, and use the next generation of that kind of fraud-detection technology and try to prevent the "bad cards" from coming into the payment system. It is almost like we have to assume we are going to get bad cards, and now instead of stopping the bad cards -- we should still be trying to do that -- but in addition, assume that the cards are going to get through and now look at the behavior and say, "Does this behavior fit with what that consumer typically does?"

KITTEN: Thank you for your time today, Jerry. We have been talking with Jerry Silva of PG Silva Consulting. For Information Security Media Group, I'm Tracy Kitten.




Around the Network