Security

How to fight back against ATM fraud

ATM fraud via skimming and other techniques is on the rise. How can operators fight back?

How to fight back against ATM fraud Image via Adobe Stock

Oct. 3, 2023 | by Elliot Maras — Editor, Kiosk Marketplace & Vending Times

Payment solutions providers have made significant progress in preventing fraudulent transactions in the past year, but operators of self-service equipment cannot afford to become complacent, especially as criminals come up with increasingly sophisticated ways to target ATMs.

Diebold Nixdorf's Intersect Program in Las Vegas showcased a range of solutions now available for ATM operators, but the importance of sustained vigilance against fraud and theft was highlighted during some of the educational sessions.

That same week, several instances of physical attacks against ATMs made headlines, as if to underscore the importance of keeping up to date on security tools.

During one session, nearly a third of the audience (31%) reported experiencing skimming attacks while 69% reported physical attacks against ATMs, according to onsite audience polls during the event at Caesars Palace.

Panelists agreed both types of attacks — skimming and physical — are increasing in the U.S.

A panel of experts addressed ways for ATM operators to combat attacks against ATMs. Panelists are, at left, Ken Justice of PNC Bank, Nilesh Shah of Citibanamex, Shanna Palmer of TwinStar Credit Union and Ryan Kelley of Diebold Nixdorf Inc. Photo by Networld Media Group.

Skimming on the rise

Skimming occurs when devices illegally installed on ATMs, POS terminals or fuel pumps capture data from a customer's card. Criminals use this data to make fake credit or debit cards to steal from victims' accounts.

"Skimming can happen in any location, between gas pumps, POS and ATMs," said panel moderator Ryan Kelley, fraud manager at Diebold Nixdorf, during the session. This is true despite significant progress that card and payment equipment manufacturers have made in safeguarding customer credit card data.

One reason ATM operators need to be vigilant about skimming is that foreign organized crime organizations have flocked to the U.S. to attack equipment that has not been updated with EMV capable payment terminals, Kelley said.

Skimming is mainly happening in the U.S. because other regions such as Europe and Latin America have completely adopted EMV fraud prevention technology.

Kelley showed company data indicating increases in skimming attacks on POS devices and ATMs from Q3 2022 to Q4 2022. The attack data was broken out for gas pumps, POS devices and ATMs from Q3 2022 to Q2 2023.

Gas pumps had far and away the most attacks, but the number of gas pumps attacks has decreased each quarter.

The change in the share of attacks by location type reflects the changing strategies of the criminals, Kelley said.

"They're not just skimming the ATM, they're skimming everywhere," he said.

Foreign crime gangs

Panelist Ken Justice, senior vice president of physical distribution technology at PNC Bank, agreed foreign criminals do most of the skimming, which is why skimming stopped temporarily when U.S. airports closed during COVID.

"When international travel started again, so did skimming," he said. "It's back and in a pretty big way."

And while credit card issuers have improved fraud protection with EMV, skimmers have also upgraded their technology, using smaller devices that are difficult for cameras to capture, Justice said.

"The (skimming) technology itself has tended to shrink," he said.

Another problem is that magstripe (non-EMV) cards, which are more vulnerable to skimming, are still in use. Many legacy card readers can use near-field communication technology to accept magstripe transactions.

In response to skimming attacks on the company's older terminals, Justice said the company is seeking ways to send an alert when a "fallback" transaction takes place. A fallback transaction happens when a terminal cannot read a chip card and "falls back" to a magnetic stripe transaction.

"If someone else had counterfeited your card, skimmed your data and was trying to use the counterfeit card, it wouldn't have a chip on it, it would be a magstripe 'fallback' transaction," he said.

The company is exploring ways to send an alert in such an event. "You would get an alert," he said. "You would have the ability to respond."

Involve law enforcement

Meanwhile, Diebold Nixdorf Inc. has worked PNC Bank to take action against skimmers and has provided information to authorities.

"We captured some of these that ended up in Secret Service hands," Justice said.

Kelley agreed it is important to deny magnetic stripe fallback transaction authorizations.

"When you do contactless cards with NFC readers, you can do it with magstripe data…that's bad…or you can do contactless EMV," Kelley said.

"While you're starting to approach NFC transactions, cashless transactions, do not do magstripe data for your contactless transactions. Make sure you are using contactless EMV.

"All of your ATMs at this point should have EMV capability," Kelley said. "They (companies in Europe and Latin America) have found ways to manage to not have to use fallback."

Fraudsters upgrade their technology

While EMV chip enabled cards help prevent identity theft, criminals have not thrown in the towel. "Shimming" is an updated version of skimming that reads the chip card information rather than the magnetic stripe, allowing the card to be faked or illegally sold.

Cards with dynamic rather than static data are still better protected from shimming.

Chips with dynamic data allow for controls to be put in place, Kelley said. If a charge is made using a card with dynamic data and the same data shows up for a far away transaction, fraud can be determined.

"We know that card didn't go from Las Vegas to L.A. in 40 seconds, so there's some control put in place there by monitoring transactions," he said.

Physical attacks on the rise

Meanwhile, physical ATM attacks are also increasing.

Panelist Shanna Palmer, payments manager at TwinStar Credit Union, said one of its ATMs was pulled through a branch wall into a parking lot using a chain at 5 a.m. The chain broke, leaving the ATM in the middle of the street.

Another ATM was robbed by thieves using a blowtorch to destroy the bolts holding the machine in place.

In response, the company has installed gates around ATMs.

The company has also installed burglar alarms on all ATMs that are publicly accessible and has also updated its surveillance cameras to provide better images of burglars.

While torch attacks are increasing, the U.S. has thus far been spared the ATM explosions that have plagued Germany, Kelley said.

Stronger safes are also an option, but installing stronger safes can result in bigger explosions.

"The explosion gets bigger, people get hurt," he said.

One measure companies can take is to support legislation that increases penalties for ATM attacks.

ATM attacks are regarded by the government as property crimes and are not felonies, Kelley said, although this varies by state. There is a bill proposed to make ATM attacks a federal crime which could have a penalty of 20 years in jail.

"The criminals do pay a lot of attention to the penalties," Kelley said.

"I think you need a menu of options. I think you need to assess site by site what you're dealing with."

ATM security assessments include: