Fraud fighters have spotted a new form of ATM skimming device that is so small it's easy for the human eye to miss.
The European ATM Security Team, a nonprofit organization that collects information on ATM fraud, reported this month that one of its country member representatives had discovered these so-called mini-skimmers. The fraudsters behind them are likely to send the stolen card data to the United States, where the information is easier to use since the EMV chip-and-PIN card security standard has not been adopted here. (Old-fashioned magnetic stripe cards are much simpler to create than newfangled EMV cards.)
Illegal skimming devices have long been placed into ATMs by crooks to steal card information obtained from the magnetic stripes. They're often used in conjunction with tiny cameras the criminals use to capture cardholders' PIN numbers. The new, sleeker device model poses an added risk to banks simply because it's hard to spot.
"The smaller the device, the more invisible it will be to consumers, meaning even those with a discerning eye would have trouble detecting the device," says Julie Conroy, research director at Aite Group.
To be sure, EAST reported only one member country spotting the sleeker fraud device in use. But the observation is a reminder that fraud tools — like most technologies — continue to get better with age.
"While most card skimmers are made to sit directly on top of the existing card slot, these newer mini-skimmers fit snugly inside the card reader throat, obscuring most of the device," writes famed security blogger and expert Brian Krebs on the mini-skimmer device discovery.
The report comes as manufacturer rivals Diebold and Wincor Nixdorf have partnered to create an ATM security association that will, among other thing things, provide information on recognized attack scenarios and potential threats in addition to advising members on how to the curb the crimes. Banks worldwide are invited to join the initiative to help prevent a threat that's plagued them for decades: A machine filled with cash is like catnip for criminals, and skimming has been the No. 1 way crooks steal data from consumers using the machines. Each attack, according to NCR, costs a bank $50,000 in losses.
Indeed, ATM card skimming scored high on the top security threats of 2013 for banks, according to the most recent Verizon Data Breach Investigations Report.
Skimmers are getting a big boost from 3D printers — which are printing everything from handguns to card skimmers, Verizon says.
"You can bet that if someone is able to make a plastic gun, card skimmers become almost trivial. These can be made without any major fabrication facility," says Chris Novak, managing principal of the risk team at Verizon Enterprise Solutions. "3D printers can be purchased legally online or in various electronics stores. Consumers can 'print' whatever they want from the comfort of their living room. And if that wasn't easy enough, the design plans for tons of items are already available online, so the most difficult task may be deciding what colors to use."
And the U.S. is more at risk: Unlike many other countries, it has yet to transition all cards to include fraud-fighting EMV chips, and criminals are looking for easier targets.
As Krebs put it: "Naturally, ATM hackers in Europe will ship the stolen card data over to thieves here in the U.S., who then can encode the stolen card data onto fresh (chipless) cards and pull cash out of the machines here and in Latin America."
The EAST report highlights a problem ATM manufacturers have observed.
Skimming "is becoming more sophisticated and more organized," says Owen Wild, director of security marketing at NCR. The ATM and digital banking software company has observed on service calls in the U.S. that ATM skimmers are getting smaller. "The [EAST] report validated a lot of what we have captured internally."
At the same time, ATM manufacturers say there are preventative measures banks can and do take that will help address the broad skimming problem — regardless of how small the devices are.
NCR, for example, introduced an anti-skimming tool in early 2013 designed to block criminal "listening" devices that capture card data and alert the bank when such a threat is observed. Like any security tech, it's meant to be used as part of a layered strategy.
"There will always be exploits," says Wild.
Aite's Conroy, meanwhile, says her firm has observed an increasing use of tech deployed by banks to combat skimming fraud through a number of methods, including using video cameras with behavioral analytics that alert security personnel if people are standing for an unusually long time in front of an ATM.
Such upgrades come as regulators have urged banks to strengthen their ATM fraud defenses in recent months.