BreachExchange mailing list archives

Alert: ATM Skimming Up in U.S.


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 28 Jul 2015 19:45:57 -0600

http://www.databreachtoday.com/alert-atm-skimming-up-in-us-a-8432

A new security alert from ATM manufacturer NCR Corp. warns that ATM
skimming attacks in the U.S. are on an upswing. The trend likely is being
fueled by the migration away from magnetic-stripe technology toward EMV
chip technology.

ATMs of all makes and models have seen increases in skimming attacks in
recent months, according to the alert, which NCR issued July 23. Other ATM
manufacturers, including Diebold Inc. and Wincor-Nixdorf AG, did not
respond to Information Security Media Group's request for comment.

As U.S. banks and credit unions phase out magnetic-stripe cards and replace
them with chip cards, and U.S. merchants upgrade their point-of-sale
terminals to accept chip transactions, fraudsters are going to work
overtime to ensure they can capture as much card data as possible from
mag-stripes to perpetrate counterfeit card fraud. ATMs will increasingly be
targeted, experts predict, because the vast majority of ATMs in the U.S.
won't even begin their migrations toward EMV for another two to three years.

To help ensure their ATMs are not compromised by skimming devices, security
experts advise banking institutions to keep their anti-skimming services
and technologies up to date; invest in skimming-detection software and
services that alert them when an ATM has been tampered with; and make
training employees on how to readily detect skimming devices on ATMs a
priority.

NCR's Alert

NCR says it issued the alert about upticks in ATM skimming attacks after
receiving numerous reports from banking institutions about ATM compromises.

"As a result of our investigations with law enforcement, we have seen that
[skimming] devices that have been used in the U.S. have been bezel-mounted
card skimming devices," the alert states. "This false-overlay bezel is
attached on top of the legitimate card-reader bezel."

Many of the recent skimming attacks also have involved the installation of
small cameras near the ATM's PIN pad to capture PINs as they are entered for
cash withdrawals, the alert notes.

NCR says the attacks law enforcement identified in the U.S. had compromised
older versions of third-party anti-skimming devices, not devices issued by
the original equipment manufacturer.

"Skimming has been the No. 1 form of attack on ATMs for many years," says
Owen Wild, NCR's global director of security solutions. "Even though we
have seen some regional variations, we have, and continue to view it, as
the most relevant form of attack or potential attack. What now stands out,
however, is that we have seen much more interest in anti-skimming solutions
from customers as a result of the increase."

Owen says tracking exact figures for incidents of ATM skimming is
difficult; most manufacturers base trends on information they receive from
bank and credit union customers.

But according to FICO's Card Alert Service, skimming at U.S. banking
institution ATMs increased 173 percent in the first quarter of this year,
compared with the same period a year ago. Skimming attacks waged against
U.S. ATMs at off-premises locations, such as convenience stores and hotels,
also increased, up 317 percent for the same period, FICO notes.

By comparison, FICO found that skimming attacks waged against point-of-sale
terminals in the U.S. dropped by 81.3 percent from Q1 2014 to Q1 2015.

ATMs: Easy Targets

ATMs, because they are unattended, self-service devices, can be easy
targets. Fraudsters can, with relative ease, attach skimming devices to the
fascia of ATMs without anyone noticing.

Many banking institutions have invested in security technology that alerts
them when the fascia of one of their ATMs has been manipulated or
disturbed. But experts say they also need to make sure ATMs are regularly
inspected.

One fraud executive with a leading regional banking institution in the
Midwest, who asked not to be named, tells ISMG the uptick in ATM skimming
attacks appears to be impacting some regions of the country more than
others.

"Our ATMs [which are all Diebold] are equipped with anti-skimming devices,"
the executive says. "They are supposed to alert us if something is placed
over the card reader. So far, we have not had an issue, but I am sure it is
coming. We also ask our banking center staff to check our ATMs regularly."

NCR's Wild notes that the ATM manufacturer recommends the deployment of
current anti-skimming solutions. "But further protection recommended
includes protective PIN shields [which prevent pinhole-sized cameras from
capturing PINs as they are entered on the keypad]. Practice recommendations
also include advising banks to train service personnel and staff to
regularly inspect for skimmers."

Why the U.S. Increase?

U.S. card issuers are quickly ramping up their EMV rollout efforts. The
fraud liability shift date for EMV - the date when fraud that results from
a mag-stripe transaction will be shifted to the issuer or merchant that is
not compliant - is October 2015. But the liability shift date for ATMs and
pay-at-the-pump fuel dispensers is not until October 2017.

That means skimming mag-stripe transactions at ATMs and self-service fuel
dispensers is likely to continue increasing for at least the next two
years. And controlling that risk will be challenging.

While some European markets have blocked all mag-stripe transactions to
control counterfeit card fraud, blocking mag-stripe transactions will never
be a viable solution for the U.S., he explains.

"I attribute the increase in skimming attacks in the U.S. to several
factors," Wild says. "First, there is a larger deployment of anti-skimming
devices in certain regions. Second, some countries have been more proactive
in deploying other measures that make using cards outside of the host
country [such as blocking mag-stripe transactions] more difficult. And
third, the redemption of stolen card information is much easier in non-EMV
countries, such as the U.S."

Until all POS devices, ATMs and pay-at-the-pump fuel dispensers have been
upgraded to accept EMV chip cards, all U.S. chip cards must maintain
mag-stripes.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
