Security alerts

Card Reader Skimming Attacks

Dear valued customers:

NCR Atleos has received reports of card skimming attacks across the US. In these attacks, criminals add devices to ATMs that read and capture magnetic stripe data from cards as they are used. Additionally, a PIN capture camera is often installed to record PIN entries. The stolen magnetic stripe data is then used to create cloned cards, which are subsequently used to withdraw funds from the victims' accounts.

Key points

• The most common method of skimming is a technique called Deep Insert Skimming (sometimes referred to as M3 or D3 skimming). This method applies to both motorized and DIP card readers. Prevention requires specific hardware countermeasures on the ATM. Deep Insert Skimming is prevalent because many ATMs in the USA are not protected against this specific form of skimming.
• Card skimming is not a viable attack against chip cards. Skimming losses can be prevented by card issuers who decline all fallback (magnetic stripe) transaction authorization requests from chip cards. Most card issuers outside the USA already decline magnetic stripe transactions, leading to a sharp decline in card skimming outside the US.
• Card skimming is also not a viable attack against contactless chip cards. Cards that are tapped at the ATM instead of inserted cannot be skimmed. NCR Atleos recommends enabling contactless transactions and encourages financial institutions to educate and incentivize cardholders to use tap instead of inserting their cards.

Recommendations:

• NCR Atleos strongly recommends implementing comprehensive skimming protection for all ATMs in the US. This includes adding Deep Insert Skimming protection to ATMs that already have fascia skimming protection.
• Enable contactless transactions and educate cardholders to use tap instead of inserting cards.

If you have any questions or concerns, please reach out to your NCR Atleos representative.

Thank you for your continued partnership,

NCR Atleos Security Team