These types of attacks are not new, but the scale and the organization behind them are, Avivah Litan, vice president and distinguished analyst at Gartner, told SCMagazineUS.com on Tuesday. Over the past six months, fraudsters increasingly have been mounting well-organized and systematic attacks that involve placing skimming devices on not just ATM machines — the most commonly targeted device — but also point-of-sale systems and gas-pump card readers.
Litan said she heard about the increase in skimming at a recent fraud conference attended by numerous financial services companies. There, she learned that skimming is currently one of the top problems with which banks are dealing.
Last summer, Chris Paget, chief hacker for H4RDW4RE, a security consulting company that specializes in hardware and radio reverse engineering and assessment, unknowingly encountered a rigged ATM at the Rio All-Suites Hotel & Casino in Las Vegas. As a result, Paget, who was in town to attend the Black Hat hacker conference, lost $200.
In his case, the ATM contained no signs of tampering and apparently was internally compromised. But Paget, best known for his research around RFID technology, said externally placed skimming devices are becoming more advanced.
"Skimmers are reaching the stage now where it's impossible to detect them reliably," Paget said. "In most cases, the externally attached devices are made well enough that they blend in perfectly unless you know what to look for."
According to a report issued early this month by Javelin Strategy & Research, nearly one in five debit or credit card fraud victims reported having their PIN information stolen in 2009 – which represents a “considerable increase” over 2008. The report also found that 10 percent of all fraud victims had cash withdrawn from their accounts via fraudulent ATM transactions.
And two weeks ago, the U.S. Secret Service in South Carolina issued a warning to consumers to be on the lookout for what authorities believe is an international operation to attach skimming devices to card readers, according to published reports. Authorities located roughly 10 skimmers at various ATMs, prompting the advisory.
In November, industry trade group the ATM Industry Association, which attributes $1 billion in annual global losses to skimming, called for tougher penalties for offenders.
The ATMs of major banks are being targeted with this type of fraud, and it is not only occurring in remote locations, Litan said. For example, skimmers have been placed on ATMs directly outside of bank branch locations in major U.S. cities. In addition, fraudsters have been systematically swapping out U.S. retailers' point-of-sale systems with their own devices, which have been crafted to steal consumer information.
Banks are taking this issue seriously because they generally have to pay the fraud costs associated with skimming, Litan said. Banks incur skimming costs because they are liable for card-present transactions, or those in which the card and the cardholder are physically present at the time the payment is processed.
As a result, banks have been putting in place additional fraud detection measures and have begun reaching out to clients to educate them in ways they haven't in the past, Litan said. However, it is often difficult to tune fraud detection systems so they don't inconvenience customers by rejecting transactions.
"It's a pretty sad state all around that the average citizen is powerless to protect against," Paget said. "You can only hope that your bank protects you when you do eventually get scammed."
To increase the security of transactions, many countries have already begun or completed the transition to chip cards, which securely store a cardholder's account number and PIN on an embedded micro-computer chip that is virtually impossible to skim, Litan said. The transition has been held back here because of the cost and the high number of banks and retailers that would have to support the initiative.
But the United States may move to chip cards sooner than expected if current levels of skimming fraud continue, Litan said.