The following is an excerpt from "Anti-skimming Technology and EMV for the ATM," a guide available for free download after registration.

With increasing sophistication, criminals are able to mimic the appearance of ATM fascias, card readers and other aspects that fool all but the most observant users.

Not long ago, ATM skimmers were ugly, clunky add-ons that gave themselves away. They often didn’t fit right, and looked as if they were made in a basement workshop. But that’s not the case anymore.

“Some criminals are machining their skimmers and they are as good as the original manufacturer’s bezels,” said Steve Bruno, vice president of financial solutions development and support for Nautilus Hyosung America Inc.

Some ATMs have installed mirrors to ensure that no one shoulder surfs for the number. Most customers are well aware of that scam, and ATM etiquette has developed so that people in queue to use the machine stand far enough back to ensure privacy.

Because customer education has all but done away with shoulder surfing, thieves have adopted a more technological approach. A common way to snatch PINs is with a small camera, hidden from sight, with a view of the PIN pad.

In a skimming attack in New York, the criminals affixed a mirror to the face of the ATM, ostensibly to help guard against shoulder-surfing attacks. However, hidden in the mirror mount was a small pinhole camera aimed at the PIN pad. Customers were lulled into feeling they were safe at that ATM, thanks to the security precaution of the mirror.

Video surveillance and dispute management solution
ATMeye^.iQ video security management solution reduces the risks of fraud and vandalism, resolves conflicts with clients, and allows monitor security events 24/7 to whole ATM network remotely. Watch ATMeye.iQ video.

Depending on the extent of the upgrades and the size of the ATM portfolio, adding anti-skimming devices can be an expensive proposition. From a systemic view, fortifying one section of the ATM network may simply shift the problem to another area.

“It’s not a cheap solution, and one of the things that scares people away is knowing that the investment in adding anti-skimming features won’t totally stop the problem,” said Nautilus Hyosung America’s Bruno.

A number of ATM manufacturers, Nautilus Hyosung and Diebold among them, have adopted the CPK + 6000 series anti-skimming product range from TMD Security as upgrades for legacy machines. The CPK — short for Card Protection Kit — incorporates a variety of technologies to make skimming difficult for criminals.

Available for motorized and non-motorized or dip card readers, the CPK uses radio frequencies to create a protection shield around the card entry slot, which disables any device placed on the card reader. That way, the ATM can remain in service, but the skimming attack is denied.

The CPK is triggered by the Surface Detection Kit, which detects any foreign device placed over the card entry slot. The SDK can detect a variety of materials, including plastic, paper, iron and wood.

Once activated, the CPK can send an alarm to an alarm panel. It also will track the number of skimming attacks at that location.

Diebold Inc.’s Opteva line includes a technology that can recognize a skimmer placed on an ATM card reader.

“It uses a proprietary algorithm along with a sensor to detect skimmers of basically any size or shape or material,” said Terrie Ipson, marketing manager for ATM security solutions for Diebold.

Once a skimmer is detected, security systems also can send an alert. Depending on the system, the alert can be sent to a monitoring center, to a branch alarm or to dispatch local law enforcement.

The Opteva, and the Personas line from NCR, also include a feature called jittering. Rather than smoothly accepting the card, the machine’s intake feature starts and stops in a rapid combination sequence, or a jitter. Any magnetic-stripe information that is copied at the card reader is useless because of the back-and-forth motion.

Jittering alone is no longer sufficient to protect the ATM. Criminals are circumventing jittering by using the DSP. Also, when a customer removes his card from a terminal, the action is typically done in a smooth motion, without jittering, enabling criminals to copy data from the mag-stripe.

Jittering also does not protect swipe-card and dip-card readers. Wincor Nixdorf takes a common approach to stopping skimming by taking the machine out of service if an attack is detected. Many of its machines have a plastic anti-skimming insert in the cardreader slot.

The insert is designed to prevent tampering but does not restrict usage by customers. If the insert is destroyed or the machine is moved by force, the machine is taken out of service immediately.

Protecting against skimming attacks has become a battle of wits with organized gangs of criminals. Unfortunately, stopping the activity in one place may simply shift criminal activity to other locations.