3 Reasons Skimmers Are WinningAnti-Skimming Tech Won't Win War on Card Fraud
Banks and credit unions say that losses linked to card-skimming and other sources of debit card fraud are increasingly concerning.
See Also: Top 50 Security Threats
In early May, a Connecticut a court sentenced a Romanian man for the role he played in a multi-state skimming scheme that targeted bank ATMs and vestibules. In April, Toronto police said eight area hospitals had been targets of ATM skimming attacks. That same month, in Las Vegas, a grand jury indicted 13 California residents for the roles they played in an alleged two-year card-skimming scheme for attacks linked to ATM vestibule entry doors at Chase branches in Nevada.
Arrests and financial losses linked to skimming continue to add up. Why do many institutions struggle to thwart attacks waged against ATMs and the vestibules that house them? (See ATM Fraud: Access Doors Under Attack.)
Mike Urban, a financial fraud expert with Fiserv, a core processor that provides security services to financial institutions, says anti-skimming technologies just can't keep up.
"There is a lot of different technology out there, but criminals have figured out what techniques they can use to get around most of it," Urban says. "It's not that easy to stop skimming."
In the U.S., banks understand the vulnerabilities linked to mag-stripe card technology are the root issue. Until mag-stripes are replaced with chips that conform to standards like the Europay, MasterCard, Visa standard, skimming fraud will remain an issue.
"We're dealing with a card technology today that is just too easy to replicate," Urban says. "That's the big layered solution that we could get out there - having the chip encrypting that card information in such a way that it can't be compromised."
Beyond outdated card technology, a number of factors have contributed to ATM skimming's success. Cardholder behavior, outdated or ineffective anti-skimming technology and too many endpoints are the top three, experts say.
How cardholders use ATMs and ATM vestibules plays a role. Users are not savvy and often compromise themselves. They don't inspect ATMs for manipulated card readers, or they neglect to cover keypads as they enter PINs, making it easy for nearby cameras or so-called shoulder-surfers to record PINs as they're entered. Users also swipe their cards at vestibule access points, which are increasingly compromised with skimming devices.
Education plays a role, and financial institutions have done more in recent years to educate consumers about safe ATM behavior; but they can't control a user's every move.
In some cases, like the link between compromised cards and vestibule-access skimming, taking vestibules out of the equation would benefit banks, says John Buzzard, who monitors card fraud for FICO's Card Alert Service.
"The vestibule card reader really serves no purpose," Buzzard says. "Any magnetic card, a grocery-store card or a loyalty card, can open the door. You don't have to use your ATM card, but most consumers do."
The anti-skimming feature known as jitter, which uses a stop-start or jitter motion at the card reader to prevent card details from being copied, is a standard feature, but one that has been defeated. In theory, the irregular motion distorts the magnetic-stripe details on the card, so if a skimming device has been placed on the ATM, the jitter feature makes the copied information unusable.
Introduced more than seven years ago to the U.S. market by ATM manufacturers such as NCR Corp., Diebold, Fujitsu and Wincor Nixdorf AG, jitter remains the leading technology financial institutions use to prevent skimming. But jitter is only effective on ATMs with motorized card readers - readers that pull the card in, read the mag-stripe data and then push the card out. The technology is ineffective on machines with dip readers, in which the user manually inserts and withdraws the card.
Beyond jitter, the more sophisticated the technology to thwart or detect the skimming attack, the more problems arise.
Skimmer-detection sensors and monitoring systems designed to alert banks and credit unions when an ATM's card reader has been manipulated have proven difficult to integrate and ineffective, Buzzard says. "Some of the detection technology can interfere with the operability of the ATM," he adds.
Many of the higher-tech solutions also only work on certain ATM makes and models. For banking institutions that have mixed ATM fleets, like Buffalo, N.Y.-based M&T Bank Corp. (approximately $79.2 billion in assets), those types of detection technologies have not been easy to implement.
"A lot of the solutions out there are very proprietary and difficult to integrate," says Carolyn Criscitiello, a vice president in M&T's Alternative Banking and Retail Services division.
That's why M&T in November 2011 released its own anti-skimming solution called Blocker - a low-tech ATM addition made up of plastic translucent plates that go around the card reader. The plates are intended to prevent criminals from attaching skimming devices over an ATM's fascia.
"The Blocker could be used on almost any make and model, and it did not interfere with the ATM technology, nor did it require us to take the ATMs offline for an upgrade," Criscitiello says. "It has been very effective."
M&T is working to install the Blocker on all of its 2,000 ATMs. It also just signed The Bancsource Inc. and Pendum LLC as licensed distributors, to sell and market the Blocker to other banking institutions and ATM deployers.
Too Many Endpoints
When card fraud results from a skimming attack, it hits card issuers. And, chances are, the card issuer was not the deployer of the compromised ATM.
So when banks review technologies that have the greatest impact on thwarting losses linked to skimming and other attacks, anti-skimming investments for ATMs just don't rank very high.
"I do talk to banks about their fraud types, and a lot of the large banks that have the money to invest in anti-skimming technology don't control the ATMs that are getting hit," says Gartner fraud analyst Avivah Litan. "There are just too many endpoints for banks to control, too many ways for a card to be skimmed. At the end of the day, it's the card fraud they're concerned about."
From a fraud perspective, financial losses linked to ATM skimming are not banks' biggest worry. According to Gartner, from 2009 to 2010, losses suffered by U.S. banks linked to ATM skimming increased 13 percent. Comparatively, losses connected to POS PIN debit fraud jumped 71 percent.
To address growing fraud on the POS side, institutions are more focused on investing in back-end systems that detect card fraud than they are in anti-skimming technology for ATMs.
"Remember, you can skim cards at POS systems, too, and that's where most of the PIN debit fraud is occurring," she says. (See Michaels Breach Bigger than Reported.)
With between 15 million to 20 million merchants in the United States now accepting debit cards, card issuers have to invest in solutions that detect card fraud, not individual devices.
"None of these technologies is fool-proof," Litan says. "There is mo such thing as tamper-proof when it comes to ATMs and POS devices."
One Battle at a Time
Losses linked to ATM skimming globally cost the financial industry about $350,000 a day, says ID theft expert Robert Siciliano. "It's just getting easier and easier to do," he says.
Institutions are concerned, but ATM skimming is only one piece of a much larger fraud puzzle.
According to BankInfoSecurity's Faces of Fraud survey, 35 percent of banking institutions suffered from fraud linked to ATM skimming or some other type of ATM attack in the last year. On the POS-skimming side, 23 percent say they suffered from fraud.
But when asked about overall credit and debit fraud, 84 percent said they had suffered from some sort of fraud within the last 12 months.