ATM Fraud: Access Doors Under AttackFraudsters Target Vestibules for Skimming Schemes
Card skimming at ATMs and access doors to the vestibules that house them is a source of increasing concern for financial institutions and law enforcement agencies.
See Also: DevSecOps Community Survey 2019
In Connecticut, a court has just sentenced a Romanian citizen for the role he played in a multistate skimming scheme that targeted bank ATMs and vestibules.
Though not new, vestibule skimming is a surging trend, and fraud expects say the industry can expect to see more incidents until financial institutions take additional measures to address security at the ATM and its surrounding access points.
"The vestibules are definitely getting hit more often," says Aite fraud analyst Julie McNelley. Criminals have found a security gap, and now they are exploiting it, she says. "They saw that the banks were proactively checking the ATM, so then they hit the vestibules."
Inside the Connecticut Case
The most recent vestibule skimming case in Connecticut sheds light on the fraudsters' methods of operation.
On May 3, the U.S. District Court of Connecticut sentenced Ion Preda to 24 months in prison imprisonment and five years of supervised release for the role he played in a multistate ATM and vestibule skimming scheme that targeted People's United Bank, PNC, Wachovia, now part of Wells Fargo, and other institutions.
According to court records, from September 2009 until his arrest in May 2010, Preda and co-defendant Marius Olustean targeted branch ATMs and ATM vestibules in Connecticut, Pennsylvania, New York and New Jersey.
In March, Olustean pleaded guilty to the same charges and was sentenced to 41 months.
With skimming devices and pinhole cameras, the two copied and collected magnetic-stripe details from cards and PINs. They then created counterfeit ATM/debit cards and fraudulently withdrew more than $200,000 from numerous bank accounts.
Preda and Olustean were linked to a September 2009 attack on a People's United Bank ATM in Madison, Conn., where they installed a PIN-capturing device. They then used cloned cards and stolen PINs to withdraw cash from compromised accounts at another People's United Bank ATM in Greenwich, Conn. In June and July 2009, the two installed skimming devices and pinhole cameras at a Wachovia ATM and PNC ATM in Philadelphia, and subsequently stole money from compromised accounts at those banks as well.
When the duo was arrested by Indiana State Police, authorities seized $1,285 in cash, laptop computers, gift cards, tools and Western Union receipts linking them to the compromised accounts.
Anti-Skimming Tech: Ineffective?
Experts say the battle against skimming - particularly ATM vestibules - is challenging for several reasons. For one, the anti-skimming technology banks and credit unions rely on is varied. Some rely on technology that alerts branch staff when the fascia of an ATM is manipulated. Others rely on transactional analytics, biometrics readers and even out-of-band authentication for ATM transactions. Few institutions focus on security for vestibule access doors.
John Buzzard, who monitors card fraud for FICO's Card Alert Service, says institutions should pay more attention to combining transactional fraud-detection tools with ATM-fraud prevention tools.
"The one important thing here to remember is that reasonably sophisticated criminals can skim cards and PINs directly from the ATM without a vestibule door card reader as part of their modus operandi," Buzzards says. "Financial institutions can really only focus on a couple of areas to reduce their exposure to fraud scams, like vestibule card skimming."
Mike Urban, a financial fraud expert with Fiserv, a core processor that provides security services to financial institutions, agrees. In fact, Urban questions the need for vestibules. Today, they pose more security vulnerabilities than benefits.
"Vestibule skimming has been around since the '90s, and it's ongoing," Urban says. "It's an opportunistic crime, and it's much more difficult to protect. It's much more challenging to detect if something has been added to the reader, like we can at ATMs. And because data is not being recorded like it is for ATM transactions, it's also more difficult to track."
The easily copied mag-stripe poses additional concerns, says Randy Vanderhoof, executive director of the Smart Card Alliance. "Until the U.S. issuers reach the point where their fraud losses or the expenses in mitigating further losses reach the level of where magnetic stripe fraud is no longer a cost of doing business, or banking regulations intervene, we will be seeing more cases," he says.
Card issuers will eventually migrate toward new payments technology, such as chip and PIN payments that meet security requirements of the Europay, MasterCard, Visa standard. Until then, however, institutions have to address skimming fraud in the here and now.
"This is a very high priority for financial institutions," McNelley says of recent skimming incidents. "But they can't rely on one technology or solution. They need a layered approach, one that includes a combination of policies and procedures, like regular inspections of ATMs (and vestibules)."