ATM Attacks Exploit Lax Security

Toronto Hospitals Struck by Skimming Attacks

Lax security makes non-banking sites prime targets for skimming attacks, like the ones that hit eight hospitals in Toronto.

Earlier this week, Toronto police announced that eight area hospitals had been recent targets for ATM skimming attacks. Authorities believe that, over the past six months, fraudsters targeted these hospitals because of traffic and the high-volume cash dispensers in these locations. But security experts say the ATMs were more likely hit because they're easy targets.

"ATM placement in establishments like hospitals and 'cash only' enterprises seems to be an afterthought to security, with the installation of ATMs in really remote areas of the building, where fraudsters can easily tinker with skimming-device placement and retrieval without the threat of immediate capture," says John Buzzard, who monitors card fraud for FICO's Card Alert Service.

Beyond the placement of ATMs in remote locations, hospital staffers are not typically trained in what to look for when it comes to ATM tampering. So skimming devices could go undetected for months, depending on how often a cash carrier replenishes the ATMs' cash.

In the Toronto incidents, the devices were found by armored drivers when they opened the ATMs for cash replenishment.

"The hospital ATMs were hit with the same fraud as many American banks have experienced at their own ATMs," says Aite fraud analyst Shirley Inscoe. "In today's world, they (the devices) match the color of the ATM surround and everything, making them look like they are just part of the ATM."

Now detectives hope surveillance footage will help them identify the fraudsters.

"Clearly, when people are going to a hospital, they have other things to worry about other than their financial security," said Det. Ian Nichol during the press conference. "It's definitely a lowly thing to do."

Similar incidents have cropped up over the years at other commercial establishments, such as office complexes.

"It's the newest form of bank robbery, I suppose, since the bank must reimburse all the affected customers," Inscoe says.

But hospitals pose unique challenges, because facility access, at least where ATMs are located, is not limited or screened for clearance, as it would be in a business setting.

"When we see a series of similar attacks, it is often because the attacker recognized a vulnerability and worked that vulnerability until it was exhausted," says Robert Siciliano, a McAfee consultant and ID theft expert.

Siciliano also suggests the same ATM model may have been installed at all eight hospitals. The ability to use the same skimming device on all the ATMs, coupled with the hospitals' lax security, made these locations targets too good to pass up.

Skimming, Despite Chip and PIN?

Though Canada has made its migration from the mag stripe to the Europay, MasterCard, Visa (EMV) chip and PIN standard, card details used at the ATMs in Toronto were still skimmed and copied.

Since all chip and PIN cards have maintained their mag stripes, and many card readers on ATMs and POS terminals - even in EMV-compliant countries - continue to read mag stripe details, EMV cards remain susceptible to skimming. This vulnerability is one reason several countries in Europe, which also have undergone EMV migrations, are blocking mag stripe reads on cards used within their borders. (See ATM Cash Trapping on the Rise.)

Buzzard says the real concern is cross-border fraud. "The skimmed cards would have a high risk factor if the thieves perpetrated cross-border transactions in the U.S., as an example, where chip authentication would not presently be part of the authorization."

About the Author

Tracy Kitten

Former Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

Kitten was director of global events content and an executive editor at ISMG. A veteran journalist with more than 20 years of experience, she covered the financial sector for over 10 years. Before joining Information Security Media Group in 2010, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by, ABC News, and MSN Money.
