Card skimming attacks, the No. 1 ATM fraud that has long plagued financial institutions, are increasing in frequency all across the U.S., according to ATM manufacturers.
On July 23, NCR Corp. issued a security alert to draw attention to the growing problem in America and in Mexico. Rival Diebold also said it has observed a steady increase in skimming attacks in the U.S. for the last couple of years. Operators lose $50,000 per attack, according to industry members.
"This is a significant problem that is becoming more prevalent and we want to make sure customers are aware and take preventative measures they can and should take," said Owen Wild, director of security marketing at NCR.
These findings come on top of FICO reporting in May that debit card compromises at ATMs on bank property were 174% higher in January to April of this year, compared to the same period last year. Sure, not all of those attacks are skimming; but the credit-scoring and analytics firm said the vast majority of them are.
NCR believes the attacks are growing in the U.S. because it's an easier target. Wild said operators in America have yet to deploy as many anti-skimming technologies and techniques as other countries have. And many operators have yet to implement EMV chip technology at ATMs with the liability shift still at least a year away. (MasterCard's ATM liability shift date is October 1, 2016 and Visa's is October 1, 2017. However, most ATM operators accept both, which makes 2017 irrelevant for most, because they have to be compliant for MasterCard anyway.)
And criminals, of course, are always on the hunt for the weak link.
"Organized crime rings have P&L targets just like the rest of us," said Julie Conroy, a research director at Aite Group.
Skimming the magnetic stripe data at the ATM has long challenged banks but some of the attacks are getting harder to detect because the devices are smaller, while the criminals are becoming more sophisticated.
"We're getting to the point you can't call it skimming," said David Tente, executive director at ATM Industry Association. "It's more like cyberattacks."
And anti-skimming devices sold by ATM manufacturers are unable to defeat all the crimes, Tente said. One of the techniques is called "stereo skimming," for instance. In such an attack, the criminals can record the card data and jamming signal, the latter of which is supposed to thwart attacks.
But that is just one of many kinds of skimming techniques.
In an alert NCR sent to banks, credit unions, independent deployers and other industry partners, the ATM manufacturer urged operators to be on the lookout for bezel mounted card skimming devices. The alert read: "In this attack the skimming device is part of the false overlay bezel. This bezel is attached on top of the legitimate card reader bezel. In addition some form of device or method is also installed to capture the user PIN data."
There are numerous countermeasures to skimming attacks, including the way consumers are authenticated at the machines.
WSFS Bank, BMO Harris, and Wintrust Financial are among the institutions using technology from FIS that eliminates the need to insert physical cards into ATMs, for example. Rather, consumers use their mobile phones to identify themselves at the machines. These banks view the enhancement as protection against skimming fraud.
But the newer authentication method is hardly mainstream and it will take time for consumers to switch their ATM habits, if they do.
So others view the inevitable shift to EMV as another way to tackle the growing threat head on. Nearer-term solutions can include deploying anti-skimming devices into the machines and making sure branch employees are regularly inspecting the ATM for skimming devices, say observers.
But there isn't a cure-all.
"Crooks always find another way to get you," said Tente. "It never goes away. It just changes what it looks like.
"Skimming is still No. 1 fraud issue and it probably will be for a while. We won't get rid of the mag-stripe for some time."