ATM Skimming: 8 Tips to Fight Fraud

Banking Institutions Must Take Preventive Measures
Despite the recent bust of an alleged skimming ring, ATM fraud is on the rise and shows no sign of abating.

But one industry expert has a list of incident response tips for financial institutions that want to fight back against ATM skimming attacks.

Mike Urban, Senior Director of Fraud Solutions at FICO (Fair Isaac Corporation, the provider of credit scoring), says all types of ATMs - and even pay-at-the-pump gasoline stations - are under attack by tech-savvy fraudsters.

"As I have seen, [fraudsters] pretty much go after anyone; it's not one manufacturer or one model," Urban says.

Several skimmers have been found in the last month at gas stations around the country, where criminals are placing readers to capture the PIN and the card number before the PIN is encrypted. "I predict we're going to see more of those," he says. "They are targeting the weakness of the mag stripe, and that will be something we have to live with until a better solution is developed."

The Skimming Trends
The current trend began slowly, says Urban. Several years ago, the targets were primarily off-premise ATMs. Criminals could buy ATMs, place skimming devices in them and collect card and PIN information. But when the encrypting PIN pad and other advancements in technology changed how PINs were protected, criminals began focusing on financial institutions' ATMs.

Recent arrests show the criminals perpetrating these crimes are from Eastern Europe. "A lot of the techniques and a lot of the technology they are placing on the ATMs are coming from Eastern Europe," Urban says. "Those criminals have been targeting financial institution ATMs for years, primarily because those are the kinds that are deployed -- there aren't as many stand-alone ATMs in Europe."

Criminals placing skimming devices will target an ATM for a day, a weekend, or another short period of time. They then usually move on to other ATMs of the same make and model, which fit the look of the skimming device. The devices are much more sophisticated than previous skimming devices, he explains. "They also use the same paint coatings, so they are getting access to that information somewhere -- those compounds that generally aren't available at a local hardware store. You can't go in and order ATM gun metal grey paint. There is a real industry around the creation of these ATM skimming devices."

Urban says he's seen the Internet forums that offer the specially made devices. "I've seen examples of the IRC chat rooms where these devices are offered for sale. They usually are offered at about $2000 apiece, and they are very sophisticated, much more like a part of the ATM than ever before."

The Challenge for Banking Institutions
Many financial institutions don't invest in real-time fraud monitoring of PIN-based transactions, Urban says, because traditionally risk has been lower. His advice: Institutions need to take a hard look at where they're going to spend monitoring money. "By now I mean getting ahead of the curve before the fraud starts to happen, and get PIN-based card transaction monitoring in place."

In terms of thwarting attacks, Diebold's "jitter" technology has been effective, Urban says. With this approach, the card is drawn back and forth as it is pulled into the ATM reader. "It is best out there now, because it breaks up the card going in and out of the machine," Urban says. "Even if a skimmer was placed on the outside, they would only get parts of the stripe, not all of it at same time -- they would only get pieces of it as it goes forward and backward."

But even this technology advancement won't stop a determined criminal. It is a cat and mouse game, and from what Urban sees with increased skimming in the UK and Canada, "We're going to see significant increases in skimming."

Incident Response Tips
Action items for banking institutions include:

  • Have a Plan -- for what you do if you find a skimming device on one of your ATMs.

  • Document the Plan -- listing everything that should happen, people to be contacted, actions to be taken.

  • Educate Your Branch Employees -- If a device is found, all employees should know what to do and what not to do. Educate branch employees and third-party vendors, as well as ATM servicers. Make sure they are monitoring the outside of the ATMs for residue or devices that actually are on the ATM.

  • Inspect All Locations -- frequently, checking the fascia and surroundings of the ATMs, making sure nothing has been added or moved.

  • Set ATM Standards -- including visual standards for all ATMs in all branches. Keep it standard. Take a photograph of each ATM, inside and outside. Show employees what it should look like, so ATMs can be quickly examined to see what may be out of place. "It sounds like a bit of overkill, but a picture is worth a 1000 words," says Urban.

  • Don't Touch Skimmer If Found -- Contact law enforcement if a device is found on the ATM. Tell employees to not touch it or pick it up or pull it off the ATM. Secure the area with bank robbery tape until law enforcement arrives.

  • Be Vigilant At All Times -- Increase your checks on ATMs, especially if you've heard of ATM skimming in your area. If there are reports of ATM skimming, increase the number of checks. Even if there are no reports, have employees check ATMs in off-hours and over weekends, which are prime times for skimmers to be put on ATMs.

  • Contact Other Institutions -- Share information with local and regional institutions about what's happening at your branches and make sure they share information with your institution.

About the Author

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.



