Don't look now, but criminals are moving beyond the ATM and unwary retailer when trying to steal your members' card numbers and raid their accounts.
The basics of skimming, the unauthorized on-site capture of debit card information at an ATM or other location is nothing new. Fraudsters, particularly overseas, have long attached devices to ATMs to capture the card numbers of unwitting cardholders while, separately, they have positioned small cameras to capture the cardholders' PIN numbers when they enter them. Or, conversely, a fraudulent waiter in a restaurant might use a device to capture card data when he or she takes the card to pay for the meal.
In general, the problem has been more widespread in Europe than in the U.S., with many perceiving it as a fringe or niche cause of fraud, particularly when compared to the massive losses attributed to card security breaches caused by hackers. But the $18 billion State Employees' Credit Union, headquartered in Raleigh, N.C. and other financial institutions in the area have discovered that thieves are beginning to take skimming to a new level.
According to the credit union and law enforcement sources, a group of thieves has been using gasoline pumps, particularly those at high-traffic service stations, as skimming sites. The thieves have been able to open up gasoline pumps and insert a device that captures card numbers while a camera positioned somewhere nearby captures cardholders' PINs. The fraudsters then use the captured card data to make fake cards to steal cash from the accounts through ATMs, many in other states.
Leigh Brady, senior vice president for education services for the credit union worked at coordinating SECU's public response to the fraud, and, even though she has been familiar with card issues, reported there were aspects of the scheme that caught her off guard.
"First of all, there is something called a 'universal key' for gas pumps, which was news to me," said Brady, explaining that the universal key allowed the thieves access to the insides of the pumps. She stressed that much of what the credit union and law enforcement believe about the criminals' methods remained theories since none of the criminals nor even one of the devices had yet been captured. For example, some law enforcement officials believe that the theft devices may be equipped with a wireless capability that let them transmit the stolen card data to a nearby computer, but no one knows for sure.
Brady reported that SECU believes the attacks had taken place at six service stations in the Raleigh area. All of the stations were in high-traffic areas located close by interstates, she added.
Brady reported that the credit union had begun to see accounts hit in the fraud around the second week of December as ATMs in North Carolina and neighboring states began to get hit. The thieves were also savvy enough to know to access the accounts for their full withdrawal limits immediately. Brady said more than 400 accounts had been raided so far.
SECU is the only financial institution in the area that has publicly commented on the attacks. "Of course we knew that the thieves weren't just stealing from our members," Brady said, "but none of the other banks in the area would say anything about what was happening, so we felt we had to go public about it to protect our members."
Brady explained that the credit union wanted to warn its members about the thefts and to educate all cardholders, both among their members and the general public about what to do to better protect their accounts from compromise. For example, cardholders could choose service stations that are not as busy or choose pumps that are within view of the service station's office. Brady said those pumps are thought to have been less likely to have been attacked. Other strategies could include using the other hand to cover up the PIN pad as cardholders entered their PINs in order to block any cameras, Brady suggested.
Card specialists were divided about whether the attack signals a higher profile for skimming attacks as a type of card fraud. Both Jim Gowan, chief operating officer at Credit Union 24, and Kimberly Hester, executive vice president with CO-OP Financial Services, suspected that it might be, pointing out that there had long been a race between thieves seeking to exploit weaknesses in payment systems and networks that work to protect them.
But Mike Urban, senior director for fraud solutions for FICO, said he doubted that the case signals a coming wave of skimming that is out of line of that seen in previous years. He also observed that other forms of card fraud, such as those accomplished by insiders at an organization, will still dwarf skimming as a source of card fraud. He discounted any theory that the industry's increased use of data security procedures had pushed criminals from hacking to skimming. "Those are two very different types of criminals," he said.