As a computer security researcher, Steve Manzuik says he’s “a little more paranoid” than the average person when it comes to his credit and debit cards. He’s familiar enough with skimmers — devices that mimic a card reader to swipe card data — to say he could probably make one, if he desired.
But even Manzuik, 42, director of security research at Duo Security, couldn’t escape getting caught by one. One morning in December, he got an email saying about $600 was withdrawn from his account at an ATM in Beverly Hills, Calif. Manzuik — at home in Las Vegas — immediately called his bank.
The bank canceled his card, and a new one arrived about four days later. Getting his money back took about a week and a half, he said.
“I was lucky I didn’t need that account,” said Manzuik.
Fraud involving skimming devices isn’t new but is on the rise, according to data from FICO Card Alert Service, which monitors transaction data for bank clients. FICO doesn’t release specific numbers but recently reported a nearly 550 percent increase nationwide in the number of ATMs compromised by criminals in 2015 compared with 2014.
Skimming is by far the most common way fraudsters obtain card data, according to FICO.
Each of those incidents took less time than in 2014 and affected about half the number of cards, which T.J. Horan, vice president of fraud solutions at FICO, attributed to criminals taking a “quick hit” approach.
There are a wide variety of skimming devices, but many involve a card reader that can be affixed on top of the genuine card slot to “skim” card details from the magnetic strip on the back of a card. Since debit cards typically require a four-digit personal identification number, an ATM with a skimming device also often has a false keypad or pinhole camera to record digits as customers punch them in.
A sharp-eyed customer might be able to spot a skimming device, but as they get smaller and more sophisticated, sometimes even a bank employee could struggle to notice the difference, said David Tente, executive director of the ATM Industry Association’s U.S. and Latin America chapters
Upgrades that will let ATMs read the chips in newer credit and debit cards, similar to those already being rolled out in card readers at store checkout counters, will likely cut down on use of tough-to-spot skimming devices, according to payment industry experts. But they said fraud could rise in the meantime as criminals try to wring more dollars from skimming before it becomes less lucrative.
“I think what we’re seeing is an indication it’s imperative we make the change,” said Doug Johnson, senior vice president of payments and cybersecurity at the American Bankers Association. “Criminals are realizing it’s a window that’s going away, and we need to make sure it does go away.”
FICO’s report found criminals were increasingly targeting nonbank ATMs, such as those in convenience stores and gas stations, which may be less closely monitored, Horan said. Nonbank ATMs accounted for 60 percent of all compromised ATMs in 2015, up from 39 percent the year before, according to FICO.
Customers are generally reimbursed for fraudulent transactions as long as they’re reported within 60 days.
The new chip technology, known as EMV, being rolled out at in-store terminals is also coming to ATMs. Liability for fraud is shifting from the financial institutions issuing cards to either ATM operators or the issuing institutions, depending on which has less up-to-date EMV technology.
Nearly 60 percent of U.S. ATM operators said they expected at least 75 percent of their ATMs to accept chip cards by the end of 2016, according to a survey by the ATM Industry Association.
All of Wells Fargo’s ATMs accept chip transactions. Chase Bank has been upgrading its ATMs, and many machines are already taking chip transactions, Holevas said.
Nationwide, 27 percent of ATM operators said at least half of their machines had been upgraded by the end of 2015, while 48 percent of operators said none of their ATMs were chip-ready, according to the ATM Industry Association survey.
Replacing an ATM costs about $2,000, but the cost of skimming fraud is a big incentive to upgrade, said Julie Conroy, retail banking research director with Aite Group.
ATM operators estimated losses from a skimming device placed on a single ATM ranged from $5,000 to $100,000 and averaged $650 per card, according to the ATM Industry Association’s 2015 Global Fraud Survey.
In countries that have already made the transition to chip cards and readers, ATM skimming fraud has declined, industry analysts said.
The European ATM Security Team reported a 27 percent drop in ATM skimming incidents between 2014 and 2015 but said losses from use of stolen European card data outside the region — largely in the U.S. and Asia-Pacific region — were the highest they’d been since 2008.
Issuance of chip-equipped debit cards has lagged behind that of credit cards, Conroy said. People who have already received one won’t reap the benefits of the more-secure chips at ATMs unless the machine is equipped with a chip card reader.
Even then, it will be possible to skim card details as long as chip cards also have the traditional magnetic stripe, Tente said.
“In many countries that have moved to EMV, they’ve seen counterfeit card fraud spike as crime rings realize it’s their last opportunity, so they’re going through stocks of cards and doing their worst while they still can,” Conroy said.
But she still expects to see a decline in skimming fraud for both credit and debit cards because there will be fewer ways to profit from skimmed card data.
A fraudulent skimmed card could only be used at merchants or ATMs that don’t accept chip cards, or online, where no physical card is required, Horan said.
That doesn’t mean skimming fraud will disappear entirely. Some fraud will likely move online, but industry experts said they’re also keeping an eye on newer forms of fraud involving malware, as well as less-sophisticated physical attacks. Thieves have used explosives to make off with an ATM’s cash contents or abducted entire machines. Another scam involves jamming the cash slot so users think the ATM has failed to dispense their money, which a thief can collect when customers leave to complain, Conroy said.
Since Manzuik’s card details were stolen, he said he’s more careful to shield the ATM keypad with his wallet as he types in his PIN. But even he doesn’t bother trying to spot skimmers on ATMs.
“Some are so small now you wouldn’t notice unless you were prying around to see if anything’s loose, which is suspicious behavior in front of an ATM,” Manzuik said. “I try to be as careful as I can, but I’m not doing anything silly or losing sleep over it.”
How to defeat card skimmers
Payments experts’ tips to protect yourself from skimming devices:
- Pay close attention to anything that looks out of place, such as a card reader that’s misaligned, not firmly attached or doesn’t let a card enter smoothly.
- Use ATMs you’re familiar with so you’ll be more likely to notice a change that could indicate tampering.
- Stick to ATMs in secure, well-monitored locations when possible.
- When typing in a PIN code, cover the keypad to thwart pinhole cameras.
- Check your transactions through an online banking app, paper statement or email and text transaction alerts to spot suspicious payments.