How is ATM fraud still a thing?
With all the technology advances they’ve made, why can’t banks keep the ATM, a product of the 1960s, safe from attack?
The number of payment cards compromised at U.S. ATMs and merchants monitored by FICO swelled 70% in 2016. Compromises of ATMs and merchant devices themselves in the U.S. rose 30%, following a sixfold increase in 2015. (FICO monitors about two-thirds of all PIN-based debit card transactions in the U.S.; it does not separate incidents at ATMs from those at POS terminals.)
That’s not counting the ATMs that are hacked remotely through software, nor a rash of recent cases in which criminals used a power drill and a $15 homemade gadget that digitally triggers the ATM’s cash dispenser to empty the machines.
On Monday, Joel Abel Garcia, a member of an ATM crime gang that used secret card-reading devices and pinhole cameras on PNC and Bank of America ATMs to steal at least $428,581, pleaded guilty in a Newark, N.J., federal court to conspiracy to commit bank fraud.
“Over the past 24 months there has been a significant increase in ATM attacks involving credit card and card skimming at ATMs, and it is following the global pattern,” said Owen Wild, global marketing director for enterprise fraud and security for financial services at the manufacturer NCR.
One reason ATM fraud persists is that attacks are getting more sophisticated, as well as more frequent. ATM crime has always run an interesting gamut, from people physically picking up ATMs and loading them into their trucks, to attempts to blow up the machines, to skimming devices that are increasingly hard to detect to sophisticated malware that can dive into the software used to run ATMs and manipulate it to spew out cash at machines. The attacks are most easily done at unattended machines in remote locations and convenience stores.
Skimming — use of a card reader to steal information from a card’s magnetic stripe — remains the most common type of attack.
“Skimming technology has improved a lot,” said Michael Betron, senior director of product management at FICO. “I could go buy a Bluetooth skimmer for under $100 in an online marketplace. The cost has gotten lower, the ability to obtain it has gotten more widespread, and general know-how has increased.”
Card skimmers are not illegal in the U.S. until after they’ve been used in a crime. Anyone can buy an over-the-counter card reader that’s designed to be plugged into a POS device and therefore has a viable commercial use as well as an underhanded criminal application.
“But when I go on marketplace sites and I see devices that are being sold for the sole purpose of committing attacks on ATMs, whether mine or colleagues’ and competitors’, it’s infuriating,” Wild said. “Even if it’s not illegal, it’s not ethical.” NCR won’t even use such devices in testing, so as not to support that activity.
There’s still a low level of criminal prosecution of card skimming in the U.S. Law enforcement has “got their hands full,” Wild said. “They’re not ignoring it.”
Some countries have stiffened the penalty for this crime and the rate of card skimming attacks has dropped, Wild said.
The use of malware to steal from ATMs, though less frequent than skimming, has been steadily increasing since the first ATM malware appeared in March 2009, according to Sergey Golovanov, principal security researcher at Kaspersky Lab. The second ATM malware strain appeared in March 2012. Three new ones were created in 2013, another three in 2014, four in 2015 and eight new POS and ATM malware families were found in 2016. Already in 2017, researchers have seen three new malware types emerge.
“More criminal gangs are coming for the ATM,” Golovanov said.
There are two ways to install malware on an ATM, he said. The first, which Kaspersky calls a “black box” attack, is through the USB port, which is accessed by using a small key or breaking open the ATM. Criminals plug in a malware-loaded USB drive and open the malicious program, which instructs the ATM to dispense money.
The second way is for cyberattackers to infect the bank itself, by finding and installing malware on the computer that runs the ATMs. Then with scheduling software they dispense money through various ATMs, where low-level criminals called mules wait to collect the money.
“They’re criminals with hoodies and sunglasses, and they get an ATM assist fee,” Golovanov said.
ATM fraud is about 10 times more financially rewarding than branch robberies, said Doug Johnson, the American Bankers Association’s senior vice president of payments and cybersecurity. ATM theft can net a criminal $30,000 to $50,000, while the average bank robber gets only $3,000 to $5,000 on average before he’s apprehended.
Some in the industry theorize that criminals are cramming in as much ATM theft as they can before the machines become compatible with the EMV chip card standard. While skimming devices for magnetic stripe cards are easy to come by, devices that can intercept information being passed from a chip to an ATM have yet to be designed and manufactured. So fraudsters want to get as much use out of their skimming devices as they can.
“There’s an effort on the part of criminals to try to get ahead of that,” Johnson said. “There’s somewhat of a rush to get the card numbers and PIN numbers and compromise them before next year in October, when there will be much more compliance with chip cards.” Beginning Oct. 1, Visa will shift liability to ATM owners that haven’t upgraded; the cutoff for Mastercard was last October.
