The (ATM) Skimming of America
By now, it would seem every American who touches a keyboard has been scared silly by reports of online fraud and the risks of doing business over the internet, but an even more insidious electronic threat has made its way onto the national landscape – ATM skimming.
Yes, never mind the murky world of viruses and trojans and hijacked web browsers. Many of today’s cyber crooks are compromising consumers by way of the ATM, and while industry estimates vary, some put total card skimming losses at $8 billion a year.
There is a solution in the offing known as the “chip card,” and even as the developing world has widely deployed this technology, the U.S. lags behind as ATM fraudsters step up their game.
Skimming involves tampering with ATMs by attaching counterfeit card readers and pinhole cameras in order to pilfer credentials. The alterations are so convincing that ATM users have no idea they are literally giving away the keys to their account. Once the stripe data is captured and the PIN disclosed, the criminal merely cuts cards of his own and, after collecting numerous accounts, withdraws funds or makes multiple debit purchases, often in a single, sustained campaign of withdrawals known as a cash out.
Not only is there an underground trade in skimming devices, but criminals can now fashion their own readers, thanks to the advent of 3D printing. This new technology literally puts manufacturing in the hands of hobbyists, who often target the same make and model of ATM in order to reuse their parts.
A recent report by FICO, a financial analytics service, claims that ATM fraud increased in 20 U.S. states last year, with California and Florida hit particularly hard. One reason, notes FICO, is the low cost of skimming devices and their availability to the amateur market. Of course, “amateur” is a relative term in the card fraud game, where international skimming gangs are often involved, notably from Romania and other former Soviet countries.
The bank card industry, seeking to put a stop to these rising losses, is moving aggressively to deploy an embedded smart chip technology that will replace the iconic magnetic stripe in use since the 1960s. Known as EMV (Europay, MasterCard and Visa), the technology relies on an encrypted, dynamic verification value that changes with each transaction, thus depriving the skimmer of credentials that can be used in multiple machines.
Nearly half the world’s payment cards are chip enabled, and while even the best security technology can be circumvented by motivated criminals, the EMV chip has demonstrated promising results. In Europe, where its use is most prevalent, EMV technology has led to a 63% decline in ATM thefts.
This does not imply that the chip card thwarts every known card exploit, such as online purchasing fraud, but smash and grab credential theft has decidedly decreased in geographies where the technology is used.
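The difference between static stripe data and a verification value that changes with each transaction can be shown in a simplified model. This is an added example, not code from the article or from the EMV specifications: HMAC-SHA256 stands in for the chip's real cryptogram algorithm, the card number and terminal nonces are constructed, and the class and function names are hypothetical.

```python
import hashlib
import hmac
import secrets

def _tag(key, pan, amount, counter, nonce):
    # HMAC-SHA256 stands in for the chip's real cryptogram algorithm (assumption).
    msg = f"{pan}|{amount}|{counter}|".encode() + nonce
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class ChipCard:
    """Toy chip: the key never leaves the card, only per-transaction values do."""
    def __init__(self, pan, key):
        self.pan, self._key, self.counter = pan, key, 0

    def sign(self, amount, nonce):
        self.counter += 1  # changes on every transaction
        return {"pan": self.pan, "amount": amount, "counter": self.counter,
                "tag": _tag(self._key, self.pan, amount, self.counter, nonce)}

class Issuer:
    def __init__(self):
        self._keys, self._last = {}, {}

    def enroll(self, pan):
        self._keys[pan], self._last[pan] = secrets.token_bytes(32), 0
        return ChipCard(pan, self._keys[pan])

    def authorize_stripe(self, pan):
        # Stripe data is static: a copied stripe looks identical to the real one.
        return "approved" if pan in self._keys else "unknown card"

    def authorize_chip(self, txn, nonce):
        key = self._keys.get(txn["pan"])
        if key is None:
            return "unknown card"
        good = _tag(key, txn["pan"], txn["amount"], txn["counter"], nonce)
        if not hmac.compare_digest(good, txn["tag"]):
            return "bad cryptogram"      # value does not match this terminal's nonce
        if txn["counter"] <= self._last[txn["pan"]]:
            return "replayed counter"    # same message submitted a second time
        self._last[txn["pan"]] = txn["counter"]
        return "approved"

def demo():
    issuer = Issuer()
    card = issuer.enroll("0000000000000000")            # constructed card number
    n1, n2 = b"\x01\x02\x03\x04", b"\xaa\xbb\xcc\xdd"   # constructed terminal nonces
    txn = card.sign(2000, n1)
    return (issuer.authorize_chip(txn, n1),             # genuine transaction
            issuer.authorize_chip(txn, n1),             # same message replayed
            issuer.authorize_chip(txn, n2),             # replayed at another terminal
            issuer.authorize_chip(card.sign(500, n2), n2),  # next genuine use
            issuer.authorize_stripe(card.pan))          # static stripe data
```

In this model the issuer's only defense for stripe data is the card number itself, while a captured chip message fails either the cryptogram check or the counter check when it is presented again.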
The EMV chip has been slow to catch on in the U.S. Some industry analysts suspect it is because retailers have not been motivated by a compelling business case in terms of fraud costs versus implementation costs.
Assuming there are some 400,000 ATMs deployed nationwide, each with an upgrade cost of roughly $2,000, the price of retrofit alone will come in at just under a billion dollars, and replacing over a billion debit and credit cards could cost anywhere between $2 and $10 a copy.
If the costs have stymied any serious national resolve toward EMV implementation, they are not the only obstacle: numerous other implementation problems involve configuration and testing of the verification networks. The most difficult technical hurdle deals with the Application Identifier, the piece of code that determines which path the transaction will follow. This is a problem unique to the U.S., where the law requires the consumer to have the choice of two unaffiliated payment networks for ATM transactions.
In trying to force something of a tipping point toward EMV adoption, Visa and MasterCard have published mandates for ATM owners and point-of-sale retailers: their technology must be compliant, or they will be liable for the cost of the fraud. In as little as three years, EMV will be less of a choice and more of a business imperative if the liability mandates come to pass.
The prevailing worry among analysts and authorities is that the further behind the U.S. lags in EMV deployment, the more global skimming gangs will direct their effort and attention toward this comparatively vulnerable market.
Whether or not the U.S. becomes the global epicenter for card fraud remains to be seen. Either way, there are forces in play that may soon make the magnetic stripe a museum piece and give ATM consumers a fighting chance against a low-tech attack that has found an unfortunate foothold in this country.