Until the day when every payment card includes an embedded chip on the front side and excludes a magnetic stripe on the back, ATMs will remain targets for skimming, and criminals will remain busy tinkering with ever more sophisticated devices for stealing card data and user PINs.
Even as the U.S. wades through EMV migration, ATM operators are beginning to see evidence of a new kind of skimmer, which ATM security experts have called "the biggest skimming threat facing the global ATM industry."
This threat, deep insert skimming, replaces card reader bezel overlays that can be identified by a practiced eye with a highly sophisticated device that's invisible to even the most experienced ATM tech.
As explained in a live webinar presented last Thursday by ATM Marketplace and sponsored by TMD Security, a provider of anti-skimming solutions, deep insert skimming, first identified just a few years ago, is rapidly gaining popularity with criminals.
Claire Shufflebotham, global security director at TMD, described what makes deep insert skimming a serious threat to ATM operators:
"Firstly the criminal inserts the deep insert skimmer from the front of the ATM, through the card slot, with no access needed to the ATM," She told webinar participants. "This means the skimmer cannot be seen from the outside."
Once hidden so thoroughly, she said, the device can be left in place to skim cards for days or even weeks — depending on the life of the battery.
Secondly, Shufflebotham said, because the deep insert skimmer is placed so far inside the ATM, it not only escapes visual notice, but it also lies outside the effective range of traditional jamming and detection technologies.
"This means all ATMs are at risk, and all cards that have a magnetic stripe on them, including EMV chip cards, can be compromised in this way," she said. And "all" means virtually any make and model of ATM, and both motorized and DIP-style card readers.
Shufflebotham said that deep insert devices have followed the usual path of skimming technologies, which usually surface first in Europe and then gradually make their way west to the United States. She showed photographic examples of deep insert skimmers found in London (where they made their debut), as well as devices discovered elsewhere in the U.K., and in Germany, Ireland, the Netherlands, Norway, Sweden, Turkey and North America.
The skimmers shown during the presentation exhibited a few variations — in some, data storage was on the device itself; in others it was remote (in one case, integrated with an external camera and equipped with Bluetooth for card data collection). But all shared the common characteristic of undetectability.
Having impressed the audience with the seriousness of the threat from deep insert skimming, Shufflebotham turned the presentation over to Tom Moore, TMD managing director for North America, to discuss ways to combat the technology.
Moore introduced what, to date, appears to be the only deep insert skimming defense, a deceptively simple metal part developed by TMD and dubbed the Card Protection Plate.
According to Moore, the first CPP was developed to stem a plague of card skimming incidents at gas pumps in Europe, and the massive losses that resulted. The first installation was completed in the Netherlands in April 2013.
"Since then we have installed over 13,000 CPPs in Europe on self-service terminals, 12,000 on fuel pumps and 1,000 on ticket machines," he said. "The good news is that there have been no successful deep insert skimming attacks on those self-service terminals since CPP was installed. That's why, as deep insert skimming moves on to ATMs, we have now developed the CPP for ATMs too."
Moore walked the audience through a look of the various features of the CPP, which fits inside the card slot of the reader, filling the space so that there's just room for the ATM user's plastic card — and not enough for both the card and a deep insert skimmer.
Moore explained that, for all its seeming simplicity, the CPP actually is a painstakingly designed solution with a number of ingenious features, which he pointed out in his photo presentation. He explained that the patented design had to meet several demanding criteria:
- it had to be designed so as not to interfere with normal transactions. "The payment card needs to be able to enter and exit freely, without getting stuck. This includes older cards that may be worn at the edges";
- It had to be quick and easy for an authorized tech to install and remove, while remaining all but impossible for a criminal to displace; and
- it had to be maintenance free even in harsh environments where it would be exposed constantly to the elements.
Moore said that TMD had developed a number of configurations for the CPP corresponding with popular ATM makes and models, and that the company provides demo plates to deployers who want to test its effectiveness.
For a closer look at deep insert skimming devices and defenses watch the on-demand replay of the free 1-hour webinar.
/ Suzanne’s editorial career has spanned three decades and encompassed all B2B and B2C communications formats. Her award-winning work has appeared in trade and consumer media in the United States and internationally. She is now the editor of ATMmarketplace.com and BlockChainTechNews.com