2012: Year of the SkimmerFraud Losses to Increase; Mag-Stripe Vulnerabilities to Blame
Robert Siciliano, a security expert and McAfee consultant, says 2012 will be to skimming what 2011 was to the hacker and hacktivist. "2012 will be the Year of the Skimmer," he says.
"Skimming fraud is an epidemic," says Mike Urban, who oversees product management for Fiserv's Financial Crimes division. "And it continues to grow every year."
Some big skimming cases have grabbed headlines in recent months. Last June, four men were charged for their alleged involvement in a $1.5 million ATM skimming scheme that targeted Citibank and JPMorgan Chase ATMs in New York, Chicago and Miami. And 28 suspects were indicted in November for their alleged connection to an organized credit-card skimming ring that recruited waiters and waitresses at high-end restaurants in Manhattan to collect card details from American Express accountholders.
Card skimming itself is relatively simple. "It's very low-tech," Urban says.
Top Skimming Trends
So what are the top card-skimming trends financial institutions and financial-services providers should be on the lookout for in 2012? Industry experts weigh in to offer their domestic and global perspectives.The top six trends to watch:
- ATM attacks;
- Network hacks;
- Crime rings aiming for retail;
- Skimming at self-service points of sale;
- International fraud migration; and
- EMV in the U.S.
ATMs: The No. 1 Target
In 2011, debit fraud losses for the first time outpaced losses associated with credit fraud. The reason for tipping of the fraud-loss scales: skimming.
Julie McNelley, research director and fraud analyst at Aite Group, says increases in ATM skimming are primarily to blame for increases in debit fraud. "The dollar amount per skimmed ATM averages $50,000," she says -- much higher than losses associated with skimming at points of sale. [See Skimmers Busted by Fraud Detection .]
ADT Security Solutions in early 2010 estimated financial losses per ATM-skimming incident averaged $30,000. Now, as the average loss to ATM skimming has jumped $20,000, it's clear card fraud and skimming are increasing. And the industry can expect more fraud losses in 2012 as global crime rings enhance their networks and improve their techniques to exploit lingering magnetic-stripe technology.
ATMs are typically the last to be upgraded from a hardware perspective.
Alan Walsh, vice president of banking for Wincor Nixdorf AG, says malware will be a growing concern. "In ATMs, I think with the transition from OS/2 to Windows, you're using an operating system that's very common, and you always run the risk of getting a virus when you use a common operating system," he says. "There's a reason updates are being issued every day."
More Network Hacks
Institutions and retailers need to focus more attention on locking down their networks. Now that more networks and systems are connected, as institutions and businesses work to achieve enterprise-level data management, they increase their risk of exposure. If a system is compromised, fraudsters can easily access every server, POS device, ATM, PC and network that's connected to that system.
The widespread deployment and use of common and well-known operating systems, such as Windows, compounds the problem. Fraudsters know how to get in, and with evolving malware, it's getting easier for them to wage successful attacks.
The industry also can expect more point-of-sale fraud, especially as hackers perfect their abilities to tap networks through maintenance and service ports. "Hacking remote access for servicing POS will be the criminal hackers' next breakout money-making venture," Siciliano says. "They are just now getting good at it and realizing it's much lower risk than applying skimming hardware."
Advances in wireless communications also will reap greater skimming crime rewards in 2012. Network security holes aside, skimming schemes themselves will become easier, as wireless communications and Bluetooth technology have made it increasingly easier for fraudsters to remotely transmit card data once it's been skimmed.
Crime Rings Aim for Retail
John Buzzard of FICO's Card Alert Service says card compromises connected with skimming attacks are extremely volatile. Quickly identifying at-risk cards is the only way to thwart significant losses. "There is a growing compression of both ATM and POS card compromises concurrently all over the U.S.," he says. "We tend to pay attention to the majorly publicized stories; but it goes without saying that financial institutions all over the U.S., and particularly in the northeastern U.S., have suffered greatly at the hands of organized card skimming."
Pointing to 2011's skimming breaches at Michaels and Save Mart/Lucky Supermarkets, Buzzard says open communication between retailers and card issuers kept fraud losses and card compromises in check. "Once the fraud starts to occur, it just makes everyone's job easier when the retailers take a transparent and proactive approach," he says.
Those attacks have illustrated how critical the need for retailers to invest in real-time fraud monitoring is. The incidents also prove retailers have an incentive to move toward the Europay, MasterCard, Visa standard. "At least 50 percent of the card-present fraud is charged back to the merchants," Urban says. "They are now motivated to make a move to EMV because they won't see those chargeback charges. And there is more authentication with the chip, so that will help fraud as well."
A Security Soft Spot
As the Lucky's breach and countless others that target self-service payments devices, including pay-the-pump gas terminals, prove, any terminal that accepts credit and debit cards will be targeted by fraudsters. Even ATM vestibule doors, which read debit swipes for entry, are compromised with ease. [See HSBC ATM Skimmer Arrested.]
Lachlan Gunn, who heads the European ATM Security Team, says self-service payments terminals, including parking-ticket dispensers, pay-at-the-pump terminals, and railway or ticket machines, are more often getting hit by skimming. In Europe, these unmanned terminals are more of a focus for fraudsters than even ATMs.
But despite the fact that EMV and anti-skimming measures have displaced ATM attacks in those markets, ATM fraud continues. During the last six months of 2011, Europe saw upticks in low-tech ATM-fraud schemes, such as cash-trapping. Cash trapping, like it sounds, prevents bills from being dispensed. European ATM deployers are addressing the trend with physical ATM inspections and investments in enhanced tampering-detection technology.
Geo-Blocking and International Backlash
Despite innovative moves to curb card fraud in Europe, skimming remains a global problem. Even as fraud migrates and different global regions progress in their adoption of EMV, losses associated with skimming continue to escalate.
This year, Gunn expects more fraud migration and increasing losses, especially in the United States. Part of that migration will be spurred by steps European countries are taking to shut off mag-stripe acceptance as a way to reduce financial losses associated with skimming.
Some European deployers are shutting off mag-stripe reads all together to avoid having the information skimmed from an EMV chip-based card.
More European institutions in the Single Euro Payments Area have announced plans to block mag-stripes. To date, only Belgium has issued a national policy, but Gunn says more banks are issuing their own policies. "I do see various banks doing geo-blocking," he says. "You either block the cards in or you block the cards out."
If a European cardholder wants to use his EMV card in the U.S., she will need special permissions to allow the mag-stripe to be read.
The United States can expect skimming to increase. Why? Fraud will migrate from other parts of the world, where card security is more sophisticated.
Compliance with EMV in western Europe and parts of central and eastern Europe over the last five to 10 years initiated the migration of fraud. Now that EMV is the standard in neighboring Mexico and Canada, hits to U.S. card issuers and acquirers will be substantially higher. Card fraud linked to skimming will be the catalyst.
EMV in the U.S.
Movement toward EMV compliance, to address growing card fraud, is not far off for the United States. Visa and MasterCard have both issued soft dates for a U.S. movement toward EMV. MasterCard set an April 2013 deadline for all U.S. ATMs to be EMV compliant; and Visa announced compliance dates of 2013 and 2015 for U.S. merchants.
Last week, Visa provided EMV guidance and suggested EMV adoption best practices for U.S. merchants and card issuers.
In 2013, the responsibility for fraud losses will shift from the EMV card issuer to the acquirer. Given that stipulation, 2012 will see an increase in EMV activity, says Chuck Somers, vice president of ATM security at Diebold Inc.
"They need to look at brand reputation, and then prioritize the vulnerabilities they assess and address them in the order their risk analysis deems," Somers says.