What happened to the good ole days when the magnetic stripe was king? Remember … those were the days when you didn't have to worry about ATM devices that skim or trap. In today's techie world, those days are long gone, and the mag-stripe's life is nearing its end.
Keep up-to-date on the latest ATM news.
Sign up for free, twice-weekly e-mail alerts
Technology advances have made the fraudster's job incredibly easy - creating and attaching or inserting a skimming or fishing device is fast and cheap. And since the mag-stripe has been around for three decades, fraudsters have had plenty of time to figure out how to compromise it, said Rob Evans, director of industry marketing for Dayton, Ohio-based NCR Corp.
For the last five years, Evans said, the use of foreign devices on ATMs to copy mag-stripe data has steadily increased in the United States. According to statistics collected by North Canton, Ohio-based Diebold Inc., global annual ATM fraud losses are estimated to be about $2.5 billion. In the United Kingdom, for instance, ATM fraud jumped 85 percent in one year, and ATM fraud losses in the country now cost about £61 million (U.S. $107 million) a year, according to BBC reports.
But the majority of U.S. deployers have only recently begun to take notice. Evans and Claire Shufflebotham, director of NCR's global security research and development organization, said card compromises at the ATM have hiked in the last six to eight months. And the two expect the spike to continue upward before it tapers off.
"NCR expects to see this surge continue as virtually every market around us migrates to chip-based cards for increased security for the cardholder," Evans and Shufflebotham wrote in an e-mailed response. "As well as the move to chip where fraud has been highest (in parts of Europe, Asia Pacific and Latin America), ATM deployers are starting to put other complementary security features in place to reduce fraud … which means that as criminals find it harder to beat, they will move on to easier targets."
The fraud shift
I think EMV is the only solution for skimming. But if one country does not have EMV, like the U.S., then you still need to use mag-stripe. ... if the mag-stripe is used, the card can still be compromised.
-- Cees Heuker of Hoek, Security and Logistics Support Specialist, TMD Security
Card fraud has historically been a bigger problem overseas. But now that the rest of the world is making the shift to the Europay/Visa/MasterCard standard, fraud is expected to explode in the U.S. (Read EMV: When will it hit the United States?)
Rather than at the ATM, card compromises in Europe took off at the POS in the '90s. But the experience proved that mag-stripe data is easy to copy. Since the shift to smart chip-based cards in Europe, drops in card fraud at the ATM and POS have been noticeable. According to Diebold, since France began issuing smart cards for ATMs nine years ago, ATM fraud has fallen approximately 90 percent.
The U.S. is the only country that isn't migrating toward EMV, which will hold chip-based technology back in the rest of the world. Until the whole world makes the shift, the mag-stripe will be hanging around for a while. Even if the U.S. initiates its migration tomorrow, most insiders agree it will be at least 10 years before the mag-stripe can be put to bed.
And that's good news for the fraudsters, said Cees Heuker of Hoek, a security and logistics support specialist for Curacao, Netherlands Antilles-based TMD Security. TMD, which opened its doors in October, manufactures devices that prevent fraudsters from skimming and fishing mag-stripe information at ATMs.
TMD's card protection kit blocks a skimming device from reading mag-stripe data, which keeps the FI from having to shut the ATM down for a period of time while the suspected compromise is investigated. The device can be attached to any ATM with no software upgrades, Heuker said.
The technology is catching on throughout the world, but not in the U.S. In fact, the majority of TMD's clients are in Europe. "We have more than 1 million transactions today that are protected by the CPK. It's all about protecting the ATM … from skimming and Lebanese loops," he said.
EMV, Heuker of Hoek said, will be the solution, once the whole world is onboard. "I think EMV is the only solution for skimming. But if one country does not have EMV, like the U.S., then you still need to use mag-stripe … so you will have mag-stripe and chips. But if the mag-stripe is used, the card can still be compromised."
The manufacturers' solutions
Manufacturers also are adding protections. Those with a strong global presence like NCR and Diebold have been working on security solutions for the last few years.
NCR is working with its global customers to provide holistic security solutions, Evans and Shufflebotham said. "The objectives of NCR's holistic security programs are to deploy technologies and business practices which secure the consumer, negotiables, transactions and cards. Each of these requires software, hardware, and business applications unique to their vulnerabilities in the ATM environment. … The most effective approach to security is to address the environment in total versus a piecemeal approach. … Criminals look to the path of least resistance, and we have seen criminals migrate from country to country to find softer targets."
The company's patented Intelligent Fraud Detection solution detects fraudsters' attempts to tamper with ATM components, including card readers and cash dispensers. "ATMs already make use of sensor technology internally, but this is a radically different solution with expanded detection capabilities for external foreign objects," said Andrew Orent, vice president of NCR's Financial Solutions Division, Americas region. "It is one step in a holistic approach that ensures no one point in the cash management cycle is perceived as more vulnerable than any other point."
Both Diebold's Opteva and NCR's Personas lines detect tampering and are equipped with light sensors on card readers and dispensers that flash to let users know the ATM has not been tampered with.
Jittering - a feature on Opteva and Personas - is another way manufacturers are protecting cards from compromise. Jittering affects the card's intake. Rather than smoothly accepting the card, the card's intake feature starts and stops in a rapid combination sequence. Any mag-stripe information that is copied at the card reader is useless because of the back-and-forth motion.
Anna Istnick, Diebold's senior product marketing manager for self-service terminals and ATM security, said long-term method testing is key, since fraudsters, if given enough time, always find ways around security technology. "There's a lot going on with devices that fit on to the ATMs to detect a foreign device - like radio frequency technology. But you have to be sure it can be operational in the real world. It needs to be tested and applicable to the environment where you're going to place it."
Digital video surveillance is a literal way to keep an eye on the ATM. Companies such as Chino, Calif.-based DVR.com are putting out video that can be burned to CDs or DVDs, said Orlin Cohn, DVR's technical manager. But, Cohn added, many FIs are still using outdated video-tape surveillance.
"Traditional videotape is more widely used in banking and on ATMs," he said. "The reason is because companies are not aware this technology exists. … Anyone who has ever had an incident or emergency and had to retrieve video footage for law enforcement will agree that it is a very cumbersome experience. Pushing buttons back and forth, searching, trying to locate the exact moment that something happened was nearly impossible."
Digital video, on the other hand, can be burned to CD or DVD, is time and date stamped and is easy to retrieve. It's not that expensive either, said Cohn.
But staying abreast of security technology is a challenge for many FIs and deployers.
The ATM Industry Association is working to get its hands around ATM security. It's taking a lead role in educating the industry about security breaches and fraud. The industry's Global ATM Security Alliance now has a virtual fraud library, which is part of Cognito, GASA's global ATM crime data management system. (Read also: ATM scams added to GASA's fraud library and GASA opens online ATM fraud library)