The U.S.’s slowness to adopt the EMV standard has made it more vulnerable than many other countries, Wild said. It also has a lower penetration of anti-skimming solutions. All of which attracts criminal activity.
“Crime tends to migrate to its weakest link,” Wild said.
When all U.S. ATMs are EMV-compatible, it is hoped, ATM fraud will subside.
“Once all fallback magnetic stripe transaction support is removed from the systems, then the U.S. should see a drop similar to what was experienced in Europe,” said Nick Billett, senior director of global research and development and head of ATM security at the manufacturer Diebold Nixdorf. Fraudsters will then focus on card trapping — where an inserted device grabs a card and never lets it go, so the perpetrator can do something with it later — which is more difficult.
However, universal adoption of EMV is not a given. It’s not driven by a regulation or a mandate, but by a shift in the liability for fraud from card issuer to device purveyor. It’s up to each ATM owner to decide whether or not to upgrade to an EMV-compatible machine.
“Fortunately the banks and credit unions have seen there’s no viable business case for them to not do it,” Wild said. “But when you look at the economics for small and midsize business, it becomes a different story.”
Many machines are likely to support stripes and chips for a long time. And even when all ATMs support EMV, it’s only a matter of time before criminals figure out how to intercept the communications between card chips and machines.
“Oy, yes, there will always be the next thing,” Wild said.
The two major U.S. ATM manufacturers offer anti-skimming products.
Diebold has a special card reader that can be put on existing ATMs called ActivEdge. It forces users to turn their cards 90 degrees to insert the longer edge — most skimming devices are made to work the usual way, with the shorter edge sliding in. The reader also encrypts data passed between the card reader and the PC driving the ATM. Diebold also offers technology that can detect and prevent skimming.
NCR offers a skimming protection solution that is designed to detect the presence of a skimmer on the ATM bezel or in the ATM insert and notify the system to take an action, such as disable the ATM. It provides internal devices that protect the card reader itself from vandalism or being accessed to skim the data, and that encrypt communication between ATMs and host networks. Its newest ATMs have a card reader that’s flush mounted on the front ATM panel, so anything attached to the front of the ATM would stand out. The card reader itself is small, making it difficult to use an insert.
For its part, the ABA in February added the ability to report ATM fraud in its branch robbery database, which Johnson describes as a Google Maps for bank heists. The database populates geographic mapping software that shows where the attacks occur. The database also tracks the timing of each event, the losses and the make and model of the compromised machine.
Banks would typically use the database to determine if their customers have been affected by an attack at another bank’s machine, and to decide which security measures to deploy at each ATM and branch location.
It could also be used to predict criminals’ movements.
“These skimming criminals tend to run in packs,” Johnson said. “We can see whether a gang of skimming criminals are moving from one geography to another — driving up Interstate 95, for instance.” Banks could be alerted that their ATMs along the route are at heightened risk.
In a pilot test, the ABA is giving some law enforcement agencies access to the branch robbery database, and it has plans to do the same with its ATM crime data.
The ABA and its members continually compare notes on ATM fraud their attempts to counteract it, Johnson said. ATM manufacturers and The Financial Services Information Sharing and Analysis Center send advisories about the latest threats to ATMs.
Is the industry doing enough?
But banks aren’t diligent about keeping their ATMs up to date, said Golovanov. (The banks with the largest ATM networks, Bank of America, Wells Fargo and Chase, all declined requests for interviews.)
“It’s too expensive for the banks,” Golovanov said. “So big banks are not updating all the ATM networks once a year. Usually banks will update ATMs once in five to 10 years. During these years, ATMs are vulnerable to attacks from malware or black-box attacks.”
Banks tend to weigh the cost of updating their ATMs against the cost of losses or insurance.
“The banks decide what is more profitable — to update several thousand ATMs, for example for several hundred thousand dollars, or to buy insurance from this type of attack,” Golovanov said.
They often are more worried about ATM uptime. If something goes wrong during a patch update to ATM software, an ATM might go offline and the bank could lose money and customer loyalty.
When a patch is released, the bank will typically test it for several months before implementing it across a network.
Johnson acknowledged that manufacturers, banks and law enforcement could make more effort to try to stop ATM crime.
“We could always do more,” he said. “I think that’s the nature of cybersecurity and these kinds of threats. It’s eternal vigilance. You’re never done.”
Editor at Large Penny Crosman welcomes feedback at firstname.lastname@example.org.