What's in your ATM anti-skimming arsenal?

Our latest webinar replay examines new and emerging skimming threats — and the importance of an anti-skimming strategy that doesn't ask any single technology to safeguard against all of them.

March 15, 2016 by Suzanne Cluckey — Owner, Suzanne Cluckey Communications

"You don't bring a knife to a gunfight."

The same principle applies to fighting ATM fraud: The defense has to match the type of attack — and there are several types, potentially calling for multiple modes of defense.

In a free webinar on March 15, sponsored by TMD Security and hosted by ATM Marketplace, presenters Tom Moore and Robin Hamstra examined skimming methods — from the well-known to the just-emerging — and the anti-skimming technologies that are effective against them. 

Moore is managing director for TMD North America; he works with channel partners, manufacturers and deployers to evaluate and deploy security solutions. 

Hamstra is sales director for EMEA, and one of the original members of TMD Security. He works with clients to integrate fraud prevention measures into ATMs and self-service terminals.

Moore kicked off the session with a look at the effects of EMV migration on skimming crime. As promised, EMV has greatly reduced counterfeit card-related losses in the countries where it has been implemented. However, it has not ended EMV card-skimming there. Criminals continue to skim magnetic stripe data from EU bankcards and counterfeit them for use in non-EMV countries (most notably, the U.S., Indonesia and the Philippines).

The result: in 2014, a 20 percent increase in fraud losses from cards issued — and skimmed — in the EU and used abroad to steal a total of $309 million from non-EMV ATMs. 

"This trend is likely to continue until all regions have fully implemented EMV and the magnetic stripe has been removed from our cards," Moore said.

That won't happen any time soon. The discussion about mag stripe sunsetting has only begun in Europe, where virtually all ATMs are EMV compliant. It will be years yet before the world's largest bankcard market — the U.S. — reaches full compliance with the EMV chip standard.

Moore also reviewed the most common ATM skimming technologies for which the European ATM Security Team has released standardized definitions and designations. These include:

  • M1 — overlay skimming devices for motorized card readers;
  • D1 — overlay skimming devices for DIP card readers;
  • M2 — throat inlay skimming devices for motorized card readers; and
  • D2 — throat inlay skimming devices for DIP card readers.

The last two are increasingly popular with crooks, Moore said. This can be attributed largely to the fact that they can elude detection by sensors on an ATM.

"Any anti-skimming solution that relies on detection should be thoroughly evaluated to make sure that the detection capability can be relied on," he said. "Better still, active anti-skimming solutions that are not triggered by detection can be considered."  

This includes jamming devices, which emit random electromagnetic signals that interfere with the skimmer's ability to record card data. Unlike sensors, they do not depend on detection, which makes them useful against both overlay and throat inlay skimmers.

Active-jamming devices offer the additional advantage that the ATM can safely remain in service (i.e., active) even with the skimming device present.

Active-jamming devices for motorized readers have been available for some time; however, a solution for DIP readers became available only last year, when TMD introduced the only such device on the market.

"What makes it different from all other anti-skimming solutions for DIP is that it does not rely on the detection of a suspected skimming device to trigger it," Moore said. "This has never been possible before."

In the second half of the webinar presentation, Hamstra introduced newer and emerging threats, including deep-insert skimmers, eavesdropping, shimming, and a second-generation stereo skimmer.

In stereo skimming, the skimmer includes two read heads — one to read the jamming signal and another to read both the jamming and card data signals. Later, the jamming signal is "subtracted" from the recording of the card and jamming signal to render clear card data. In the "2G" implementation, an amplifier was used to make card data extraction easier.

In deep-insert skimming, the device (also known as an M3) is pushed deep into a motorized ATM card reader behind the shutter — far enough to escape interference from a jamming signal.

In shimming, the device is also pushed deep into the card reader — in this case with the objective to intercept or "sniff" data.

Eavesdropping takes several forms and can involve creating a hole in the ATM (later covered by a fake decal) in order to insert a device which is connected to the pre-read or read head or to the PCB or communications port. Eavesdropping can also be carried out externally in locations where network cables are exposed.

Moore and Hamstra both referred in their presentations to "ATM Skimming and Card Compromise: Modi Operandi and Countermeasures," a free white paper published recently by the ATM Security Association, an independent group focused on ATM security technology. TMD was instrumental in developing the document, along with several other ASA members.

"There is no one silver bullet" for preventing or stopping all ATM attacks, the white paper emphasizes. Deployers are best off assembling a mixed arsenal of anti-skimming weapons determined by risk tolerance, probability and budget — and focused on delivering maximum security, availability and customer convenience.

Watch the on-demand replay.

photo istock

About Suzanne Cluckey

Suzanne’s editorial career has spanned three decades and encompassed all B2B and B2C communications formats. Her award-winning work has appeared in trade and consumer media in the United States and internationally.
