CONTINUE TO SITE »
or wait 15 seconds

Article

Are you keeping ATM security threats in check?

It's your move: Download the free guide, 'ATM Fraud and Security 101,' a primer on the latest criminal threats and strategies for preventing them.

December 3, 2015

Protecting ATMs from against thieves is an endless game of chess: Criminals come up with new attack methods, deployers counter with new deterrents; ATM-makers add new security features, crooks invent new ways to get around them.

            Get the free guide now

It can be hard to keep up.

To help financial institutions and independent deployers identify and mitigate current threats, ATM Marketplace has developed the new guide,  "ATM Fraud and Security 101," and is offering it for free download as a service to our readers.

The 32-page guide includes up-to-date information about: 

  • attack methods;
  • security upgrades and compliance; and
  • fraud prevention technologies.

In addition, it provides recommendations and a helpful overview of ATM security providers and products. 

Following is an excerpt from the introduction to the guide.

The U.S. is experiencing a surge in ATM fraud before the country migrates to EMV.

MasterCard and Visa have established deadlines for shifts in counterfeit card fraud liability for U.S. acquirers who don't upgrade their ATMs and POS terminals to meet EMV specifications.

The deadline for merchant POS terminal EMV migration is October 2015; MasterCard and Visa have set October 2016 and October 2017, respectively, as deadlines for U.S. ATMs. (In addition, U.S. fuel dispensers face an October 2017 EMV migration deadline.)

After these deadlines, if an EMV card is used fraudulently at an ATM that doesn't support EMV, the acquirer will be liable for the issuer's fraud losses. ATM deployers who do not migrate to EMV risk being shut out of their acquirer's network.

Lack of EMV readiness

According to an August 2015 atmAToM.com blog by Darryl Cornell, president and CEO of Long Beach, Mississippi-based ATM vendor Triton Systems, many U.S. merchants aren't upgrading to EMV, despite the fact that processors are mostly ready.

"A July 2015 Wells Fargo/Gallup Small Business Index survey found that only 49 percent of small merchants (under $20 million) are even aware of [the October 2015] EMV POS liability shift deadline," Cornell wrote.

"Nearly 70 percent of merchants aren't ready [for EMV], and over half of those unprepared merchants will either be late to the EMV party or have no intentions of upgrading their POS terminals. Presumably, these same merchants are also not in a hurry to upgrade their ATMs or fuel pumps. Given that accumulated chargebacks can take as long as 90-days to work their way through the system, look for the first howls of merchant liability shift pain in December 2015."

According to Cornell, vendors are reporting that nearly all new ATMs sold in the U.S. in 2015 have been equipped with EMV card readers.

"Most banks are moving forward with their EMV upgrade programs, which in many cases were accomplished along with Windows 7 upgrades," Cornell wrote. "However, anecdotal reports indicate that fewer than 10 percent of retail ATMs are currently EMV-ready. While there has been movement on the part of larger IADs to begin purchasing upgrade kits and replacement units, most IADs plan to wait until 2016 to begin upgrading their own terminals.

"Even if this does happen, convincing merchants to upgrade or replace their owned ATMs will likely prove to be heavy sledding. Look for a serious contraction in retail ATMs beginning in late 2016 as sponsor banks, processors and IADs pull the plug on non-EMV terminals rather than chasing merchants for fraud losses."

US fraud data

In May 2015, U.S.-based credit scoring and fraud analytics software firm FICO warned that cardholder data theft at U.S. ATMs had reached its highest peak in more than 20 years.

According to FICO, between Jan. 1 and April 9, 2015, debit card data theft rose by 174 percent at U.S. bank-owned ATMs compared year-over-year and by 317 percent at nonbank ATMs.

However, during the same period, card data theft at POS terminals in merchant locations dramatically declined by 81 percent, FICO said.

"We're seeing a lot of fraud in the U.S. as criminals try to exploit the lack of EMV protection before it is implemented in the U.S., and before the liability shift at the point of sale takes effect," said Martin Warwick, FICO fraud chief in Europe, the Middle East and Africa. "Having EMV will make the mag stripe data less appealing to criminals."

Canada

Triton's Cornell wrote in an ATM Marketplace blog that Canada saw positive results from its migration to EMV.

