Crime Rings Often Behind Skimming Attacks
Credit unions hit by ATM skimmers are likely victims of multi-tier crime rings recruiting young people online and paying them for their efforts, according to a defense attorney specializing in Internet crime and technology law.
Meg Strickler of Conaway & Strickler in Atlanta said skimming outbreaks, such as the recent one in Wisconsin, which involved over a dozen devices, are often part of bigger criminal enterprises.
Be sure to register today for Data Breach Defense, the free CU Times cybersecurity virtual conference on Oct. 6. Find out the latest credit union liability and risks, as well as security measures you can take to ward off cybercriminals.
Building the Pyramid
“What usually happens is someone says, ‘You can make $800 by going into the bank and withdrawing $1,000,’ or, ‘Take $1,000 out; I'll give you $800,’” Strickler explained.
Skimmers often don’t know each other personally; the recruiting is often via the Internet, she said.
“The people tend to go after 18- to 25-year-old women who are college kids,” she added.
Sometimes people enter the fray after dating someone who knows higher-end criminals, she said.
Strickler said criminals even pay people $20 or $40 to assemble a skimming device and then sell or mail them.
“It's a pyramid scheme where the lower guys are making $800 while the guys in [other countries] are making billions of dollars in 10 minutes,” she said.
“They're just being manipulated and screwed with and used,” she said. “The criminals abuse that part, too. They're like, ‘OK, let's go get those people to do the low-end crap.’”
The temptation is real, she said.
“You work at McDonald’s for minimum wage, making nothing,” she said. “Go ahead and use this device and scan everybody's credit card for a day. Do it for a day and I'll give you $500. That's hard to say no to.”
The trouble is, skimmers get caught. ATM cameras make it easy for police to broadcast suspect photos. Sometimes social media is the foil, she said, because criminals often use it to show off new purchases.
“They seem so comfortable out there,” she said. “They think they're safe. But only the really high-end people are safe.”
Law enforcement can easily pierce through fake Facebook accounts, for example, but “the high, high, high-end people are able to bounce off different servers and you can't track them,” she said. “So again, the low-end people get caught; the high-end don’t.”
Strickler said many low-end criminals become informants, but they almost always serve prison time – three to seven years is common.
Will Regulation or EMV Matter?
In the Wisconsin cases, police suspect criminals made several skimming devices from genuine ATM parts.
“It seems to me there should be something that should prevent them from buying stuff that looks like a real card reader,” Madison Police Public Information Officer Joel DeSpain said in an interview.
But a simple Google search reveals how easy it is to purchase ATM parts, and there are no real regulations preventing anyone from buying them, one expert told CU Times.
On some websites, the listings are brazen.
“They even post ‘I have fake ATM skimmers, just contact me at this email address,’” Strickler said. “Even if we did regulate it, I don't know how that would fix anything. Let’s pretend we go ahead and regulate the heck out of it, no more ATM parts. Well, you’ve got the 20-year-old kid who’s also majorly tech savvy. He'll figure out how to emulate the entire technological aspect of it and then go one step further, and it’ll tie your shoes even.”
“In many EMV-compliant countries, skimmer fraud has significantly declined but physical attacks have increased,” according to a study last year by Pace University and the Association of Chartered Certified Accountants.
“A physical attack could be a gas attack, a bomb or a truck used to physically rip out the ATM,” the study said. “Other schemes like card trapping, cash trapping, transaction reversal fraud and currency fishing are also on the increase in a number of countries in the European Union, and we should anticipate similar challenges in the United States with the introduction of EMV.”
Or as Strickler put it, “It will stem the flow a bit. People will get savvy, and then it’s off to the races we go again.”