Protecting against ATM card skimming during the holiday season
While the frequency of card skimming attacks worldwide is diminishing, it remains a pervasive threat to ATMs located in countries where magnetic stripe data is still accepted. Despite ongoing efforts to combat this type of fraud—which involves capturing magnetic card data and PINs from ATM users—it continues to result in significant financial losses for financial institutions (FIs), ATM operators and retailers. With card skimming crime rising during peak holiday periods, we take a closer look at its impact and how to reduce the risk of falling prey to this type of fraud.
Protecting against card skimming fraud is an all-year-round challenge, but with spikes in incidences around peak holiday periods in line with a marked increase in cash withdrawals for gifting, gratuities and purchases at holiday markets, it’s a good time for FIs, ATM operators and retailers to review and ramp up their ATM security measures and efforts.
Most bank cards now issued are chip cards, which contain two different technologies that can be used at ATMs: a magnetic stripe, which is encoded with the cardholder’s Primary Account Number (PAN), card expiry date and check digits; and an electronic chip, which can communicate interactively with the ATM. The functionality of this chip is standardized according to specifications by Europay, Mastercard, Visa (EMV).
EMV is the global standard for card payments introduced in the early 2000s to enhance security and reduce fraud. The EMV chip contains secret information which never leaves the card, and this is used to create a unique cryptogram each time the card is used. EMV chip data therefore cannot be used to create a cloned card, but EMV chip cards are still vulnerable to magnetic skimming if the card issuer continues to accept magnetic data.
According to the European Payment Terminal Crime Report 2023, card skimming has decreased dramatically and is almost non-existent in markets as a result of compliance with the EMV controls. In comparison, in countries where magnetic stripe data use is still allowed—including the US—card skimming remains a persistent threat.
The FBI estimates that card skimming now costs cardholders and banks over $1 billion every year. Card skimming can also have severe reputational consequences for FIs, ATM operators and retailers. Skimming incidents at a specific ATM can damage its reputation, discouraging future use. However, the broader impact of card skimming attacks is a decline in consumer confidence in the entire ATM channel, potentially resulting in decreased ATM usage and financial losses.
The role of technology in combating card skimming
Technology has played a crucial role in combating card skimming. The introduction of EMV chip technology has significantly reduced the risk of skimming by phasing out the use of the magnetic stripe. Additionally, for markets where magnetic stripe data is still used, advanced ATM security features such as bezel-mounted skimmer prevention and reduced card slot gaps have made it more challenging for skimmers to be installed.
However, as technology continues to evolve, this affords new creative opportunities which can be used by international gangs to develop new skimming techniques. The latest skimming technique which has become widespread is known as deep insert skimming. This technique uses ultra-thin electronic technology to construct a skimmer which can be embedded deeply within the ATM card slot.
Deep insert skimmers are unaffected by bezel-mounted anti-skimming technology and are virtually impossible for an ATM user to detect. When a customer inserts their card, the skimmer reads the magnetic stripe data on the card and stores the data on a memory device on the skimmer. The cardholder’s PIN is typically captured using a covert camera concealed on the ATM. When the deep insert skimmer and camera are retrieved from the ATM, card and PIN data can be extracted from the devices and used to create cloned magnetic stripe cards. Deep insert skimmers have been created to fit both motorized and Document Insertion Processor (DIP) ATM card readers.
Measures to protect against card skimming
Robust ATM security measures are vital all year round, but with cash withdrawals peaking in the holiday season, extra vigilance is always recommended. Here are some steps that ATM operators can take to mitigate the risks:
- Frequent inspections and maintenance: Undertake frequent checks of your ATMs, CCTV and surveillance equipment to help identify and address potential vulnerabilities. Place covert cameras where they have a view of the PIN pad and can be spotted by knowledgeable inspectors.
- Advanced ATM design: Ensure you are operating with the latest anti-skimming technology that offers protection against deep insert skimming. Ultra-thin deep insert skimmers can only be prevented using recent detection technology.
- EMV compliance: Ensure that ATMs are EMV-compliant as this protects against skimming when magnetic stripe use is discontinued. Partner with a provider that has ATMs equipped with EMV card readers and an ATM network that is fully EMV compliant.
- Customer education: Provide your customers with information about how to protect themselves from skimming, such as using contactless payments, covering their PIN, regularly checking their account for any unauthorized transactions and being vigilant for anything suspicious around the ATM. If you offer contactless payment, promote this service to your customers.
- Transaction monitoring: Be vigilant in looking for anything suspicious in your transaction monitoring software reports, i.e. significantly higher values or volumes of consecutive cash withdrawals. This may be indicative of the use of cloned cards. Invest in robust transaction monitoring capabilities for peace of mind.
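The transaction monitoring step can be sketched as a sliding-window check per ATM. This is an added example, not code from the original article; the record layout, the 10-minute window and both thresholds are assumptions to be tuned against each terminal's normal traffic.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample records: (ISO timestamp, terminal id, card token, amount).
SAMPLE = [
    ("2024-12-20T10:00:00", "ATM-A", "card-01", 60),
    ("2024-12-20T10:30:00", "ATM-A", "card-02", 100),
    ("2024-12-20T11:15:00", "ATM-A", "card-03", 40),
    ("2024-12-21T02:00:00", "ATM-B", "card-11", 400),
    ("2024-12-21T02:01:30", "ATM-B", "card-12", 400),
    ("2024-12-21T02:03:00", "ATM-B", "card-13", 400),
    ("2024-12-21T02:04:10", "ATM-B", "card-14", 400),
    ("2024-12-21T02:05:30", "ATM-B", "card-15", 400),
]

def flag_bursts(records, window=timedelta(minutes=10), max_count=4, max_value=1500):
    """Return (terminal, timestamp, count, total) for every withdrawal that
    pushes a terminal's sliding window past the volume or value threshold."""
    recent = {}   # terminal id -> deque of (timestamp, amount) inside the window
    alerts = []
    for ts_text, terminal, _card, amount in sorted(records):
        ts = datetime.fromisoformat(ts_text)
        queue = recent.setdefault(terminal, deque())
        queue.append((ts, amount))
        # Drop withdrawals that have aged out of the window.
        while ts - queue[0][0] > window:
            queue.popleft()
        total = sum(a for _, a in queue)
        if len(queue) > max_count or total > max_value:
            alerts.append((terminal, ts_text, len(queue), total))
    return alerts

if __name__ == "__main__":
    for alert in flag_bursts(SAMPLE):
        print(alert)
```
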
The future of card skimming prevention
Card skimming remains a persistent threat to ATMs if card issuers continue to accept magnetic stripe. As technology continues to evolve, so too will the methods used by fraudsters. It is essential for ATM operators to stay ahead of the curve by investing in advanced security measures (e.g. deep insert detection technology), training staff on how to identify and respond to potential threats and staying informed about the latest skimming techniques. By taking these steps, operators can help protect their customers and minimize financial losses.
Top tips for card skimming protection
Tactical protection
- For magnetic stripe cards, protection must be deployed across all areas where card data exists in the ATM, i.e. against bezel skimmers, deep insert skimmers, eavesdropping skimmers, software skimmers and communication skimmers.
- Deploy anti-skimming protection such as bezel anti-skimming, deep insert detection, eavesdropping-resistant card readers, communications encryption, malware protection and TLS 1.2.
- Be prepared to update protection as new technology enables new attacks.
Strategic protection
- Card issuers can eliminate the problem by eliminating the use of the magnetic stripe for domestic ATM authentication.
- Block ATM fallback on chip/EMV at the issuer host, not at the ATM.
- Promote the use of contactless EMV.
- Update issuer fraud detection engines to detect magnetic stripe use at foreign ATMs.
- If magnetic stripe use is detected, consider out-of-band confirmation techniques, e.g. sending a text message to the cardholder.
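The strategic controls above can be expressed as one issuer-host authorization rule keyed on how the card was read. This is an added example, not code from the original article; the field names, action labels and the fail-closed default are assumptions, and the entry mode codes should be confirmed against your card network's specification.

```python
# POS entry mode codes (ISO 8583 data element 22, first two digits) as commonly
# assigned by card networks; confirm against your own network specification.
EMV_MODES = {"05", "07"}        # contact chip, contactless chip
MAGSTRIPE_MODES = {"02", "90"}  # magnetic stripe read
FALLBACK_MODE = "80"            # chip card read by stripe after chip failure

def decide(txn, issuer_country):
    """Return (action, reason) for one ATM authorization request."""
    mode = txn["pos_entry_mode"][:2]
    if mode in EMV_MODES:
        return ("continue", "chip transaction, normal authorization")
    if mode == FALLBACK_MODE:
        # Enforced at the issuer host, so a tampered ATM cannot bypass it.
        return ("decline", "fallback blocked at issuer host")
    if mode in MAGSTRIPE_MODES:
        if txn["terminal_country"] == issuer_country:
            return ("decline", "magnetic stripe not accepted at domestic ATMs")
        # Foreign stripe use: hold until the cardholder confirms, e.g. by text.
        return ("confirm_out_of_band", "magnetic stripe use at foreign ATM")
    # Assumption: unknown entry modes fail closed.
    return ("decline", "unrecognized entry mode")

# Constructed sample requests; field names are hypothetical.
SAMPLE = [
    {"pos_entry_mode": "051", "terminal_country": "US"},  # chip, domestic
    {"pos_entry_mode": "801", "terminal_country": "US"},  # fallback, domestic
    {"pos_entry_mode": "901", "terminal_country": "US"},  # stripe, domestic
    {"pos_entry_mode": "901", "terminal_country": "MX"},  # stripe, foreign
    {"pos_entry_mode": "071", "terminal_country": "MX"},  # contactless, foreign
]

def actions(samples=SAMPLE, issuer_country="US"):
    """Return just the action for each sample request, in order."""
    return [decide(t, issuer_country)[0] for t in samples]

if __name__ == "__main__":
    for txn in SAMPLE:
        print(txn, "->", decide(txn, "US"))
```
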