An automated teller machine skimming scam exposed last week is shining a light on the never-ending "arms race" in security technology.
NCR Corp. has said it widened the gap a year ago with the introduction of its tamper-resistant SelfServ line, which is equipped with a fraudulent device inhibitor — a design feature meant to thwart skimming devices that fraudsters affix to ATMs' card slots to glean card data. Skimmers are often paired with cameras to steal customers' PINs.
The fraud inhibitor is a translucent green, illuminated card slot that requires the card to be inserted so deeply that traditional skimming devices cannot read them. Earlier NCR models can be retrofitted with an inhibitor, and in the year since the feature was introduced, NCR has documented fewer incidents of skimming.
Last week, Sean Seibel, a customer of JPMorgan Chase & Co., found a device tailor-made to thwart NCR's inhibitor attached to one of the banking company's Manhattan ATMs. The NCR machine had been fitted with a skimmer made from "the exact same, matching translucent green plastic" as the inhibitor, Seibel said, and a camera was hidden behind a mirror.
Seibel said the skimmer was invisible to him until his card snagged on it. "I wouldn't have paid any attention to it if it was installed correctly," he said.
JPMorgan Chase would not discuss the incident but confirmed that a skimming device had been reported at the branch last Tuesday.
Rob Evans, NCR's director of industry marketing for the financial self-service group, said that skimming is "a perpetual challenge." The SelfServ products have several features "that make it tougher for a skimmer," he said. "I say tougher, not impossible." Evans said other translucent green skimmers have been found on SelfServ machines.
Though criminals might be expected to seek out easier targets, the prevalence of NCR's machines make them appealing, Evans said. "There are more of them to use as models and targets," he said. "If you can figure out a skimming solution that goes on them … you should have a pretty good haul."
To further combat skimmers, NCR has developed other anti-fraud applications. Its Intelligent Fraud Detection technology examines the electrostatic and infrared signature of an ATM's face to detect any modifications in the machine. Electrostatic scanning detects electronic devices such as skimmers, and the infrared technology picks up other modifications.
An enhanced card drive, or "jitter," alters the speed and angle of the card as it is inserted, scrambling and making useless any data a skimmer obtains.
The fraud inhibitor is standard on SelfServ ATMs, but jitter and Intelligent Fraud Detection are optional, and have gained only cautious acceptance, in part because they can lead to customer service issues.
Jitter is perceptible to customers, who might mistake it as a sign of damage, Evans said. And NCR is still tinkering with the threshold settings for Intelligent Fraud Detection to avoid triggering alerts for normal customer interactions and environmental electronic noise.
Customer education can smooth the introduction of a technology, he said, but "you're walking a fine line when you do that between informing the customer and scaring the bejeezus out of them."
Despite NCR's efforts to stem fraud through improved technology, "the expectation that we can fix this problem by good ATM technology … might be a little bit of a canard," Evans said. "So long as we're reliant on two-part authentication — card and PIN — we're going to continue to struggle here in North America."
A move to chip cards as in other countries would improve security, Evans said. Chips can store a brief transaction history, which can be compared to the card's account and used to determine if the card has been been duplicated.