How financial institutions can help curb ATM fraud in merchant locations
It’s no secret that fraud attacks on ATMs are on the rise. A 2016 FICO study revealed a 546 percent increase in compromised ATMs from 2014 to 2015, and another increase in 2016 by another 30 percent. While the majority of these attacks are occurring on non-bank owned ATMs, it is important that institutions continue to diligently monitor and fight fraud at their ATMs as well as provide guidance and enhanced security to their merchant customers who own or partner with the institution on ATM driving services.
This increase in ATM fraud likely stems from the implementation of EMV in the U.S. which shifts liability for fraudulent transactions on in-store transactions to merchants rather than card issuing banks. The shift has prompted a widespread adoption of EMV chip cards and the EMV-enabled terminals required to process them with the enhanced data protection and anti-fraud authorization protection that EMV provides. The State of Retail Payments 2016 Study by the National Retail Federation and Forrester Research showed that 57 percent of merchants have installed EMV equipment, including 76 percent of the 200 largest merchants accepting EMV chip cards.
As the window closes on fraud opportunities in-store, ATMs have become a more appealing target. The liability shift for EMV-compliant ATMs is still in progress with MasterCard’s deadline already passed, and Visa’s upcoming in October 2017, which leaves a significant number of ATMs in the U.S. without the protection of EMV. While bank-owned ATMs are generally leading the charge and have largely implemented EMV, merchant-owned ATM machines are lagging behind and many are vulnerable to fraud attacks.
ATM hacking methods
The most popular hacking method is a combination of skimming to capture the card data and hidden cameras to capture the PIN as the cardholder enters it. Sophisticated operations even time the data captured with the PIN entry to make it easier to match them and create counterfeit cards.
To accomplish skimming, hackers often duplicate the card acceptance slot bezzle with a very convincing if yet imperfect copy which fits snugly on top of the legitimate one. Once a card is inserted, the data retrieved from the magnetic stripe is recorded by the homemade electronics in the skimmer. Other skimmers are very thin and can be slotted inside the card reader and are nearly undetectable to the naked eye. Either method is often paired with a tiny camera inside a pin hole in the cash dispenser, which is placed at such an angle as to detect the user’s hand as they key in the PIN. You can see a detailed example of an ATM skimming operation here.
ATM hacking prevention
While the best way to prevent ATM skimming is for the user to cover the keys as they enter their PIN, there are technology solutions, operational best practices, and customer education material available that can help prevent or disrupt skimming from taking place.
Anti-skimming technology is one key way to prevent skimming from taking place at your institution’s ATMs. This technology uses various methods to help monitor terminals and notify your ATM monitoring service provider when a skimmer is detected. Jitter technology is one of the most popular anti-skimming measures and creates a “jitter” effect via stop/start motion to distort the magnetic stripe details on the card so a skimming device is unable to capture it in whole.
However, since jitter is not effective on “dip” reader style ATMs and has been widely used for over a decade, many experts feel that fraudsters have overcome the problem that jitter presents to skimming and need additional anti-fraud measures such as PIN shields and tamper detection.
Popular tamper and fraud detection methods include radio-frequency jamming which detects foreign objects added to ATMs with an electromagnetic field; vibration detection that can alert the institution if the ATM has been drilled to attach a skimmer or create a camera pinhole; light detection sensors in the card intake slot which alert when the device senses a change; and camera surveillance that can identify foreign objects placed on an ATM. These technologies are readily available through most ATM manufacturers and are supported by the majority of ATM processors and monitoring systems.
The role of financial institutions
While anti-skimming technology is the most effective way to help offset skimming, there are simple guidelines that institutions can follow to help ensure the security of ATMs.
- Establish daily practices within your branch to check ATM bezzles as part of the daily balancing activity.
- Tug or pull on the bezzle and visually inspect it for any abnormalities.
- Make sure that ATM locations are well lit and the security cameras are positioned in and around the ATM to clearly capture any fraudsters attempting to skim the ATM.
- Provide your ATM merchants with the education, awareness, and anti-fraud tools they need to protect their ATMs.
How Vantiv can help
Vantiv takes fraud very seriously, and we’re working closely with our vendor partners to address it. We support anti-skimming technology so that compromised ATMs can be shut down instantly to limit the damage. In addition to anti-skimming detection support, Vantiv is continuously working with our partners to review new technology and additional support to offset fraud at your ATMs. To learn more, please contact Vantiv or your ATM provider.