Security expert offers a checklist of 20 items to consider when planning an anti-skimming project across an ATM fleet.
February 6, 2014 by Suzanne Cluckey — Owner, Suzanne Cluckey Communications
The richest, most consumerist, plastic-happiest nation on earth does not have EMV systems in place. But even in countries that do, most banks still issue cards with a mag stripe on the back — chock-full of accountholder data just waiting to be skimmed, striped onto counterfeit cards, and used to empty U.S. ATMs.
So, EMV or no EMV, skimming is still everyone's problem.
Dave O'Reilly knows how big a problem. As chief technologist at Fraud Technology Research Solutions, an Irish company dedicated to increasing the security of financial services, he is well acquainted with the numbers.
"In 2012 skimming was one-third of the fraud incidents at the ATM, but it was 98 percent of the losses because each individual skimming incident is so big in comparison with each card trapping and cash trapping," he told members of a workshop audience last month at Wincor World. "It really dwarfs the others as a problem. The average cost of a skimming incident including investigating and cleanup, is about $70,000."
FTR doesn't make or sell anti-skimming devices; rather, the company helps FIs determine which of the solutions already on the market best suit their security goals and risk tolerance. This work takes into consideration all three known types of skimmers:
Digital — "the oldest type of skimmer," these use a custom electronic circuit; a specific read head and a storage circuit specifically designed to capture, interpret and store magnetic stripe data.
The device can be applied to an ATM as a fake bezel or hidden inside the machine by means of a hole drilled through the exterior armor.
Analog — these skimmers use components from an MP3 player — often a Walkman, O'Reilly said. "They break it open, take out the circuitry, disconnect the microphone and attach a magnetic read head where the microphone used to be."
When a magnetic stripe passes over the read head the skimmer records the electrical signal, or "voice" generated by the mag stripe data, which is later decoded and striped onto a fake card.
Stereo — this analog variant uses two read heads to defeat the jamming signal from an anti-skimming device. One read head captures the jamming signal and the card data; the other captures the jamming signal only. Subtract the latter from the former and what's left is the card data.
The only apparent attempt at stereo skimming to date was a rudimentary device recovered from an Irish ATM, O'Reilly said, though it was "far from the best way to make a stereo skimmer." He would know, since FTR has built and tested one.
"[I]n certain cases where we weren't able to recover data with analog skimming, we were able to recover data with this technique," he said. "It's conceptually not that large a leap from analog skimming, so it's most likely only a matter of time before it's discovered in a broader sense."
FTR has identified 20 criteria for evaluating technologies designed to combat skimming threats. These fall under five subcategories:
Deterrence — How does it work? Can it be broken off and replaced with a skimmer? "Can you take the ATM out of service simply by a drunk guy standing on it and stomping on the anti-skimming technology?"
Operation — Is detection camera based? Metal detector based (if someone inserts their card while holding keys, will the machine shut down)? How effective is the jamming signal? Is the solution subject to tampering, say by cutting around the bezel and pushing it inside the machine, then applying a skimmer bezel? Can it be monitored?
Integration — What's involved in adding the technology? What if it relies on a USB port and your older ATM doesn't have one? Will it require software upgrades? What
Investment Protection — Does it have to be "binned" if a new skimming technique comes along? Can features such as sensors be added later? Does it support all ATMs? Does it come with extras like anti-card trapping and anti-cash trapping features?
Commercial — Can it be affordably implemented fleet-wide? Is it available now? How soon will it be available? Does it come with vendor support?
O'Reilly also enumerated the benefits that accrue when an FI selects the right solution for its needs:
There are solutions that can eliminate skimming altogether, including contactless cards and one-time mobile app-generated text or QR codes. But these have larger implications, O'Reilly said.
"The decision to do something like that would not be the fraud department's decision; they're very large strategic decisions ... But they're coming; absolutely they're coming."
And, of course, all banks could eventually issue chip cards without the mag stripe on the back. However, considering that today's cards still have raised characters in order to be backward compatible with carbon imprint machines that have hardly been seen in 20 to 30 years ... It'll be a while before anti-skimming devices become equally obsolete.
photo: calsidyrose
Suzanne’s editorial career has spanned three decades and encompassed all B2B and B2C communications formats. Her award-winning work has appeared in trade and consumer media in the United States and internationally.