Despite the concerted efforts of financial institutions around the world, ATM skimming fraud continues to be a growing problem. Skimming occurs when criminals "skim," or steal, data from the magnetic stripe on an ATM card during a transaction, usually without the cardholder's knowledge.
Skimming is a technologically sophisticated crime, requiring a technologically sophisticated response.
The criminals must devise and place an electronic card-reading device on an ATM, and observe the customer's PIN in some fashion, usually with a small camera, with a false PIN pad or by simply looking over the user's shoulder. With that data, crooks can withdraw cash from that customer's account, clone new debit and credit cards and sell the personal information to other criminal organizations.
The total scope of ATM skimming fraud is difficult to track. Nearly 70 percent of financial institutions that responded to a survey conducted by anti-fraud firm Actimize said they had experienced an increase in ATM/debit card fraud claims in 2008 compared with 2007, and those numbers were expected to increase in 2009. High-profile security breaches have focused attention on the issue. For instance, President Barack Obama cited the RBS WorldPay breach, in which thieves withdrew $9 million in 30 minutes, as the type of crime targeted by the United States' cyber-security initiative.
Recent headlines include New York City's Sovereign Bank losing more than $500,000 to skimmers, while a Romanian farmer was jailed in Australia for skimming $33,000 in that country.
What's distressing is those are only the losses that have been reported. The unknown, or at least unpublicized, losses are likely much larger. No financial institution is immune. Losses due to card skimming occur essentially everywhere ATMs are deployed around the world.
The European ATM Security Team (EAST) reported an 8 percent rise in ATM-related fraud attacks in 2009, in addition to a 149 percent rise in similar fraud attacks during 2008. Card trapping rose by 209 percent — increasing from 701 incidents in 2008 to 2,166 incidents in 2009 — while the total number of skimming incidents reported decreased by 1 percent over the same period.
However, despite the increase in incidents, EAST reported a 36 percent drop in ATM-related fraud losses in 2009, with total reported losses of €312 million ($400 million US), down from €485 million ($622 million US) in 2008. Annual losses due to card skimming have fallen for the first time since EAST began tracking them in 2004, down from €484 million ($620 million US) in 2008 to €310 million ($397 million US) in 2009.
ATM skimming, however, remains a primary security issue in the European Union despite the wide launch of EMV/chip-and-PIN technology, EAST officials say.
The ATM Industry Association launched an international anti-skimming forum to support the industry's response to the threat.
"Just over 4,500 of the 11,360 ATM crimes recorded on our global Cognito crime data management system for the 2005-2008 period involve skimming," Mike Lee, CEO of ATMIA, said in announcing the forum. "It's probably the most widespread crime type we face."
Protecting against skimming attacks has become a battle of wits with organized gangs of criminals. Unfortunately, stopping the activity in one place simply shifts criminal activity to other locations.
In the fight to stop skimming, one often-overlooked factor is that skimming is essentially a two-part crime. First, the customer's card data is stolen. Then, usually at a later time, the stolen data is used to withdraw cash or buy goods, often in another city, another country or online. So the thieves have to be technologically savvy enough to consummate both transactions, or have partners that can use the data.
Ultimately, stopping or even significantly slowing skimming activity will require attacking both steps in the process. Back-office systems that monitor card-usage patterns can help to detect fraudulent activities, stopping the payouts using the data from the skimmed cards.
"Banks have to protect the data from getting stolen, but the most significant measure that banks can take is to step up fraud detection systems to stop the payouts," said Avivah Litan, vice president and distinguished analyst at Gartner Inc., a Stamford, Conn.-based technology research and advisory company.
Litan promotes a multilayered approach to security that encompasses the entire ATM payment chain. But it's not that easy.
"Banks should buy new ATMs with anti-skimming devices, issue new cards with fingerprint technology and have back-office fraud systems that detect suspect patterns of behavior," she said. "But unfortunately, I don't know any banks that can afford to do all of that right now."
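One card-usage rule that a back-office system of the kind described above could apply to the payout half of the crime, shown as an added example that is not part of the original article: it flags a card used at two terminals too far apart for the time between the transactions. The `Txn` record, the 900 km/h speed ceiling, the 50 km noise floor and every sample transaction are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_KMH = 900.0  # assumed ceiling: roughly airliner cruising speed
MIN_KM = 50.0    # assumed floor: ignore terminal geocoding noise within one metro area

@dataclass
class Txn:
    card: str       # constructed card token, never a real card number
    when: datetime  # transaction time (UTC)
    lat: float      # terminal latitude
    lon: float      # terminal longitude
    terminal: str   # constructed terminal id

def km_between(a, b):
    """Great-circle (haversine) distance between two terminals, in kilometres."""
    dlat, dlon = radians(b.lat - a.lat), radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def flag_impossible_travel(txns, max_kmh=MAX_KMH, min_km=MIN_KM):
    """Return (previous, current, km, hours) for consecutive uses of one card
    that would require travelling faster than max_kmh."""
    last_seen, alerts = {}, []
    for t in sorted(txns, key=lambda x: x.when):
        prev = last_seen.get(t.card)
        last_seen[t.card] = t
        if prev is None:
            continue
        km = km_between(prev, t)
        hours = (t.when - prev.when).total_seconds() / 3600
        if km >= min_km and km > max_kmh * hours:
            alerts.append((prev, t, round(km), round(hours, 2)))
    return alerts

# Constructed sample transactions (not real data).
SAMPLE = [
    Txn("card-A", datetime(2010, 3, 1, 9, 0), 40.7128, -74.0060, "ATM-NYC-01"),
    Txn("card-A", datetime(2010, 3, 1, 10, 30), 35.6762, 139.6503, "ATM-TYO-07"),  # 1.5 h later
    Txn("card-B", datetime(2010, 3, 1, 9, 0), 40.7128, -74.0060, "ATM-NYC-01"),
    Txn("card-B", datetime(2010, 3, 2, 9, 0), 51.5074, -0.1278, "ATM-LON-03"),     # a day later
    Txn("card-C", datetime(2010, 3, 1, 9, 0), 40.7128, -74.0060, "ATM-NYC-01"),
    Txn("card-C", datetime(2010, 3, 1, 9, 5), 40.7580, -73.9855, "ATM-NYC-02"),    # same city
]

if __name__ == "__main__":
    for prev, cur, km, hours in flag_impossible_travel(SAMPLE):
        print(f"{cur.card}: {prev.terminal} -> {cur.terminal}, {km} km in {hours} h")
```

Only card-A is flagged; card-B's trip fits within a day of travel and card-C's two terminals are in the same city.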