ATM skimming detection minus the downtime: More than a myth?
ATM jackpotting malware makes for big headlines, but it's garden variety ATM skimming that makes up the bulk of ATM attacks — and financial losses — worldwide.
Many deployers are reluctant to try antiskimming solutions because they believe they'll have to choose between maximum uptime and maximum security, and that it's just wishful thinking to expect they could have both.
ATM Marketplace recently caught up with Marvin Bowers, vice president of sales for the global division of ACG, who explained why this is not necessarily the case.
Q: We know that new ATM malware is popping up, while ATM skimming is an age-old problem. What do your customers see as the big issue?
MB: What we hear from the marketplace is that far and away the biggest issue worldwide in ATM safety and security is skimming.
Q: What are some of the things FIs are looking for in an ATM skimming solution?
MB: FIs are interested in how they protect themselves and their customers. So the solution actually has to work, first and foremost — it actually has to do what it's supposed to do.
There are some manufacturers of third-party hardware that's really, really cheap and has no product support, and just really doesn't work.
The next most commonplace is [that] a lot of FIs rely on their OEM to provide something for them and all of the OEMs do that — really, really expensively.
And what we find almost across the board is that eventually that equipment becomes so troublesome that they either unplug it and buy something else or, even worse, just unplug it. …
FIs are really interested in protecting their machines. They're not interested in protecting their machines if it means that uptime at the ATM declines because the machine is down for hours or days due to the antiskimming product.
Q: Are most ATMs in the United States using some type of antiskimming technology now, or is the uptime issue such that FIs don't want to bother with it?
MB: I think it's probably something less than 50 percent of the machines that are actually protected. There are three main things you hear from FIs about why they are hesitant.
One is, "Well we know skimming is an issue, but we haven't been skimmed yet. It's not in our budget. So until we have a need for it we're just going to let it ride."
You hear more interest today than you did maybe a year ago. I suspect that a lot of FIs this year in their Q3 planning will start to plan for the rollout of some sort of antiskimming device.
The other thing you hear is, "Yes we know it's an issue. We have purchased a unit … and installed it on our machines. But our uptime used to be at 99 percent and it's now 94 percent and we're not sure it's worth continuing with that."
And then the third thing we hear is, "Wow! We got skimmed last week — can you get me a unit tomorrow?
Q: I know ACG some time ago developed its own antiskimming solution. What makes it different in terms of dealing with the detection problems you mentioned?
MB: We spent an unbelievable amount of time — years — building a product that first and foremost works and is meaningful for the protection of the FI and for the consumer, but that also does not take the machine out of service and require a service call to be brought back online in the event of a false alarm. It has had most of the issues programmed out of it that actually cause false alarms.
Originally we just came out with a basic unit and we used a little box plugged in behind a card reader. It only worked in motorized card reader solutions and it only provided jamming.
Then that sort of evolved into a version for motorized card readers that, not only did it jam, it also detected, so once the skimmer was installed or some other threat … you got an alarm that told you there was something wrong there and, at the same time, it continued to jam.
Then in order to bring that to the U.S. and make it viable and useful, we had to we had to develop a product for dip card readers.
Today, that product is very simple. When a threat is detected, it sends a signal through an alarm panel to whomever is monitoring the FI's alarm to let them know that there's a threat there.
It does not take the card reader or the machine out of service unless the FI asks for that, but it does immediately start jamming.
Q: What about deep insert skimming?
MB: In a motorized card reader there are a couple of ways that the criminal would insert a deep insert skimmer or a shimmer. They're either attached to the little holes on the rails of the card reader that left during manufacturing of the card reader, or they attach magnetically.
So the simple solution there is a small piece of antimagnetic metal or plastic that is inserted into the card reader. It's very simple but it does three things very well: One, it's thick enough that it closes up the space inside the card reader so it will not allow a skimmer or shimmer to be installed — there's no room for it; two, it seals up those manufacturing holes; and three it's antimagnetic. There's also a detect version for dip readers.
So it's basically just an add-on; it's a solution that keeps a criminal from being able to attach a skimmer inside the card reader.
This story sponsored by...