ATM Skimming: How to Fight BackADT Director Highlights Steps Organizations Can Take
"It's taking a hard look at the reality that this crime is going to continue to grow," Pearce says in an interview with BankInfoSecurity.com's Tracy Kitten [transcript below].
Three simple solutions that aid in the protection of ATMs are decals, inspections and education. Decals, a more recent skimming solution, are designed to fit against the card reader slot of a bank's ATM with a public notice attached. "[It says] to be aware of what ATM skimming consists of, what it can look like, and if any part of this decal is obscured by any kind of foreign device, please call the following number," Pearce says.
Banks also have recorded images of what the ATM should always look like, and employees routinely conduct inspections of the machines to ensure they haven't been tampered with. Educating the bank's staff and customers is essential in preventing fraud from occurring as well, and the decals are a good start.
ATMs have technologies installed within them to detect and prevent skimming. These devices are usually internal, out of sight of customers and criminals, and serve two functions. They render the skimming card reader useless and they provide a detection technology that senses the presence of any massive device that would be placed in or around the card reader slot.
During this interview [transcript below], Pearce discusses:
- Card skimming and why criminals have made cards easy targets;
- Customer and employee education;
- Investments banks are making in skimming-prevention solutions and technology.
Pearce is a director of financial services for ADT Security Services. A 25-year veteran in the security industry, he is a frequent contributor to financial media on security and risk topics. He also directs the ADT Financial & Banking Symposium, an industry education forum that focuses on security and operational issues impacting financial institutions.
ATM SkimmingTRACY KITTEN: Before we jump into the line of questions, could you give our audience a little primer on card skimming? When I talk to sources in the industry about card skimming, we often include incidents that revolve around the interception of card details. Can you explain a little bit about how these new technologies are fitting into the overall definition of card skimming?
JOHN PEARCE: I'm happy to do that. You've picked up on an important point when it comes to the merging area of electronic crime in banking, retail and other areas. When it comes to the case of skimming, in particular card skimming, what we have to recognize is that there is a physical contact at the beginning of the skimming episode in which the magnetic stripe data, the personal financial data of the card holder, is actually skimmed by the skimming device and the PIN information contained by the miniature cameras that are placed in the vicinity of the ATM, just as surely as the card is legitimately used in the ATM to record the transaction. There is physical contact in the sense that the mag-stripe is the medium that allows skimming to take place. Bluetooth technology is the new method of distribution. The data is wirelessly sent to the cybercriminals around the corner who now are downloading up to twenty-five hundred transactions of video footage and PIN entries from PIN cameras, as well as the card skimming devices which are downloading all of the personal financial information from the card itself. That includes, in addition to the mag-stripe information, the CVC information, which is the verification code that's part of the card, the two-to-three digit code that we're asked to address when we make a retail transaction with the card. This is how the actual information is transferred. Bluetooth is just the current methodology to make that happen.
KITTEN: When we do a comparison to some of the old ways that these fraudsters were transmitting card details versus the new ways, how prevalent is the Bluetooth technology or wireless technology that transmits those card details?
PEARCE: Certainly wireless in particular. Bluetooth is much more prevalent these days. In here we're talking about three to four years ago as the old days. All that data was contained on the device itself, which made sure it was a larger device placed on the machine. Now with today's Bluetooth technology, the actual skimming devices can be much more miniaturized, smaller and more advanced with more capacity. Bluetooth is just a medium that pushes it out instantaneously to the receptacle, which is the laptop around the corner.
KITTEN: The smaller those devices are, the easier they are for the fraudsters to hide. One thing I wanted to ask you relates to some of these trends that you're seeing, as far as card skimming is concerned and some of the technologies that they're using. I wanted to talk about, not just what we're seeing in the United States, what we're seeing throughout the world when it comes to card skimming.
PEARCE: Card skimming, particularly ATM card skimming, has been taking place for the last eight to ten years. It principally started in Europe, where you've seen an extension of what we have in the U.S., based on the mag-stripe systems, versus the European systems. They've converted successfully in their card payment systems to EMV, or so called chip-and-pin technology. Since EMV, chip-and-pin technology has been instituted throughout Europe. There has been a decline over the last two years in skimming ratios and skimming attacks. Unfortunately, we're starting to see the ability for technology, at the criminal end, to pick up on that to create a greater resiliency against that skimming technology. Here in the U.S., where we are entirely mag-stripe based, we are at the vulnerability of the cybercriminals who recognize no time soon is the US going to convert its entire card payment system to something other than mag-stripe technology.
KITTEN: You've kind of answered my next question, which was what unique challenges do the U.S. markets face, especially when we take a look at the lingering magnetic stripe and some of the card technology that we're using here.
PEARCE: It's a unique challenge, for ATM managers at financial institutions in particular as well as retailers who manage their own ATM network's tab, as to how they balance outside of the crime, which is growing exponentially each of the last four years. They're realizing they're working in the same platform of magnetic stripe, so how they are getting through that is constantly coming up with new ways to train and orient their staffs and educate their customers as to the problem at the card reading and at the ATM. They need to deploy companies who create technology that can help overt and mitigate the process.
