ATM / POS Fraud , Endpoint Security , Fraud Management & Cybercrime
Why Skimming Will Grow in 2017ATM, Pay-at-Pump Terminal Attacks Will Plague Issuers
Localized skimming attacks, whether waged against ATMs or self-service gas pumps, continue to wreak havoc on banks and credit unions. "It's death by a thousand cuts," one executive with a leading card issuer on the West Coast tells me.
See Also: Live Webinar | Education Cybersecurity Best Practices: Devices, Ransomware, Budgets and Resources
As 2016 drew to a close, we got yet another reminder of the problem when federal prosecutors announced that a Romanian man pleaded guilty to using counterfeit cards to steal $127,000 from several New York banks in 2015, according to The Associated Press.
"Just because we are better at preventing at-the-pump fraud transactions doesn't mean that there is no fraud occurring. There is."
The defendant, Illie Sitariu confessed to authorities that he and an unnamed accomplice stole card data and PINs with skimming devices and pinhole cameras they had attached to various ATMs, including those owned by Capital Region, First Niagara Bank, Trustco Bank and Berkshire Bank, according to court records.
By today's standards, the loss of $127,000 to a counterfeit card scheme doesn't sound like much. Relative to multimillion-dollar losses we've seen linked to malware point-of-sale breaches at Target and Home Depot, Wendy's and others, $127,000 seems miniscule.
But the damage from skimming attacks can add up.
How Big Are Skimming Losses?
Unfortunately, we don't have a good handle on just how big skimming losses really are. That's because skimming, whether at gas pump or ATMs, is hard to track.
While experts from the retail side, including Gray Taylor, executive director of convenience store and petroleum industry technology association Conexxus, say card skimming at the pump has declined, bankers say just the opposite.
Last month, I blogged about Visa's and MasterCard's agreement to extend the EMV fraud liability shift date from October 2017 to October 2020 for self-service gas pumps. The blog sparked a flurry of comments from readers, who say the longer gas pumps are allowed to accept magnetic-stripe cards, the more fraud losses banks and credit unions are going to be forced to absorb.
One reader, Wes Spencer, responded: "While fraudulent transactions may indeed be declining at the pump, card skimming is certainly not. That risk is as present as ever and will continue to be so. Just because we are better at preventing at-the-pump fraud transactions doesn't mean that there is no fraud occurring. There is."
And he's right. Counterfeit card fraud is much different than skimming. Counterfeit fraud that occurs when someone uses a counterfeit card to pay for gas at the pump. That type of fraud has dropped rather significantly in the last two to three years. But card skimming at gas pumps has not declined, issuers tell me.
"Gas pump skimming is the worst problem for most banks, in not only our area but much of the southeast," says Marjorie Meadors, who oversees card fraud prevention for Louisville, Ky.-based Republic Bank & Trust. "Republic has banking centers in Florida and skimming is also very active there."
But providing exact figures for losses linked to pump skimming has proved challenging, Meadors adds, because criminals typically move skimming devices from one pump to the next within a day or two.
"By the time we identify a gas station, the skimmer has been moved elsewhere," she says. "But the FBI, local police and the Secret Service are all working on gas skimming. We consider the Visa/MasterCard move to allow an extra three extra years as extreme, and a blow to card issuers."
So while counterfeit card fraud at self-service gas pumps has declined since 2014, according to industry experts and Visa, issuers tell me that the number of cards compromised at self-service pumps continues to climb because of skimming attacks, and they expect the growth of skimming at both gas pumps and ATMs to pick up in the year ahead.
Why? Because EMV chip rollouts at physical points-of-sale are making POS attacks less appealing to criminals than attacks at self-service terminals that still accept mag-stripe cards.
EMV Rollouts at POS Push Attack Shift
U.S. retailers are working overtime to get their EMV POS terminals up and running. Merchants that are still accepting mag-stripe cards have seen significant upticks in chargebacks for counterfeit fraud since October 2015, when the EMV fraud liability shift took effect. In 2017, those retailers want to reduce their chargebacks as much as possible.
In April 2016, Liz Garner, vice president of the Merchant Advisory Group, which represents large retailers, told me that chargebacks were running between $10,000 and $15,000 per week for some smaller merchants, and were as much as $1 million a week for some of the largest merchants (see EMV: Chargebacks Hitting Merchants of All Sizes).
Today, ATMs and self-service gas pumps are the easiest targets because most of these terminals are still not yet accepting chip transactions. And that likely won't change until they're impacted by the fraud liability shift.
For ATMs, Visa's liability shift takes place in October 2017. (MasterCard's shift was October 2016, but MasterCard has not reported totals for ATMs that are now accepting chip transactions on its cards.) For self-serve gas pumps, the liability shift for both Visa and MasterCard is not until October 2020.
Shirley Inscoe, a financial fraud expert and analyst at consultancy Aite Group, told me last month that skimming remains U.S. banks' No. 1 ATM fraud worry.
"We as consumers use ATMs all the time to withdraw money, and that means, in order to reduce operating costs of servicing those machines and replenishing that cash, more and more [U.S.] banks are going to go to larger bills in the machines," Inscoe says. "As they do that, it makes the ATMs more attractive to theft."
And the biggest skimming worry in 2017 will be attacks like the one waged by the Romanian and his unnamed accomplice in New York.
Skimming attacks that capture magnetic-stripe details and PINs enable fraudsters to clone debit cards that can be used at ATMs for fraudulent cash withdrawals. It's not a new scheme or a complicated one; but it is a scheme that has proven effective and profitable for criminals.
And until ATMs are equipped to accept chip cards for cash withdrawals, these types of schemes will continue to grow.