ATM Fraud In The Age Of EMV
by Bill Prichard, Senior Manager, Public Relations and Corporate Communications, Co-op Financial Services
By all measures, skimming is an ATM epidemic.
FICO reports that ATM skimming increased by nearly 550 percent from 2014 to 2015. According to U.S. News & World Report, as much as $2 billion a year may be lost to ATM skimming. And ATM Industry Association research cited by the Chicago Tribune estimates that losses incurred when a skimming device is placed on an ATM average $650 per card and can cost up to $100,000.
While credit unions, banks and other ATM owners and operators continue to migrate their machines to EMV technology, the question remains: Will EMV ultimately solve this very serious problem?
“EMV has the potential to significantly curtail ATM skimming nationwide,” according to Terry Pierce, senior product manager at Co-op Financial Services. “However, fraud is a moving target. And when our industry implements solutions to address one risk, we typically see fraud resurface somewhere else. Criminals who are determined to commit fraud will find a way to do so.”
Thieves have other tricks up their sleeves
Pierce said that, as pervasive as traditional magstripe card skimming is, it is not the only threat to ATM security. And EMV transactions are not entirely without risk.
“Shimming is a relatively new form of ATM skimming that enables fraudsters to capture EMV or chip card transaction data,” she said, adding that the shimmer itself is inserted into an ATM to intercept data exchanged between the EMV card and card reader.
“This chip card data can be used to create operational magstripe cards,” she said. “The good news for credit unions is that fraudulent transactions resulting from shimming can be detected and stopped with proper authorization processes in place.”
Sniffing the network
According to Pierce, another tactic used to commit ATM fraud is network sniffing. “Sniffing technology taps into ATM network cables and captures the card data via sniffing of network communications to the host,” she said. “At the end of the day, the intent of these attacks is to create a magtripe card. And as long as fraudsters can also capture PINs with keyboard overlays and hidden cameras, they have all the information they need.”
While most incidents of ATM fraud involve stealing card data, some fraudsters go straight for the cash inside.
A recent article authored by fraud expert John Buzzard reports that ATM ram raids — in which the ATM itself is stolen by criminals — are “still incredibly popular in Europe and Australia, but they show up in the U.S. as well.” He said that the ATM Industry Association calls ram raids a leading threat to ATMs worldwide, second only to card skimming.
Buzzard’s article also highlights an even more alarming trend — the increasing use of solid explosives and explosive gases to gain access to an ATM’s cash dispenser. He notes that nearly 500 such attacks were reported in Europe in 2016.
Hitting the jackpot
However, a criminal doesn’t need a forklift or detonator to drain an ATM of its cash. “Logical attacks, while rarer, can devastate financial institutions,” said Pierce. Also called jackpotting, these attacks can be launched from malware that infiltrates an ATM network — or from a piece of hardware known as a “black box” that is placed inside the ATM and connected directly to the cash dispenser.
“Both methods enable the fraudster to alter the technology driving an ATM’s cash dispensing system,” said Pierce. “As a result, a criminal sitting in a remote location can reprogram an ATM — or an entire fleet — to spit out enormous sums of cash on demand.”
And, she said, jackpotting is costing the industry millions. According to a Group-IB report, a single gang of criminals recently used the technique to steal more than $25 million from European banks.
“To protect against logical attacks, [financial institutions] need to have whitelisting or blacklisting solutions implemented that prevent criminals from hijacking their machines,” she said. “And only authorized personnel should have access to these solutions. Encrypting hard disks is also vitally important.
“While ATM fraud continues to evolve, security technology is quickly advancing as well. [FI]s should maintain close relationships with top ATM manufacturers such as NCR and Diebold to ensure that they are fully informed on emerging threats and that they also have the right technologies and solutions in place to protect against them. And [consumers] need to be educated on security best practices as well so they can safely enjoy all the convenience your ATMs provide.”