But as the U.S. works to speed its migration to the EMV chip, executives at leading ATM manufacturers say they see new opportunities for contactless ATM transactions, which could ultimately put an end to skimming.
In part one of this exclusive three-part interview with Information Security Media Group, executives from the world's top three ATM manufacturers - NCR Corp., Diebold Inc. and Wincor Nixdorf AG - discuss how they see ATM security and anti-skimming technology evolving, and talk about the work they are doing behind the scenes to help banking institutions address emerging fraud trends.
Skimming: Still the No. 1 Threat
When it comes to skimming, the banking industry has "an inherent problem," says Owen Wild, global marketing director of NCR's financial services for NCR. "The vulnerability still resides on the magnetic stripe on the card. As long as the stripe remains, this risk remains."
So even in international markets where EMV chip cards that still also have mag stripes are now standard, the lingering mag-stripe has allowed skimming to remain viable, Wild says.
Until mag-stripes no longer appear on payment cards - and they will for some time until the entire world is EMV chip enabled - banking institutions will have to invest in anti-skimming technology, he adds.
Benefits of Contactless Payments
While the U.S. is making the migration to EMV, it will be several years before the mag-stripe is completely replaced. This is why, Wild says, contactless payments - made possible via chip cards or even mobile devices equipped with chips - are becoming increasingly attractive.
"We are still seeing ATM skimming growing, and it remains an active threat in other regions," not just the U.S.," he says. "The use of contactless allows us to provide contactless card data. And, to prevent skimming, you eliminate the need for the card to come into contact with the ATM."
Bernd Redecker, director corporate security and fraud management at Wincor Nixdorf, which is based in Germany, acknowledges that contactless transactions have their benefits. But in markets, such as Europe, where consumers are accustomed to conducting contact transactions with their EMV chip cards, contactless can pose risks.
"To make the ATM EMV contactless is not that difficult on the manufacturing side," Redecker says. "The problems are more in the standardization of this technology ... which opens loopholes for attack against this kind of implementation."
Not having the card physically enter a reader definitely helps eliminate the risks posed by skimming, Redecker says. But going completely contactless is not yet a realistic option, he contends. "Anti-skimming has been a rat race over the years. What we are suggesting is that we change the process."
Protecting the ATM
Rather than constantly developing new anti-skimming solutions, Redecker suggests vendors focus more attention on protecting the ATM itself.
"What we are proposing is optical surveillance," he explains, which alerts the institution when the ATM's fascia is manipulated in any way.
And Nick Billett, senior director of core ATM software and security at Diebold, says that contactless transactions technology is too new to be viewed as a cure-all for skimming.
"Really, this is something for the industry to continue to deal with," Billett says. "Contactless is a very, very good solution. ... But this is a technology that may potentially compete with contactful EMV transactions that need to be implemented in the U.S. in the near future."
Until the market fully understands EMV and has industrywide, global specifications for contact and contactless payments, contactless ATM transactions could create more headaches, Billett says.
Also discussed during this first part of the three-part interview:
- How organized crime is fueling the migration of ATM attack tactics across international borders;
- Why ATM malware is getting more attention from vendors; and
- How attackers are adapting their techniques to exploit multiple security innovations simultaneously.
In part two of the series, to be posted soon, the panel discusses how ATM manufacturers are joining forces to share information about emerging threats.
Wild oversees the global development and execution of NCR's marketing strategy and programs for its security solutions portfolio. Redecker heads Wincor Nixdorf's corporate security and fraud management team, which includes Wincor Nixdorf's security products and solutions. At Diebold, Billett oversees research, development and delivery of extensions for financial services products, operating systems, systems software, security modules and security-related ATM products. His teams also investigates global ATM skimming and logical attacks.
The other panelists are: Uwe Krause, vice president of banking at Wincor Nixdorf, who heads banking product management and marketing for national and international markets; and Joerg Engelhardt, vice president of product management and marketing for Diebold, who oversees management of the business lifecycle for the company's product portfolio.