With all the technology advances they’ve made, why can’t banks and credit unions keep the ATM, a product of the 1960s, safe from attack?
The number of payment cards compromised at U.S. ATMs and merchants monitored by FICO swelled 70% in 2016. Compromises of ATMs and merchant devices themselves in the U.S. rose 30%, following a sixfold increase in 2015. (FICO monitors about two-thirds of all PIN-based debit card transactions in the U.S.; it does not separate incidents at ATMs from those at POS terminals.)
That’s not counting the ATMs that are hacked remotely through software, nor a rash of recent cases in which criminals used a power drill and a $15 homemade gadget that digitally triggers the ATM’s cash dispenser to empty the machines.
Earlier this month, Joel Abel Garcia, a member of an ATM crime gang that used secret card-reading devices and pinhole cameras on PNC and Bank of America ATMs to steal at least $428,581, pleaded guilty in a Newark, N.J., federal court to conspiracy to commit bank fraud.
“Over the past 24 months there has been a significant increase in ATM attacks involving credit card and card skimming at ATMs, and it is following the global pattern,” said Owen Wild, global marketing director for enterprise fraud and security for financial services at the manufacturer NCR.
One reason ATM fraud persists is that attacks are getting more sophisticated, as well as more frequent. ATM crime has always run an interesting gamut, from people physically picking up ATMs and loading them into their trucks, to attempts to blow up the machines, to skimming devices that are increasingly hard to detect to sophisticated malware that can dive into the software used to run ATMs and manipulate it to spew out cash at machines. The attacks are most easily done at unattended machines in remote locations and convenience stores.
Skimming — use of a card reader to steal information from a card’s magnetic stripe — remains the most common type of attack.
“Skimming technology has improved a lot,” said Michael Betron, senior director of product management at FICO. “I could go buy a Bluetooth skimmer for under $100 in an online marketplace. The cost has gotten lower, the ability to obtain it has gotten more widespread, and general know-how has increased.”
Card skimmers are not illegal in the U.S. until after they’ve been used in a crime. Anyone can buy an over-the-counter card reader that’s designed to be plugged into a POS device and therefore has a viable commercial use as well as an underhanded criminal application.
“But when I go on marketplace sites and I see devices that are being sold for the sole purpose of committing attacks on ATMs, whether mine or colleagues’ and competitors’, it’s infuriating,” Wild said. “Even if it’s not illegal, it’s not ethical.” NCR won’t even use such devices in testing, so as not to support that activity.
There’s still a low level of criminal prosecution of card skimming in the U.S. Law enforcement has “got their hands full,” Wild said. “They’re not ignoring it.”
Some countries have stiffened the penalty for this crime and the rate of card skimming attacks has dropped, Wild said.
The use of malware to steal from ATMs, though less frequent than skimming, has been steadily increasing since the first ATM malware appeared in March 2009, according to Sergey Golovanov, principal security researcher at Kaspersky Lab. The second ATM malware strain appeared in March 2012. Three new ones were created in 2013, another three in 2014, four in 2015 and eight new POS and ATM malware families were found in 2016. Already in 2017, researchers have seen three new malware types emerge.
“More criminal gangs are coming for the ATM,” Golovanov said.
There are two ways to install malware on an ATM, he said. The first, which Kaspersky calls a “black box” attack, is through the USB port, which is accessed by using a small key or breaking open the ATM. Criminals plug in a malware-loaded USB drive and open the malicious program, which instructs the ATM to dispense money.
The second way is for cyberattackers to infect the finacial institution itself, by finding and installing malware on the computer that runs the ATMs. Then with scheduling software they dispense money through various ATMs, where low-level criminals called mules wait to collect the money.
“They’re criminals with hoodies and sunglasses, and they get an ATM assist fee,” Golovanov said.
ATM fraud is about 10 times more financially rewarding than branch robberies, said Doug Johnson, the American Bankers Association’s senior vice president of payments and cybersecurity. ATM theft can net a criminal $30,000 to $50,000, while the average bank robber gets only $3,000 to $5,000 on average before he’s apprehended.
Some in the industry theorize that criminals are cramming in as much ATM theft as they can before the machines become compatible with the EMV chip card standard. While skimming devices for magnetic stripe cards are easy to come by, devices that can intercept information being passed from a chip to an ATM have yet to be designed and manufactured. So fraudsters want to get as much use out of their skimming devices as they can.
“There’s an effort on the part of criminals to try to get ahead of that,” Johnson said. “There’s somewhat of a rush to get the card numbers and PIN numbers and compromise them before next year in October, when there will be much more compliance with chip cards.” Beginning Oct. 1, Visa will shift liability to ATM owners that haven’t upgraded; the cutoff for Mastercard was last October.
