The Expert's View with Jeremy Kirk

FICO: Debit Card Fraud Spiked in 2016

Non-Bank ATMs and Point-of-Sale Devices Hit Hard

Despite a years-long move to shore up the security around payment cards in the U.S., certain types of fraud are on the rise.

FICO, the financial risk and analytics consultancy, says the number of debit cards that were compromised after the hacking of ATMs or point-of-sale devices rose by 70 percent in 2016 versus a year prior.

The statistic comes from companies that subscribe to FICO's Card Alert Service, a paid-for product used by payment card issuers to analyze card purchases en masse to identify fraud trends.

FICO says it also detected a 30 percent rise in hacked ATMs and POS terminals at restaurants and merchants.

The statistics would seem to contradict the investments made in U.S. payment card infrastructure over the past few years. The U.S. is moving to EMV, which uses payment cards with a microchip containing security features designed to counter illegitimate card use (see EMV Rollout: Are We There Yet?).

But a closer look at how the U.S. is transitioning to EMV reveals why this uptick in ATM skimming attacks is really not so surprising. Most ATMs, especially off-premises ATMs at retail locations, have not yet been upgraded to accept EMV chip cards. And they aren't likely to be EMV compatible anytime soon.

Visa's liability shift for fraud that results from compromised cards used at ATMs takes effect in October 2017. (MasterCard's shift was October 2016, but the card brand has not reported totals for ATMs that are now accepting chip transactions on its cards.) Still, many experts predict that a majority of off-premises ATMs, which are often run by retailers or independent operators, will never be upgraded to accept EMV chip cards. If the fraud losses shifted back to merchants and independent ATM owners become too high in the wake of the liability shift, then most of these retailers and independent operators may opt to have the ATMs taken out rather than pay for upgrades.

Stand-alone ATMs

FICO notes in its report: "As in 2015, the most compromises occurred at non-bank ATMs, such as those in convenience stores. About 60 percent of compromises were at non-bank ATMs, with the rest occurring at bank ATMs or point-of-sale devices, such as card payment machines at retailers."

If an ATM can't read an EMV chip, it reads the magnetic stripe on the back of the card, which contains account information. EMV was designed, in part, to counter skimming, in which fraudsters copy the magnetic stripe's information and encode it on a dummy card that is then used to withdraw money.

ATMs that haven't been upgraded to accommodate EMV may also be targeted by fraudsters as places to use those cloned cards. Non-bank ATMs are also viewed as easier targets than bank ATMs for installing skimming devices that collect payment card details.

POS terminals, as well as the back-end payments infrastructure, are targeted with malicious software by cybercriminals. The aim is the same: to capture large numbers of card details that can be replayed in fraudulent transactions.

Over the past few years, card breaches at merchants have become routine. Merchants are supposed to follow the Payment Card Industry's Data Security Standard, a set of security practices designed to protect card information. Smaller merchants with less IT support tend to be more disadvantaged, and it's well known that a single mistake can expose weaknesses that could lead to a breach.

Still, the amount of time between the compromise of an ATM or POS device and the detection of the breach fell last year, FICO reports. FICO says that the average compromise period for either an ATM or POS was 11 days, down from 14 days in 2015. Keep in mind, however, that this statistic is for FICO subscribers, and its fraud alert service may have been a contributor to the improvement.

Dodgy ATMs

It can be tricky to identify a skimming device on an ATM, but FICO dispensed the usual advice: If an ATM looks like it has been tampered with, find a different one.

If your card gets stuck in an ATM, it could be a sign of an attack. "Sometimes you may think that your card was captured by the ATM when in reality it was later retrieved by a criminal who staged its capture," FICO says. "Either way, you will need to arrange for a replacement card as soon as possible."

Another common-sense tip is to avoid an ATM if someone is hanging around it. FICO advises to "never engage in conversations with others around an ATM. Remain in your automobile until other ATM users have left the ATM."

(Executive Editor Tracy Kitten contributed to this report.)

About the Author

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.