In the world of ATM skimming, thieves typically hit the same machine over and over until they are stopped.
After enduring a number of hits in 2015, the $2.3 billion, Folsom, Calif.-based SAFE Credit Union implemented multiple, effective anti-skimming measures and shared its tips for other credit unions.
Skimming, which accounts for global losses that exceed $3 billion annually, according to ATM company NCR, is a growing problem for credit unions in the U.S. Skimming groups work in waves, hitting financial institutions in a single region before moving on to their next territory.
The thieves store card data using a magnetic stripe reader, which is usually part of a hidden camera designed to record the PIN sequence from an unsuspecting customer at a compromised machine.
Vigilantly inspecting machines is not enough to stop the crimes, SAFE found.
"We tried that and it is difficult to inspect our 82 ATMs often enough to detect when skimming devices are placed," Henry Wirz, president/CEO for SAFE, said.
He noted a gang working along the West Coast recently hit SAFE along with other banks and credit unions.
"If they are ever successful, they'll keep hitting the credit union until they get stopped," he warned.
The average loss resulting from each ATM skimming incident is more than $40,000, according to multiple sources.
"I can say that is pretty accurate," Dave Pope, chief information officer/SVP of IT for SAFE, said of the number. "The ATM business is not profitable. It used to be, but not anymore. It's a convenience for your members and an advertising medium more than anything else. We had many different defenses in place, but we were still attacked and ultimately found out we were still vulnerable."
So, SAFE put together a plan to disable thieves' skimming capability.
"If you have an ATM sitting outside accessible to the public, sooner or later it will be attacked," Pope said. "That is the posture we've taken."
Pope suggested the best way to protect the ATM environment is through a collective effort from both a logical and physical standpoint. The credit union worked closely with its ATM provider, NCR, to implement best security practices including the NCR Skimming Protection Solution.
Pope explained, "The device detects when a skimming device is placed, shuts the ATM down and alerts us. We have completely defeated the skimmers."
To fulfill the logical end of the defense effort, Pope said credit unions must protect the computer inside every ATM, which typically runs on Windows 7.
"That means having a firewall, virus protection and regular patching," he said.
SAFE took the additional step of using whitelisting, which hardens the Windows environment. If somebody tries to hack in and run a program that isn't on the whitelist, it won't work.
Pope also recommended credit unions protect the ATM's Basic Input Output System (BIOS) so that the machine may only boot from the hard drive within the computer, using a strong password that is changed regularly and setting up a unique user ID for every ATM.
On the physical side, Pope stated credit unions should do the following:
- Install cameras and alarms on their ATMs. "Most of the bad guys don't care if their picture is caught on a camera," Pope said. "But you still need them."
- Perform physical inspections. Pope strongly recommends credit unions inspect branch ATMs daily for skimming devices. "Physically reach out and twist the card reader mechanism. If it wiggles and comes loose, you have a skimmer," he advised.
- Install PIN shields and cash trap inhibitors. PIN shields limit where crooks can place cameras. "If you can make it harder for them to get a camera on that machine, you'll add one more hurdle," Wirz explained, adding thieves prefer drive-up ATMs because they usually don't hold PIN shields due to driver accessibility. In addition, skimmers sometimes place devices that prevent a full cash withdrawal from dispensing, then return to grab the remaining bills.
- Install anti-skimming solutions such as NCR's SPS. These devices detect, in most cases, a bezel placed over the existing card reader.
"We had anti-skimming protection, which we purchased from a third party," Pope said. "However, when we were initially skimmed, it did not work. We thought we were protected." Wirz added, "[The original devices] were about $2,500 apiece. We have more than 80 machines so it was a significant investment for us. And they were defeated by lighter, translucent devices."
SAFE recently switched over to NCR's SPS, an advanced anti-skimming device. When it detects the fake bezel, it sends a signal to shut down the ATM. It also drops a shield in the card reader, preventing card insertion, and sends an alarm to the monitoring service.
Since implementing NCR's SPS, SAFE has detected and thwarted skimming without impacting members in any way.
"Card skimming in the U.S. has spiked over the last year, and it's because it's still one of the last markets to fully move to the EMV transaction and use of the smart chip," Owen Wild, director of security marketing at NCR, said. "However, it has always been a problem. We see it in all areas of card acceptance in the U.S. payments market today."
NCR's SPS, which has been available since 2013, also uses jammers to generate multiple random signals, preventing any attempt by a criminal to isolate and record data from the magnetic stripe on the card. It prevents even the smallest skimming devices from capturing card data.
"If the sensor detects that something is in the card reader that should not be there, it renders the device useless," Wild noted.
One of the newest trends in Europe and Mexico involves thieves breaking into ATMs' cabinets and placing skimming devices inside. NCR's SPS fights this technique by detecting a bezel overlay inserted over the existing reader or an item placed inside the cabinet. It also defends against attempts to tamper with and disable the anti-skimming functionality.
"Customers that have deployed these solutions have seen skimming reduced to almost nothing," Wild said. "Regardless of these successes, we've already seen new forms of attack vectors involving software and network attacks. So we continue to enhance our solution portfolio and send guidance out to our customers."
Some of the newer trends SAFE noticed in the Sacramento area involve taking cash dispensers and blowtorching them open. Bolting cash dispensers down or using GPS tracking devices can deter these types of attacks, according to the credit union.
Another type of non-technical, non-ATM-related theft uncovered by SAFE involves fishing – not as in phishing emails, but as in reeling in night deposit bags. Criminals will drop a weighted line with sticky tape attached into the night box to try and catch the deposit bags. In response, SAFE retrofitted its night boxes with serrated teeth that snag and cut the string before the deposit bag is lifted into the thief's waiting hands.
Wirz said he believes credit unions should talk to elected leaders to toughen anti-skimming laws. For example, he said, it should be illegal to sell skimming devices, which are readily available online. Wirz also said he believes placing a skimming device on an ATM, or having one in possession, should be a felony. In California and many other states, it is only a misdemeanor; in most cases, it only turns into a felony when crooks steal IDs and create fake cards from the information skimmed.
Credit unions can help one another by sharing information, reporting incidents to the Secret Service and joining the Financial Services Information Sharing and Analysis Center.
"So if an organization is attacked, the rest of us know that," Pope said. "The best way to tip each other off is to use a program like the FS-ISAC."
Wirz concluded, "The truth is, the bad guys share a lot of information amongst each other. That is how they keep perfecting their devices, and how they figure out who has defenses and who doesn't have defenses. If credit unions and banks do not share information, we're going to be picked off one by one."