Threat Management, Network Security

Report: ATM fraud on the rise

Nearly one in five debit or credit card fraud victims reported having their PIN information stolen in 2009 – which represents a “considerable increase” over 2008, according to a report released Tuesday by Javelin Strategy & Research.

The report, which is based on a telephone and online survey of 8,168 consumers, found that 10 percent of all fraud victims had cash withdrawn from their accounts via fraudulent ATM transactions. Twenty-three percent of those who experienced fraudulent withdrawals left their primary financial institution.

Using an ATM machine can place consumers' data at risk in several ways, according to Adam Bosnian, VP of products, strategy and sales at privileged identity management solutions vendor Cyber-Ark Software.

Thieves may place legitimate-looking hardware skimmers on the face of an ATM machine that copy information from the magnetic strip of a card, for example. In addition, thieves could use spy cameras or Bluetooth wireless communications to obtain PIN numbers and credit card data, Bosnian said.

According to the Javelin report, ATM fraud is not only growing in prevalence, but also in sophistication.

“Skimming attacks, the most basic, are being replaced with attacks on the software inside ATMs and ATM networks,” the report states.

Often, these types of attacks are carried through the exploitation of legacy hardware and software vulnerabilities that are present in machines. In addition, attackers can use various hacking methods to gain access to an organization's network and obtain credit and debit card information in bulk, Bosnian said.

Despite the ample risks, consumers are not consistently being protected by their banks from ATM fraud, the survey found. However, certain banks – including Bank of America, Chase, Citibank and Wells Fargo – were found in the survey to be the best at covering fraudulent ATM withdrawals.

To protect consumers from ATM fraud, financial institutions should educate consumers about typical skimming techniques and offer zero-liability protection that includes PIN credit and debit card losses, the report said. 

In addition, ATM vendors should use “anti-skim” designs for their ATM surface and keyboards. Also, ATM vendors should use Payment Card Industry (PCI)-certified components to guard against common software vulnerabilities that can be exploited.

“It is expected that ATM PIN fraud will increase unless comprehensive layered security is used to mitigate the risk,” the report states.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.