It’s not as prevalent as phishing or simple theft of a credit or debit card, but ATM skimming is on the minds of New England bankers after a man with ties to the Russian mob allegedly skimmed card numbers and stole at least $400,000 from ATM customers in Massachusetts. Authorities say he used secretly installed card readers and spy cameras on ATMs in Massachusetts and New Hampshire, which allowed him to recreate magnetic strips from debit cards and withdraw money from people’s accounts over the past two years.
The latest instance of high-profile skimming didn’t affect Connecticut banks, but many are on the lookout for any signs of skimming on their own ATMs.
“This is something that the industry as a whole is focused on,” said Ted Josephson, vice president of banking and operations at Bridgeport-based People’s Bank.
People’s has about 240 ATMs and uses several measures to try to keep them free of fraud. Most of the bank’s ATMs are in branches, which makes it more difficult for criminals to set up skimming devices, since the staff is often there and familiar with the ATMs. Workers who service People’s ATMs are also trained to identify skimming devices, Josephson said. The bank has internal security practices that also help prevent skimming.
Skimming doesn’t just happen at ATMs, according to Mike Urban, director of operations for Minneapolis-based Fair Isaac Corp., a company that provides analytic solutions to businesses. It is more common to find it at other points of sale connected with customers’ personal identification numbers – commonly known as PINs – such as gas stations.
“There are hundreds of points of compromise for PIN-based skimming,” he said.
Skimming also can happen over the Internet. Phishing for bank customers’ card numbers and PINs is the most common form of skimming. Phishing is when a computer user sends e-mails – which often look like authentic e-mails from financial institutions – to e-mail users, requesting information that can lead to money stolen from accounts or even identity theft.
One ploy by phishers is to ask bank customers for their card numbers and PINs. The phisher can then recreate the card and magnetic strip with the card number and use the card at an ATM with the PIN provided. Banks that issue cards with CVV/CVC numbers – numbers integrated into the card’s magnetic strip that can be used as an extra form of verification – are virtually immune from that type of skimming, but not all banks and card providers use them, according to Urban.
“Literally hundreds and hundreds of institutions are getting hit with [that ploy],” he said.
ATM skimming is a growing concern, with several high-profile cases in the past year. The masterminds behind ATM skimming are often linked to organized crime, according to Josephson, and can use extremely sophisticated technology.
“This is something that is definitely a focus of organized crime,” he said. “They do it in a very sophisticated way.”
The Secret Service has a task force that focuses partly on skimming. But there are also casual skimmers, often young people who don’t work on a large scale and don’t have access to the most up-to-date technology.
‘A Huge Concern’
Devices used for ATM skimming vary from some that are fairly easy to spot to small strips or overlays that can sit at the entrance of a card reader that are nearly impossible for laymen to notice. With bank ATMs, the skimmer often will use a device that fits over a card slot. It is thin, so the card can still enter the machine and the user can then complete a transaction. The skimming device is often fitted with a radio transmitter that can immediately send the information from the card’s magnetic strip to a laptop.
That information allows the skimmer to recreate the card and its magnetic strip. But to simplify the subsequent withdrawal of funds, the skimmer also needs the PIN attached to the card. There are several ways to get the number. Some skimmers – like the man accused in Massachusetts – use small cameras aimed at the ATM’s keypad. They can later watch the tape, record the PINs and, using time stamps, match that information with the information taken from the card itself.
In addition, skimmers can use PIN pad overlays, which are similarly fitted with radio transmitters and can send the keystrokes to a laptop. Some skimmers also use fake face plates that they place on the front of ATMs.
In most instances, the ATM user can still complete the transaction, Urban said, and thus is unlikely to realize something is amiss.
Skimming is most common with non-bank ATMs. ATMs that are located in places like convenience stores are often hit because skimmers have more of a chance to install skimming devices. In those instances – and instances where a skimming device is used at gas station pumps – it is more common to see internal skimming devices, according to Urban.
Josephson cited an instance of skimming that happened several weeks ago in California, where authorities suspect a skimmer paid certain gas station attendants to look the other way when people came in to tamper with the card readers on the pumps.
Connecticut banks have several different ways of keeping skimmers from hitting their ATMs. Waterbury-based Webster Bank has a line of defense similar to People’s.
Webster’s maintenance and branch staff are trained to spot skimming devices or residue that might be left from their installation, according to Steve Russell, a vice president and the bank’s senior manager for electronic operations.
The bank also looks at the transaction count of every ATM each day, Russell said. If the transaction count is less than normal, the bank sends out a technician. The problem is usually that the ATM is malfunctioning, but the monitoring also could help catch certain kinds of skimming devices.
Ohio-based Diebold, which makes Webster’s ATMs, also has new technology in the ATMs themselves that can help detect tampering, Russell said.
Even smaller banks with only a handful of ATMs are paying attention to skimming. Barbara Wallace, assistant vice president of operations for Simsbury Bank, last year attended a seminar on the topic.
“It’s a huge concern,” she said.
The bank has four ATMs, all in or near branches. Although the number is relatively low, the bank is still vigilant in its effort to prevent skimming.
“These bad guys find so many ways to beat the system,” Wallace said.
The bank’s branch staff is trained to spot any tampering and the bank has distributed literature to its customers that addresses general ATM safety. Communicating with customers can be important in preventing skimming, Wallace noted.
Fair Isaac Corp. tells banks to educate customers about ATM skimming, just like many do for phishing. There are often signs that an ATM has been tampered with, such as visible double-stick tape, drill holes, dust or a device placed over the machine, Urban said.
“You need them to be wary of [where they use their cards],” he said.
Josephson agreed.
“It behooves us as consumers to make sure you’re using your card at a familiar place,” he said.
One of the most important pieces of information to get across to customers is that they are fairly safe if they use their card in a place they know well, like a bank branch, where the machines are well maintained.
“It’s being careful like you would anywhere else,” he said.
Another step banks should take to minimize losses – since the financial institution ultimately takes any skimming-related loss – is to have a system set up that lets them respond immediately to any cardholder reports of ATM modification, Urban said. Banks’ call centers should have communication scripts to deal with that and letters ready for sending to cardholders in case any cards are compromised.
It is also important for banks to report the losses to law enforcement, Urban said. They are often reluctant to do so because of the time it takes to compile all the necessary information, but if a district attorney is willing to aggressively prosecute skimmers, the banks should cooperate. The jail sentence for someone convicted of the crime often will correspond with how much money they stole.
Companies like Fair Isaac have programs that can help prevent skimming. Fair Isaac’s – which is called Card Alert Fraud Manager – tracks transactions at members’ ATMs and, when they see some that look like fraud, contact the bank. If it is fraud, the company can quickly identify where the cards were compromised and block the affected cards.