How to Mitigate the Risks of ATM Skimming
Nearly half (46 percent) of all card skimming reported by the FICO Card Alert Services occurred at bank-owned ATMs in 2012 – a vast jump over 2011, when 79 percent of skimming occurred at point-of-sale terminals.
Twenty states saw increases in credit card fraud last year, including seven on the East Coast: Main, Massachusetts, New York, North Carolina, Pennsylvania, Vermont and Virginia. South Dakota showed the greatest increase in credit card fraud – the local rate jumped nearly 26 percent.
Mark Solomon, CT Chapter President of the International Association of Financial Crimes Investigators (IAFCI) and a 19-year veteran of law enforcement in Connecticut, is assigned to a task force that investigates ATM skimming incidents. James “Gator” Hudson, Det. Sgt., Ret., and VP of CrimeDex Services joined Solomon to discuss why this crime trend is on the rise and what security executives should do about it in this Online Exclusive with Security magazine Editor Diane Ritchey.
Ritchey: Why has there been this sudden increase in skimming?
|Photo courtesy of Mark Solomon|
Solomon: The sudden increase in ATM skimming in the U.S. is directly attributed to the global shift towards Chip and PIN technology. Criminal organizations involved in this activity have been running out of places to skim due to the fact that EMV technology is being implemented around the world. Since the United States has been slow to adopt Chip and PIN technology, the criminals are taking advantage of this delay and are focusing their attention on the United States.
Hudson: Mark is right about Chip and PIN in the rest of the world. Another reason is the “dumbing down” of what used to be a high-tech crime to a level where many criminals can do it. It reminds me of the counterfeit check explosion of the 1990s. If you remember the movie “Catch Me If You Can” about Frank Abagnale, in the 1960s check counterfeiting was an art and a science. Frank even traveled to France to use special printing presses. Then in the early 1990s it became possible to print counterfeit cashiers and payroll checks from a laptop PC, cheap software and check paper available at the office supply store using a portable ink jet printer. Every 19-year-old methamphetamine addict high school dropout could do it, and did!
Today the equipment and knowledge to perform ATM skimming is widely available on the Internet. Almost anyone can do it. From a Tom Clancy novel when terrorists are discussing making a nuclear weapon, “What is the work of genius the first time is the work of a tinsmith soon thereafter”.
Ritchey: Why should security executives be concerned about this issue?
Solomon: ATM skimming should be on the forefront of security executives, because these attacks are increasing exponentially. Here in the U.S., groups tend to target the weakest link in the chain and will target those institutions that are not prepared or do not have a plan in place to combat ATM skimming. Using the latest anti-skimming technology, coupled with the education of your frontline employees as well as having an anti-skimming plan is critical to all financial institutions where these attacks can occur.
|Photo courtesy of James “Gator” Hudson|
Hudson: Any industry that involves payments needs to be concerned. For example, ATM skimming obviously impacts the financial services industry directly at banks and credit unions. But the same technology is finding its way into the credit card processing equipment that retailers use to accept payments, and when a breach occurs it’s the retailer who has to make good on the losses, not the financial institutions. Any industry that relies on electronic payments has to be concerned that they will be the next target, such as hospitality and health care.
Ritchey: Beyond technology, what else do you suggest that security executives do to mitigate the risk of skimming?
Solomon: Beyond technology, training your employees in recognizing the signs of a past or active skimming incident is vital. Employees of financial institutions are the second most likely individuals to locate evidence of an active or past skimming incident. The timely identification and reporting of the incident – both internally and to law enforcement – will help the chances of arrest and minimize losses to your institutions. Knowing what to look for and how to proactively respond to past and active skimming incidents will increase your chances in successfully thwarting many ATM skimming attacks.
Hudson: Mark is spot on for financial institutions. I would add that in the retail/hospitality/healthcare industries to make sure employees are trained to think of their credit card processing pads as important devices that no one should be messing with, even if they appear to be from an approved vendor. Verify who they are and verify with your security department before allowing anyone access to card processing equipment.