Citing statistics from Interac, Canada's domestic debit card scheme, Cornell wrote that Canadian domestic debit fraud at ATMs averaged nearly CA$2,400 ($1,822) per terminal in 2009.

"By 2014, two years after Canada's migration to EMV, that figure had been slashed to a mere CA$33 ($25) per terminal," he wrote. "An interesting aside is that all non-EMV ATMs were turned off by Interac in December 2012 — a reduction of nearly 1,000 terminals."

Europe

In July 2015, the European ATM Security Team published the second of three European fraud updates for 2015. The report was based on ATM crime statistics gathered in June 2015 from 19 countries in the Single Euro Payments Area (SEPA), and from two non-SEPA European countries.

Card skimming at ATMs was reported by 17 countries, with decreases reported by seven countries and increases by two, EAST said. Six countries reported card data compromise through wiretapping or "eavesdropping," in which criminals cut a hole in the fascia by the card reader, insert a device that is then connected to the card reader, and cover the hole with a fake decal.

In its July report, EAST said that the trend of skimming-related losses occurring outside of EMV chip liability shift areas continues. These losses were reported in 49 countries and territories outside SEPA and in 10 within SEPA. For the first time, Indonesia was the top location for such losses, displacing the U.S. The Philippines ranked third.

Fourteen countries reported cash-trapping attacks, and seven reported incidents of transaction reversal fraud, which involves an error condition being created at the ATM, which makes it appear that cash won't be dispensed, EAST says. This forces a re-credit of the amount withdrawn back to the account when, in fact, the criminal gets the cash through the insertion of a device or by manual manipulation of the ATM dispensing mechanism.

Four countries reported ATM malware incidents, which involved ATM cash-out or "jackpotting" (see Chapter 2 Malware, page ?). In two countries, these were first-time occurrences.

Nine countries reported Ram raids and ATM burglary. Eleven countries reported explosive gas attacks; two also reported attacks on ATMs using solid explosives.

The UK

In 2014, the percentage of fraudulent transactions occurring outside of the U.K. on debit cards issued within the U.K. rose by 25 percent, according to a FICO study cited by ATM Marketplace.

In a study of 52 million active U.K. debit cards, FICO said it found that fraudulent cross-border transactions accounted for nearly one-third (31 percent) of all fraudulent transactions in 2014, compared with 23 percent in 2013.

Citing an "unprecedented spike in fraudulent U.S. ATM cash-outs," FICO said the U.S. accounted for 47 percent of all fraudulent cross-border transactions on U.K. debit cards in 2014. But while it ranked first for the number of fraudulent cross-border transactions on U.K. cards, the U.S. ranked only third for cross-border transactions on U.K. cards overall.

While 24 percent of debit card transactions occurred at ATMs, 12 percent of fraudulent transactions came from ATMs, FICO found. Still, ATMs topped the list of merchant categories for fraudulent debit card use.

FICO's Warwick said that an "alarming" rise in cross-border fraud demands new technology, such as proximity location services that can identify whether the customer's mobile phone is in the same place as the transaction in progress.

The cards in FICO's sample represented 5.6 billion total transactions worth 306 billion pounds ($474 billion), a 5 percent increase in spending compared to 2013. Total fraud losses for the cards in the sample decreased 7 percent to 156 million pounds ($242 million).

Download the free guide to continue reading.

photo istock

Included In This Story

Triton Systems

Triton FI based products • NO Windows 10™ Upgrade • Secured locked down system that is virus/malware resistant • Flexible configurations - Drive-up and Walk-up • Triton's high security standards • NFC, anti-skim card reader, IP camera and level 1 vaults are all options • Triton Connect monitoring • Lower cost

Request Info
Learn More

Related Media

Security
Examining biggest ATM security issues and 4 strategies to prevent them
Security
Banking privacy: 5 benefits for banks, customers
Security
Protecting an ATM's hardware, software by slowing down criminals
On-Demand Webinar
A Masterclass in ATM Security: Global Best Practices and Trends
Presented by Diebold Nixdorf
Recent Posts
Eurasian Bank selects Diebold Nixdorf's self-service software
First National Bank to open 30 branches
Replacing the ATM: Pros and cons of new vs. remanufactured
Romanian man arrested for alleged cash trapping ATM scheme
U.S. Bank resumes crypto custody services


©2025 Networld Media Group, LLC. All rights reserved.
b'S1-NEW'