While ATM skimming scams are sure to continue leading up to the country's EMV migration next year, the time to take advantage of these schemes is limited for criminals, and they are without a doubt looking to leverage new attacks against money machines, experts say.
Angel Grant, senior manager at security firm RSA, told SCMagazine.com that variations in skimming devices, as well as tactics used to steal payment card data using the hardware, will likely be plentiful – and clever – a last hurrah for fraudsters, so to speak, as merchants prepare to implement the global Europay, MasterCard and Visa (EMV) standard by Oct. 2015, the date when fraud liability shifts from banks to retailers that haven't taken up the chip-and-PIN verification system.
In July, for instance, the European ATM Security Team (EAST) warned of fraudsters fitting ATMs throughout Europe with mini-skimmers, smaller versions of traditional skimming devices that more easily escape detection. With the stolen data, criminal gangs likely aimed to create bogus magnetic stripe cards for use in the U.S., or other areas slow to adopt EMV.
“The hardware in ATM skimmers has been a threat for a while,” Grant said. “You often see them at point-of-sale terminals at gas stations, for instance, and we will see more of them in the course of the next year. They are going to capitalize on the fact that the U.S. has not migrated to EMV. And they know the window of opportunity is going to shrink over time,” she said.
Until the migration to EMV is complete, banks should encourage their customers to take some anti-skimming measures that Diana Kelley, executive security advisor at IBM, said can thwart inevitable attacks.
“It's a very old school [concept], but covering up your PIN as you are entering it does help,” Kelley said, explaining that criminals often couple skimmed card data with PIN information recorded by pinhole cameras they've also installed.
“Do take a look at the ATM that you are using,” Kelley also advised. “Some of the skimmers are half hanging off of the ATMs and aren't as elegant as the ones you see in the news. And use the more heavily monitored ATMs, in a bank lobby for instance, versus one that's in an unmanaged location.”
Kelley also advocated additional measures for fraud prevention, such as the use of out-of-band authentication for ATM transactions, which might include a banking app that verifies whether cardholders are actually at ATMs flagged as dispensing money from their accounts. Many banks already offer basic email alerts notifying customers of various transactions, she explained.