The U.S.’s slowness to adopt the EMV standard has made it more vulnerable than many other countries, Wild said. It also has a lower penetration of anti-skimming solutions. All of which attracts criminal activity.
“Crime tends to migrate to its weakest link,” Wild said.
When all U.S. ATMs are EMV-compatible, it is hoped, ATM fraud will subside.
“Once all fallback magnetic stripe transaction support is removed from the systems, then the U.S. should see a drop similar to what was experienced in Europe,” said Nick Billett, senior director of global research and development and head of ATM security at the manufacturer Diebold Nixdorf. Fraudsters will then focus on card trapping — where an inserted device grabs a card and never lets it go, so the perpetrator can do something with it later — which is more difficult.
However, universal adoption of EMV is not a given. It’s not driven by a regulation or a mandate, but by a shift in the liability for fraud from card issuer to device purveyor. It’s up to each ATM owner to decide whether or not to upgrade to an EMV-compatible machine.
“Fortunately the banks and credit unions have seen there’s no viable business case for them to not do it,” Wild said. “But when you look at the economics for small and midsize business, it becomes a different story.”
Many machines are likely to support stripes and chips for a long time. And even when all ATMs support EMV, it’s only a matter of time before criminals figure out how to intercept the communications between card chips and machines.
“Oy, yes, there will always be the next thing,” Wild said.
The two major U.S. ATM manufacturers offer anti-skimming products.
Diebold has a special card reader that can be put on existing ATMs called ActivEdge. It forces users to turn their cards 90 degrees to insert the longer edge — most skimming devices are made to work the usual way, with the shorter edge sliding in. The reader also encrypts data passed between the card reader and the PC driving the ATM. Diebold also offers technology that can detect and prevent skimming.
NCR offers a skimming protection solution that is designed to detect the presence of a skimmer on the ATM bezel or in the ATM insert and notify the system to take an action, such as disable the ATM. It provides internal devices that protect the card reader itself from vandalism or being accessed to skim the data, and that encrypt communication between ATMs and host networks. Its newest ATMs have a card reader that’s flush mounted on the front ATM panel, so anything attached to the front of the ATM would stand out. The card reader itself is small, making it difficult to use an insert.
Too expensive for banks?
But banks aren’t diligent about keeping their ATMs up to date, said Golovanov. (The banks with the largest ATM networks, Bank of America, Wells Fargo and Chase, all declined requests for interviews.)
“It’s too expensive for the banks,” Golovanov said. “So big banks are not updating all the ATM networks once a year. Usually banks will update ATMs once in five to 10 years. During these years, ATMs are vulnerable to attacks from malware or black-box attacks.”
Banks tend to weigh the cost of updating their ATMs against the cost of losses or insurance.
“The banks decide what is more profitable — to update several thousand ATMs, for example for several hundred thousand dollars, or to buy insurance from this type of attack,” Golovanov said.
They often are more worried about ATM uptime. If something goes wrong during a patch update to ATM software, an ATM might go offline and the bank could lose money and customer loyalty.
Only so much CUs can do
Credit unions may occupy a smaller slice of the financial marketplace than for-profit banks, but ATM fraud remains a significant problem for the movement.
Robert Jarosinski, senior consultant in risk & compliance solutions for CUNA Mutual Group, said credit unions and CU advocates are “very concerned” about ATM fraud and ATM skimming, and that the key to alleviating such wrongdoing lies with a faster transition from magnetic-stripe cards to chip-embedded EMV.
For the moment, Jarosinski estimates a “majority” of credit unions have embraced EMV – but for some, the cost, labor and time required for full implementation continue to pose an obstacle.
Jarosinski believes most CUs are doing the right thing by monitoring and proactively preventing such ATM fraud, but worries arise when members use their cards in other venues outside of their ATM networks.
“The credit unions can do all they can to safeguard their ATMs and check for skimming devices, but they can't control what other ATM owners, merchants, gas stations, etc. do,” he observed. “In those instances, they can only defend against the fraud that will be coming by having a good fraud management system, looking for patterns of fraud and hoping their members are monitoring their statements. In the meantime, having EMV cards will help in instances where the fraudster uses it at a non-EMV ATM so the credit union at least has chargeback rights”
According to Bill Prichard, senior manager of public relations and corporate communications for CO-OP Financial Services, payment card skimming at ATMs, gas pumps and point-of-sale terminals has been on the rise for the last two years as the credit union industry (along with other FIs) has transitioned to EMV. As a result, criminals have been racing to commit crimes before new technology makes it more difficult.
“To augment the security protocols ATM providers are undertaking, credit unions can help members understand how to detect and protect against card skimming,” he said.
Editor at Large Penny Crosman welcomes feedback at firstname.lastname@example.org.