Last month, the European ATM Security Team (EAST) published its latest European fraud report after another busy period in the world of ATM-related theft. While EAST acknowledged an improvement in the area of countermeasures, such as “chip & PIN” technology and “geoblocking” (limiting access based on geographical location), card skimming was reported in 18 countries, and defrauding of European accounts occurred in 43 countries and territories outside of the continent. Most of these losses were incurred in the United States, with Thailand and Indonesia second and third on the list, respectively. Also in July, 65 Romanian citizens were detained in relation to ATM fraud, and other forms of cybercrime, as part of an international operation, while a Spanish man was detained on Monday in southern Thailand after being apprehended with over 1,000 blank ATM cards and a trail of stolen proceeds estimated to be “tens of millions of baht.”
Although the sophistication of security measures continues to advance—as of today, credit card users in Australia must enter a PIN for in-store transactions—ATM fraud remains an ongoing concern in 2014. The issue is not new, as EAST was founded in 2004 and the U.S. Secret Service released data in 2008 that estimated an annual loss of US$1 billion (US$350,000 per day) for Americans due to ATM fraud. It is also worth noting that security experts have been forced to keep up with the rapid development of the technology that is used to fraudulently gain access to personal bank accounts.
The two essential factors required in the vast majority of ATM crimes are: the data stored in the black magnetic strip on the back of an ATM card, and the PIN. To obtain the data from the back of the card, skimming devices, which are installed where the card is inserted, are typically used. These devices have become smaller and more difficult to detect over time, and they can be mobile-based—meaning that the stolen data is relayed in a text message—or MP3-based, whereby the data is retrieved in audio form and later converted with specialized software.
A secondary component must then be used to obtain the PIN and a miniature camera, which captures footage of the ATM user entering the numerical sequence on the machine’s keypad, is most commonly used (footage seized in a U.S. case showed the ATM user reading the PIN aloud to himself). Cameras have been found hidden behind security mirrors that serve to alert the ATM user if a person is behind
them, and in false panels attached to the ATM with a customized pinhole for the camera. Keypad overlay devices, identical replications that fit on top of the original keypad, can also be used to collect the PIN, but investigations revealed that they can cost as much as US$12,000, leading to a much lower rate of use.
Keeping up with the pace
While the developments to overcome security countermeasures, and the rate at which they occur, can make for extraordinary reading, the inventiveness of ATM fraudsters continues to be a foremost concern for law enforcement. The “all-in-one” skimmer was identified in 2010 and has since proven popular. The unit consists of both the magnetic strip reader and PIN-retrieval camera, meaning that the user spends less time installing the device and also less money, as they can be purchased for a few thousand dollars. The following year, 3D printers were used to create skimming devices that eventually stole US$400,000.
Perpetrators have also devised alternative approaches to ATM fraud. “Card-trapping” and “cash claw” devices were publicly revealed in a 2012 EAST report, which identified use in five European countries. Card trapping involves the use of a device that prevents the card from being returned to the owner, thereby allowing the card and the recorded PIN to be used at another machine afterwards. (EAST was surprised by the high percentage of people who did not contact their bank at the time.) Cash claws target the cash-dispensing outlet of the ATM and either skim notes or prevent the entire cash amount from being released (a group in France stole 1 million euros with a fork-shaped tool that prevented the dispenser from closing).
According to his website biography, Brian Krebs is not from a technical background and stumbled into the field of computer security by accident, after his home network was “overrun by a Chinese hacking group.” Krebs, who wrote for the Washington Post for 14 years, runs the “Krebs on Security” website and is responsible for what may be one of the most comprehensive information sources on ATM skimmers and fraud. Krebs’ “All About Skimmers” series dates back to January 2010 and tracks the evolution of the skimmer, as well as the manner in which they are used and the behavior of ATM users.
In Krebs’ most recent post on skimmers, published in early July of this year, he explains that even with the implementation of chip & PIN technology in Europe—more than 90% of European ATMs are compliant with the technology—the continent is still vulnerable to skimmer fraud. Also known as “EMV” (short for “Eurocard, Mastercard and Visa”), chip & PIN cards contain a thumbnail-sized chip with a secret algorithm embedded into it, thereby making the process of card-duplication more expensive and complicated. While the addition of the chip has resulted in tighter security, the latest EAST report notes: “In countries where the ATM EMV rollout has been completed most losses have migrated away from Europe and are mainly seen in the USA, Asia-Pacific, and Latin America.” As of July 2014, the greatest amount of loss for European card issuers occurs in the Asia-Pacific region, followed by Latin America.
An ounce of prevention
It may be difficult to believe that the U.S. is yet to transition to chip & PIN technology, as authorities continue to deal with stolen ATM cards that are sent from Europe to the U.S. and Latin America for encoding. However, Krebs insisted on July 7 that the most effective way to protect yourself from ATM skimmers does not even require a specialized tool, an expensive purchase or a degree in computer security. While also exclaiming how surprised he is at the low rate of uptake, Krebs concludes his post with one simple and clear recommendation: cover the keypad when you enter your PIN.