In Boston, law enforcement officials arrested three men in January accused of being part of an international crime effort to steal money from ATMs around Eastern Massachusetts.
In Florida, one man was arrested this month, and federal officials are seeking three others, in an ATM-skimming scheme that targeted several machines around the Tampa area and netted criminals thousands of stolen dollars.
In Europe, the European ATM Security Team reported a 129 percent increase in card skimming incidents in 2008 over the previous year. A total of 10,302 cases were reported.
Stories about ATM skimming schemes have become common in news headlines lately. According to the Secret Service, the crime is responsible for about $350,000 of monetary losses each day in the United States and is considered to be the number one ATM-related crime. Trade group Global ATM Security Alliance estimates that skimming costs the U.S.-banking industry about $60 million a year.
What is skimming?
According to the ATM Industry Association, card skimming, which can also occur on other types of point-of-sale devices, is defined as 'the unauthorized capture of magnetic stripe information by modifying the hardware or software of a payment device, or through the use of a separate card reader.' Crooks often also capture PIN data and then create dummy cards in order to drain a victim's account. The funds are often not taken until several months later, according to Terrie Ipson, an ATM security expert with Diebold (Read about how one ATM skimming scheme was foiled at last year's DefCon conference).
"A lot of skimming attacks are conducted by highly-organized groups," said Ipson. "The card [data] could be held for several months."
The effects of this crime have implications for both consumers, who lose their money, and businesses, who often suffer a blow to their image, or even their reputation for security, if one of their machines is affected. ATM security experts urge customers using machines, and businesses maintaining them, to develop secure habits, and be on the look out for the following scams and tactics often used in skimming schemes:
Look for fake readers placed over card slots
Ipson recommends using an ATM you are familiar with so you know what it should look like and check it to make sure that it is solid and sturdy. Criminals often place fake readers that look like real ones over the slot where the card is placed or swiped. This captures the card information. But if you have your eye out for them, they are sometimes easy to spot.
"Put your hands on it and see if you can wiggle it," advises Ipson.
Criminals will sometimes also place signs that say "No Tampering" in machines to discouraged concerned users who sense something amiss from trying to explore further. Other fake machinery may also include a PIN pad placed over the real one in order to capture PIN information (Read about a Russian plot that involved hacking ATMs with trojan software).
Cover your PIN
Another way skimmers get PIN info is by installing small, hidden cameras somewhere inside the machine. They can be in the wall, or even hiding inside marketing materials, like pamphlets which appear to be innocently sitting off to the side.
Ipson says a good habit to get into is covering your PIN with your hand, even when you are alone. This may prevent a camera from detecting it and may also stop another type of scam: Shoulder surfing, which is done by a person who lurks nearby that is part of the scam who records your PIN for later use.
Avoid overly helpful people
Another way crooks get PIN numbers is by hanging out near or inside an ATM and offering help when the unit fails to "work." The scam involves capturing the card and the victim is perplexed as to why the machine is having problems. A helpful bystander will offer to help and ask for the person's PIN. Of course, once they have it, the card is as good as theirs.
Monitor accounts regularly
Failing all else, if you are hit by a skimming scam, your best defense is awareness of your own financial accounts. Regular monitoring will keep you on top of any suspicious activity that may occur as the result of a compromised account. Reporting fraudulent activity as quickly as possible gives you the best possible chance to recovering your losses.
Read more about data protection in CSOonline's Data Protection section.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.