Hotspot ATM Locations for FraudKITTEN: I know that ADT often focuses on branch security, working with financial institutions, but I did want to ask a question about ATM skimming, because we often times in the industry make a difference between on premises, or in-branch ATMs, and those ATMs that are located off premises or in retail locations. I think the perception in the industry often times is that retail ATMs are perhaps less secured. But in reality, the ATMs that happen to get hit most often are the ones that have the highest transaction volume. Those that have the highest transaction volume are often times the ATMs that are located on premises, actually in-branch locations. How do you help to explain that to the industry, or how do you help to get that information out to the industry, and what types of measures are you seeing institutions, retailers, or both take to help combat fraud in some of these ATMs?
PEARCE: That has been an important distinction between retail and branch ATMs in the past. Unfortunately, the cybercriminals don't make the distinction. Their keen interest is in their business people at the end of the day, so they are always going for the greatest return on their investment whenever they are skimming the inventory. They are looking, as you pointed out, for the highest volume, high transaction ATMs, which they don't care whether they are at an airport ATM, mall ATM or a drive-up ATM in a banking operation. They are looking for the greatest application of their technology, which according to the Secret Service is netting an average of at least thirty-three thousand dollars in losses per skimming transactions for ATM, which is a significantly increased figure from just two or three years ago. What banks in particular are starting to do is recognize, train and orient their teams and staffs against the problem.
Fighting FraudKITTEN: And how are retailers and bankers working together to curve fraud, or what measures are you seeing bankers take to educate retail locations about ATM skimming?
PEARCE: We are starting to see a variety of educational aspects taking place, particularly from the banking institutions. It's not only just the training and procedures of their branch teams. In many cases they are instructed to conduct individual ATM inspections on a daily basis. They will have actual recorded images of what the fascia of the ATM is to look like so they can quickly do a personal inspection of the ATM area. They will use a surveillance system which is trained just on the ATM in the vestibule area. Most recently I've seen in terms of education the usage of decals that are public disclosure decals from financial institutions. They are designed to fit snuggly against the card reader slot of the bank's ATMs with a public notice to be aware of what ATM skimming consists of, what it can look like, and if any part of this decal is obscured by any kind of foreign device, please call the following number. So it's a very good deterrent, not only to prevent the crime, but also to educate the card holders on the nature of the crime among ATMs.
KITTEN: I would like to take a step back and look at the overall fraud picture from a higher level. Where does card skimming fraud fit into this overall fraud picture that financial institutions are dealing with in today's market place?
PEARCE: Electronic fraud is the fastest growing part of the white collar/blue collar trend among financial institutions. We've already reported that the Secret Service reports at least a billion dollars in fraud related losses, which makes it one of the highest and certainly fastest growing components of electronic crime. I'm also looking at some other reports that explain that card skimming is considered a top three concern in terms of severity of losses. Gartner, which is a great market research firm, reported that at mid-year 2010, fraud from counterfeit debit cards, which was principally initiated by skimming attacks, was up 100% from the year before. This all strongly suggests how this is exponentially a growing problem among our ATM networks and any of our mag-stripe card-based outlets.
Fraud Solution TechnologiesKITTEN: What solution technologies are out there, and what do you see banks and credit unions investing in to help curve these fraud trends?
PEARCE: There are a number of technologies, a combination of detection and prevention technologies, that are installed within the ATM, out of sight of the user and criminal, which serve two functions. One is to help prevent the crime from taking place by rendering the skimming card reader useless unless against the downloading of data, and the other is to provide a detection technology that senses the presence of any massive device that would be placed in or around the card reader slot. Those two forms of detection and prevention are from a technology standpoint, the center piece of a good anti-skim program. It's also aided in fact that we have to bundle and add more layers of security, and there in lies the importance of video surveillance to help go back and sync up to the crime so that law enforcement can be aided in the investigation. This is a very difficult crime to investigate. It eats up a lot of soft costs that the banks' security departments have to exert against it because it's such an invisible, almost flooding, crime. Is it your card? Is it my card? Is it your ATM or my ATM? Whose ATM is it? It's very difficult to investigate, but surveillance helps us pinpoint the nature and the identity of the criminal, and helps to start bringing some of these cybercriminals to justice.
It's been reported that the Secret Service has experienced over 5,000 arrests in the last four years for skimming attacks alone, and I think this just speaks to the nature and the growth of the crime.
KITTEN: And in closing, I'd like to go back and talk a little bit about the history of skimming. It's something that's been around for quite some time relative to some of the new emerging fraud threats that we've seen in the online environment. But as we look out to 2011 and we watch this type of skimming fraud evolve and change, what do you see as being the top ATM skimming concerns, threats and trends that financial institutions should be concerned about?
PEARCE: The top threat has to be the increased use of technology. As that advances from the cybercriminal's standpoint, it makes it increasingly difficult to mitigate. Crime as you know reaches its own level of resistance, and the cybercriminals are really stretching the boundaries of the kinds of attacks that they're able to execute against mag-stripe conditions, particularly in the U.S. It has to be a situation in which our major ATM enterprises and our major banks have to spend. And they are spending more time in orienting their staff and their teams and using technology to counter the explosion of this crime, because invariably it comes back to impact relational conditions with our customers.
It's taking a hard look at the reality that this crime is going to continue to grow. What are the steps that can be taken through technology, training and other education solutions to help mitigate and curve the crime?