What’s old is new again, sighed John Buzzard, an executive with FICO’s Card Alert Service. The occasion was the release of a new FICO report that tracks card fraud. The big trend: fraud is up, said Buzzard, and old-fashioned skimming at bank and credit union ATMs is leading the way.
“Criminals are attacking financial institution-owned ATMs,” said Buzzard, referring to the use of skimmers affixed to ATMs to gather magnetic stripe data. Usually there’s an associated pinhole camera to get PINs.
In an era dominated by technology anxieties – Zeus, DDoS and Chinese Advanced Persistent Threats for instance – it is sobering to be reminded that a lot of ongoing theft is skimming, which dates back 30-plus years and is technically about as simple as using a sheet of carbon paper to make a copy of a document.
Lately, crooks have had their eyes fixed on financial institution ATMs. Skimming at POS devices in fact dipped significantly from 2011 to 2012. In 2011 POS fraud accounted for 79% of incidents. In 2012 the POS share fell to 36%.
Bank ATMs meantime climbed to 46% of skimming incidents in 2012, according to the FICO numbers.
Card fraud is up in 20 states, according to the FICO data. Most of the East Coast saw significant jumps.
The state with the biggest year-on-year increase: South Dakota, up 26%.
An interactive map offers state-by-state data.
A new wrinkle: “We are seeing more amateurs involved in card skimming.” In a down economy the sizable returns seem to be attracting newcomers, elaborated Buzzard. “Would you rather make $30,000 in a year – or a day?”
Technology advances also may be luring in newcomers. Buzzard said the cost of the gear needed to skim keeps plunging – he estimated $3,000 to $5,000 would be ample to get started.
Then too, technology tweaks are making it safer for crooks to deploy skimmers. “If the criminal uses Bluetooth” – wireless data transmission tools – “to gather the data he has harvested, risk of detection is very low,” said Buzzard.
That’s because the two usual moments of vulnerability for a skimmer crook is when he installs the skimmer and then again when he takes it out. But if he is willing to abandon the skimmer onsite, that cuts his chances of arrest in half.
Those who are arrested – which occurs rarely – usually are “money mules,” said Buzzard, low-level criminals who are paid a percentage of the proceeds to harvest money. Of course, the amateurs also run risks arising from inexperience.
The criminal heads of the skimming enterprises tend to be well insulated, said Buzzard.
Mainly, too, skimming is easy pickings for crooks, suggested Buzzard. As financial institutions toughen one attack surface – making it harder to skim in the ATM card slot, for instance –
criminals migrate to other attack surfaces. He pointed to the rise in vestibule door skimmers, where crooks gather mag stripe data when consumers swipe their card to gain entry to an ATM behind a locked door.
Will the conversion to PIN and chip, EMV-compliant cards – supposedly slated to happen by 2015 – immediately end skimming? Buzzard doubts it. His guess is that will take a year or three beyond 2015 before most ATMs and similar devices are in fact EMV compliant.