ATM Fraud: How to Fight Back

Credit unions offer access to some of the most sophisticated ATMs in the world, but like other financial institutions, they are still battling a nagging problem: Skimming. Among credit unions, it’s the third most prominent type of fraud, according to a recent survey by CO-OP Financial Services, and many don’t expect those skimming attempts to let up anytime soon. Here’s what two industry pros said credit unions can expect in 2019 and what they can do now to help stem the skimming.

What to Expect

1. More sophisticated skimmers. The general recipe for skimming devices still involves two main ingredients: A mag-stripe reader and a camera. But those ingredients are getting smaller, easier to install and harder to detect, said Steve McCarthy, general manager at the Chicago-based Convergint Technologies, which provides financial security services.

Criminals have concocted so-called deep-insertion skimmers that communicate wirelessly and can evade detection by ATMs that are set up to sense when someone has attached something to the outside of the machine, he said.

“They can actually insert it through the card-reader slot and place it on the inside, so when the card goes inside they’re capturing [card data]. So now the manufacturers are scrambling to come out with a solution to detect that as well,” he said.

2. Skimmers to outpace shimmers. Skimmers intercept the transmission of data between card readers and magnetic stripes, but there’s a new game in town: Shimmers, which intercept the transmission of data between EMV chips and ATMs, Ryan Rackley, managing director at Cornerstone Advisors in Scottsdale, Ariz., said.

“Shimming’s just a new way to get that data,” he said.

The primary motivation, he noted, is to capture data from the EMV chip and use it online or to clone magnetic stripe cards for use at ATMs and merchants that still accept mag-stripe transactions.

“There are still several merchants out there,” he said. “My local convenience store still has tape over its EMV reader.”

However, in terms of threat size, shimming still pales in comparison to skimming, McCarthy noted. “I’m hearing much more feedback about fraud that’s happening with skimming,” he said.

3. Lots of false alarms. Major ATM manufacturers do incorporate technology that detects foreign objects or substances on the outside of card reader slots, McCarthy noted.

“They do a pretty good job of detecting that,” he said. “The problem is there are a lot of false reads.” That can create enough false alarms that credit unions and their ATM service providers can become desensitized to the alerts.

“If someone puts their hand there and leans on it, or someone sticks a piece of gum … there’s just a lot of false reads,” he explained. “You try to make it sensitive, but you don’t want to make it too sensitive.”

4. A direct hit to debit. The CO-OP Financial Services survey reported that 72% of respondents used their debit cards to get cash from an ATM in the last year. But for members, more risk at ATMs and points-of-sale can translate to less debit card use, it said.

“Most credit unions believe that card-not-present fraud will continue to be the primary channel where fraud will occur, with greater emphasis coming from data stolen through skimming,” the report said. “As cardholders experience fraud on their debit card in digital channels they become less likely to use their debit card for online and mobile purchases. This can impact the long-term growth of debit cards as the growth of transactions in card-not-present scenarios outpaces the growth of card present purchases.”

What CUs Should Do Now

1. Enforce daily ATM checks. A quick 30-second inspection every day can increase the chances of catching skimmers early, according to Rackley.

“Go out there and physically inspect the machine. It’s not that difficult to figure out if you’ve got a camera pointed at your ATM that shouldn’t be there. Everything’s smaller and smaller and harder to detect, but a good banker just knows. If you do it every day, you’ll be able to spot if you’ve got a loose bezel around the card slot,” he said.

2. Invest in modern technology. “Work with your ATM service provider and make sure you’ve got the latest technology from the manufacturer,” McCarthy said.

McCarthy said new camera-based analytics technology could soon detect whether a person is bending down near an ATM, lingering too long or demonstrating other suspicious behavior, for example.

“Those analytics are getting better and better quickly,” he said. “I don’t think any of them have a final solution yet, but it’s right around the corner.”

“If you follow the technology, what typically happens is the big banks with thousands of ATMs typically deploy first,” he added. “However, I’ve seen a lot of technology investments where credit unions will invest prior to the banks.”

Credit unions should also be sure to capitalize on fraud detection settings in their analytics tools that can help detect skimmers faster, Rackley added.

“For example, if you’ve got a fraud rule and it’s applied into your ATM transaction set where you can realize, hey, I’ve just got a ‘bad PIN’ notice on four different ATMs on the same card within a 10-mile radius, I’m going to give that number a call,” he said.

3. Start imagining life without mag stripes. Getting rid of the magnetic stripe is easier said than done, but skimmers largely exist because magnetic stripes exist. “We’ll have mag stripes on the back of cards for another decade at least,” Rackley noted.

“In my mind, [criminals will] try and get [card data] whenever it’s available as long as that mag stripe data is still on that card and there are points-of-sale and ATMs that accept and will process a mag stipe-based transaction,” Rackley said.

Eventually, though, criminals will stop skimming when the bounty isn’t big enough to make the crime worth the effort, he added.

“It’ll continue to grow until it doesn’t work anymore,” he said.