When members face card fraud abroad, many CUs unequipped to respond
An overseas vacation can nosedive quickly once a debit card has been compromised, creating problems not only for members, but also for their credit unions.
Credit unions are adding features, such as allowing members to freeze a debit card once fraud is detected, to help stop criminals and better serve consumers. Still, providing these additional features can be difficult for small institutions with limited budgets and resources.
“Nowadays with the state that we’re in with the adversarial actors that are preying on banks, we need to invest more into the security of ATMs,” said Limor Kessem, global executive security advisor at IBM Security.
Every dollar of fraud cost banks and credit unions roughly $2.92 in 2018, which was a 9.3% increase year-over-year, according to Rippleshot, an analytics firm that detects card fraud. In 2017, 6.6 million people were subjected to debit card theft, according to Javelin Research & Strategy.
The type of fraudulent attack depends on a criminal’s sophistication. Standard techniques such as skimming – where a thief fits a skimming device into a card reader of an ATM or gas station pump and secretly stores the information – are still fairly common despite the rise of EMV, commonly known as chip cards. This technique is often coupled with a miniature camera installed offsite to obtain footage of a consumer entering their PIN information.
Another trend is ATM wiretapping, which involves drilling a hole into an ATM and threading a skimmer into the actual ATM itself, said Jack Lynch, chief risk officer at PSCU. This method is more discreet compared to an external skimmer placed on a card reader.
There are also devices known as "shimmers," which are a newer version of the skimmer that can read data from EMV debit and credit cards. Shimmers sit between the chip on a card and the chip reader within an ATM and can record the chip’s data. Though data derived from shimmers are unable to clone new chip-based cards, they still are able to recreate a magnetic stripe card.
“Today we’re seeing an explosion in tactics and techniques and you're looking at $2 billion in losses coming out of the ATM space,” Lynch said.
ATM manufacturers have responded by disrupting attempts to retrieve the stolen information. For instance, thieves can collect their stolen data wirelessly through any device with Bluetooth technology, which uses low-power radio waves. Manufacturers prevent this by interrupting the radio waves.
These types of crimes can happen at home or abroad but if a member is defrauded while traveling overseas, it can be more difficult for the credit union to help. To combat this, some credit unions, such as Navy Federal Credit Union, are equipping their members with more options when they have been a victim of fraud.
Navy Federal has implemented new technology to allow members to flag fraud faster, said Parker West, manager of debit card projects and analysis. For instance, the Vienna, Va.-based credit union offers the ability for members to freeze their debit card instantly with its mobile app if they don’t recognize a purchase.
It also helps that the $97 billion-asset credit union has 27 branches and 53 in-network ATMs overseas. If a member's card is breached, he or she could visit a branch for help. And for those traveling beyond its branch network, Navy Federal will overnight a card to a member in needed, West said.
However, smaller credit unions have more limited resources and no branches overseas.
“There are levels of sophistication that smaller credit unions may not have access too, but larger financial institutions are very active and very proactive when trying to stop the skimming issue because they know it’s a reflection on their brand and it’s upsetting,” said Steve Scarince, associate managing director within cyber risk at Kroll.
Still, there are steps smaller credit unions can take to protect themselves and members. To stop sophisticated attackers, financial institutions can turn to their vendors to ensure proper maintenance and software updates to ATMs. Many ATMs run on old interfaces, such as Windows XP, which opens institutions up to more risk since outdated technology is easier to penetrate.
Kessem also recommends working with white hat hackers, or ethical professional hackers who can assist with cybersecurity needs.
Credit unions, including Navy Federal, of all sizes can help educate their members about potential issues of traveling abroad and precautions they can take. For tip is encouraging consumers to avoid using ATMs in remote locations since these are less likely to be monitored and are easier for criminals to tamper with. Credit unions should also advise members traveling abroad to bring a several credit and debit cards in case one is compromised.
“You have to constantly update the firmware, the security because the criminals are taking the ATMs, cooking them in labs, and figuring out ways to break into them and install malware and steal cash at the time,” Lynch said. “It’s incumbent on credit unions that ATMs have to be part of their infrastructure.”