ATM Skimming Arrests: Sign of the Times?Fraudsters Capitalize on Slow U.S. Migration to EMV
Twelve members of an alleged ATM skimming ring in California have been accused of stealing hundreds of thousands of dollars from U.S. bank accounts from late 2012 through fall 2013 as part of low-tech attacks that fraud experts say easily exploit magnetic-stripe card data.
See Also: The 2020 Bad Bot Report
Experts say U.S. banking institutions and other ATM deployers can expect to see these types skimming schemes increase over the next 18 to 24 months as the United States' migration toward enhanced payment-card technology that complies with the Europay, MasterCard, Visa standard ramps up and the use of magnetic stripe cards, which are more vulnerable to skimming, declines.
Federal authorities charged 12 defendants in two separate complaints with conspiracy to commit bank fraud for various roles they allegedly played in these attacks that victimized U.S. banks and accountholders, according to the Federal Bureau of Investigation.
So far, nine defendants have been arrested, and three are fugitives believed to be overseas, investigators say. If convicted, the defendants each face up to 30 years in prison.
FBI spokeswoman Laura Eimiller says the arrests in the case hinged on regional and federal law enforcement. This case is a continuing joint investigation by the FBI, the Los Angeles Police Department, the Las Vegas Metropolitan Police Department, Homeland Security and the Secret Service.
Skimming Still Effective
The low-tech attack method, which compromised ATMs in California and Nevada, involved the use of fascia skimming devices and mini video cameras.
"This is a classic example of a tried-and-true criminal methodology that continues to flourish," says John Buzzard, who heads up FICO's Card Alert Service. "There is a lot of interesting preventive technology out there, but it isn't universally employed by everyone. The criminals are constantly trying to undermine the success of anything that gets in their way of stealing payment card and PIN."
Until the migration to EMV is completed for all U.S. debit and credit cards, skimming attacks against point-of-sale devices and ATMs will continue, says financial fraud analyst Shirley Inscoe of the consultancy Aite Group. The U.S. is a prime target because of its continued reliance on mag-stripe technology. The U.S. also is the largest global market for debit and credit card usage, experts note.
"Some think these criminals are stepping up their efforts, realizing the days are numbered when this will no longer be effective," she explains. "This is a particularly appealing crime, since it enables the theft of actual cash as opposed to buying goods and services online, for example, that later need to be fenced. Until EMV cards for both debit and credit are completely rolled out in the U.S., this type of fraud will continue to thrive. Hence, financial institutions encourage customers to cover the keypad when entering their PINs and to notify the institution immediately if they notice anything unusual about the ATM hardware."
But as this California ring proves, customer education can only go so far, Buzzard and Inscoe note. Banking institutions and other ATM deployers, such as retailers, must be vigilant about inspecting ATMs for suspicious attachments. They also should be reviewing surveillance footage, which could clue them in to suspicious activity at the ATM after-hours, experts say.
The California Ring
In the latest California case, law enforcement authorities allege the defendants bought or built skimming devices to be placed over ATM card readers to skim debit numbers from the mag-stripes when the cards were entered by accountholders. The defendants also have been accused of installing mini video cameras to capture users' PINs.
With the debit numbers and PINs, the ring then replicated the copied card data onto gift cards and used those fake ATM cards to fraudulently withdraw cash from ATMs in Los Angeles; Orange County, Calif.; Las Vegas and San Francisco, authorities allege.
Authorities found hundreds of thousands of dollars in cash and credit card skimming equipment linked to the crime ring when they issued search warrants for the defendants' arrest, the FBI says.
Bank ATMs Targeted
Buzzard and Inscoe says ATMs located at bank and credit union branches are just as vulnerable as off-premises ATMs because their higher volume of transactions is appealing to fraudsters. Even if ATMs are located in well-lit walk-up or drive-up locations at branches or banking centers, they are still vulnerable, Inscoe says.
"On- and off-premises ATMs can equally be at risk for tampering," Buzzard says. "The name of the game is capturing as many cards and PINs as possible in a short window of time."
"Usually the skimming machines and cameras are installed during non-business hours, so there is nobody to challenge whoever is doing the work," she says. "This type of crime has evolved to the point the attachments to the hardware are carefully matched to the machine. The colors are matched, and it is not readily apparent changes have been made unless someone really scrutinizes the ATM."
Fraudsters' equipment is increasingly difficult to detect, Inscoe adds.
"The cameras are extremely small and are usually mounted higher than people tend to look, and are carefully trained on the keyboard where customers enter their PINs," she says. "The skimmers will typically hold thousands of card numbers, and someone will come retrieve the data periodically, or it may be set up to transmit the data as it is captured to a remote machine. This is one form of big criminal business."