Bill Budde is the Vice President of FI Strategy for Hyosung. In this role, he helps banks and credit unions make decisions about branch transformation technology and unlock the value of those investments. Prior to joining Hyosung, Bill worked at JPMorgan Chase in both the Retail Banking and Merchant Processing business units, developing and implementing many self-service capabilities.
Fraud of all types is on the rise, and ATM fraud is no exception. Banks, credit unions, processors, and ATM providers have devoted significant resources to hardening the entire ATM environment and making all kinds of fraud more difficult. Measures such as point-to-point encryption, whitelisting, and device pairing have added extra layers of security to ATMs, making attacks like jackpotting and man-in-the-middle significantly more difficult. Cards have also become more sophisticated, with EMV chip and secure contactless data storage and communication. Unfortunately, while this updated card technology has provided secure methods for data exchange, the most vulnerable part of the card – the magnetic stripe – remains. With unencrypted data still stored on the magnetic stripe of the vast majority of cards, attempting to steal, or “skim”, this data in order to fraudulently use it has become a preferred attack method for fraudsters everywhere.
By some estimates, skimming attacks are costing financial institutions and customers up to $1 billion a year. With such attacks on the rise, protecting against skimming has become a priority for many financial institutions. Since skimming is typically accomplished using a rogue piece of hardware installed on an ATM, the first line of defense is generally at the card readers themselves. The latest ATM card readers have the option to include functionality designed to make it harder to effectively skim cards, such as foreign object detection, minimum insert width, and data jamming. It is important to remember, however, that skimming is a constantly evolving threat, and while hardware defenses can reduce the threat, they aren’t foolproof. Adding operational and environmental steps, such as regular visual inspections by associates or 24-hour lighting and video monitoring, can further improve effectiveness.
Unfortunately, while advanced card readers and operational processes make skimming more difficult, they do not completely prevent it. Such anti-skimming strategies rely on attempts to detect the presence of skimmers or reduce the likelihood of skimmers being effective. While implementing these strategies at an ATM can be successful at the point of implementation, many times it can feel like bailing water out of a leaky boat. Cards may not be skimmed at that particular ATM, but they can still be skimmed at any other location where a card is used, such as independent ATMs, gas pumps, or points of sale.
Another category of anti-skimming strategies rely on reducing or eliminating the value of any data acquired by skimmers, which both deters future skimming from taking place as well as reduces potential fraud exposure related to skimming. One great investment in this area is improved transactional fraud detection capabilities. Specifically, better identification of transactions that are outside a cardholder’s typical behavior will more quickly identify when a cardholder’s information is being used to make fraudulent purchases. This reduces the possible usage of customer data stolen through skimming activities.
Taking this strategy one step further, turning off magnetic stripe fallback transactions further reduces the potential uses of skimmed data. Typically, skimmers copy the data on a card’s magnetic stripe, since that data is unencrypted and is easily readable, and then writing it to a blank magnetic stripe on another card. Using data acquired this way would require an ATM or point of sale to allow magnetic stripe transactions after an attempt to read the card’s encrypted EMV chip has failed. By not authorizing such magnetic stripe-based transactions, the potential use of skimmed card data goes down dramatically. Similarly, using secure contactless card reads eliminates the insertion of the card into the card reader altogether, preventing a skimmer from being able to read the data on the magnetic stripe.
Ultimately, the elimination of the magnetic stripe on cards will strengthen the security of cardholder data and further reduce skimming potential. With the other data elements on the card containing strong encryption, the removal of the one element that holds unencrypted data will make it significantly more difficult to get meaningful data from skim attempts.
In short, there is no “one size fits all” answer to answer the threat of skimming. As with most fraud attack vectors, no one measure is truly preventative, and an approach that layers multiple protections will increase overall effectiveness. To learn more about how you can better protect yourself and your customers, you can contact us to have a detailed conversation.
