ATM skimming alone is responsible for $350,000 of fraud daily exceeding a billion dollars in losses annually.
A recent news report of a skimming scam in Long Island, N.Y., netted thieves more than $200,000 from ATMs at five branches.
Skimming today is far more sophisticated than in the past. Skimmers can include blue tooth and texting technology that send the data to the criminal anywhere. Keypads can be compromised by devices that overlay the exiting pad and transfer the data remotely.
ATM scams and fraud go beyond skimming to crimes that are very physical such as ram raiding to remote malicious software hacks.
During the Black Hat conference a hacker demonstrated how he forced three ATMs to dispense funds by exploiting the machines' weaknesses in the computers that operate the ATMs. He purchased machines online and discovered that the physical keys were the same for all ATMs of that type made by that manufacturer. He used the keys to unlock a compartment of the ATM that had standard USB slots. He then inserted a program he wrote for one of the machines, commanding it to dispense all of its vault cash.
Bankinfosecurity.com published "7 Growing Threats to Financial Institutions."
- Skimming; Hardware readily available online that is attached to the face of ATM records user card information and pin codes. In this case you may still be able to perform a transaction.
- Ghost ATMs; A card reader is blocked off and replaced with hardware that supersedes the machine and records all your data without allowing a transaction. The machine reads "Can't complete transaction."
- Dummy ATMs; In some cases an ATM is bought off of eBay (do a search) or elsewhere and installed anywhere there is foot traffic. The machine is set up for one purpose; read data. The machine might be powered by car batteries or plugged in the nearest outlet.
- Ram Raids; ATMs built into a wall or stand alone are being rammed by a truck and/or wrapped with chain and pulled out then loaded onto a truck. Once removed the thieves blow torch the machine taking the cash. This is a hot topic in Mexican banks, buy certainly happens everywhere. A bank would be smart to install battery backed GPS in any machine.
- PIN ID's; Sophisticated criminal hackers break into a database or skim magnetic strips. They then go to an online banking site with a hacking software that plugs in various well known PINs. These PINs might be consecutive numbers, people names, pet names, birthdates, or other various simple pass phrases people use. When it finds a match it gives the criminal access to your account.
- Automated PIN Changes; Criminals go through the banks telephone banking system to change the customers PIN. They may try to change the customers ANI (Automatic Number Identification), a system utilized by telephone companies to identify the DN (Directory Number) of a caller. This might be accomplished via "Caller ID Spoofing." They use publicly available data on the card holder such as name, card account number and last four digits of the social security number to "verify" them as the banks customer.
- SMS Attacks; AKA Smishing or Phexting - phish texting. Customers receive a text from a bank on their Smartphone requesting login information.
- Malware or Malicious Software; Researchers found a virus that specifically infects ATMs and takes over the machine logging card numbers and pins.
To help combat ATM skimming, ADT unveiled the ADT Anti-Skim ATM Security Solution, which helps prevent skimming attempts and detects skimming devices on all major ATM makes and models.
ADT's Anti-Skim Solution is installed inside an ATM near the card reader, making it invisible from the outside. The solution detects the presence of foreign devices placed over or near an ATM card entry slot, without disrupting the customer transaction or operation of most ATMs. It can trigger a silent alarm for command center response and coordinate video surveillance of all skimming activities. Also, the technology helps prevent card-skimming attempts by interrupting the operation of an illegal card reader.How to protect yourself from ATM skimming;
- First and foremost; Pay attention to your statements every two weeks. Refute unauthorized transactions within a 30-60 day time frame.
- Pay close attention to everything you do at an ATM. Look for "red flags", anything out of place, your card sticks, odd looking configurations on the ATM, wires, two sided tape.
- Use strong PINs, uppercase lower case, alpha and numeric online and when possible at an ATM and for telephone banking.
- Don't reply to phishing or phexting emails. Just hit delete.
- Don't just use "any" ATM. Choose ATMs at locations that are "more secure" than in the middle of nowhere. Do not drop your guard if the ATM is at a bank branch.
Follow Robert Siciliano on Twitter: www.twitter.com/RobertSiciliano