April 12, 2016
By Kevin Woodward
A migration of sorts appears to be under way among criminals targeting electronic payments as evidence surfaces that ATMs, especially those not owned by banks, are being targeted. In 2015, there was a 546% increase in ATM compromises, says Fair Isaac Corp., the company known as FICO.
Based on data FICO collects from its debit network clients, the increase is the highest ever measured by the company in more than 20 years. FICO says it monitors transaction activity at hundreds of thousands of ATMs as part of its Card Alert Service for issuers. Because of contractual stipulations, FICO says it cannot release the actual data behind the 546% increase.
“It’s evidence of a weak point in the system being uncovered and criminals taking advantage of that,” T.J. Horan, FICO vice president of fraud solutions, tells Digital Transactions News. It’s especially so for non-bank operated ATMs. In 2015, these machines accounted for 60% of all ATM compromises, up from 39% in 2014, Horan says.
At the same time, the number of debit card compromises dropped in 2015 compared with 2014, he says. “Fraudsters and criminals are turning their attention to ATM locations, particularly the nonbank-owned ATM locations.”
Why that is happening now may be for several reasons, Horan says. The physical security may not be as strong in some locations, with cameras lacking or the machine placed out of sight of a store clerk. Others may not have the latest software updates or encrypted connectivity in place, Horan says. “Another thing is perhaps consumers in these types of environments aren’t as aware of evidence of a skimming device,” he says.
Advanced technology, too, may play a role. In the past, criminals had to retrieve skimming devices in order to obtain the stolen card data. Now, with Bluetooth devices and other wireless connectivity options, they remotely get the data, Horan says.
Another trend FICO picked up on is that criminals appear to be cutting the time they focus on a particular ATM. FICO’s data found that the average duration of a compromise decreased from 36 days in 2014 to 14 days in 2015. “We believe this is a statement that organized criminals have figured out that quick hits on compromised locations are easier to do,” Horan says. With the advent of Bluetooth-enabled skimming devices, “they can get what they want and move on to the next machines.”
What steps might curtail these compromises? Improved physical security of the ATM is a start, Horan says. The increased use of cardless ATM transactions—when the consumer uses an issuer’s mobile wallet to stage an ATM transaction on his smart phone and bypasses inserting a card into an ATM—is a start, too. “The investment banks have made in that technology will help reduce fraud in the long term,” he says.
EMV debit cards may help, but not until the magnetic stripe is removed from all cards, Horan says. EMV is a dual-authentication technology to ensure the card is valid and the card reader, whether attached to an ATM or point-of-sale terminal, is valid. Eventually, a chip-only environment will develop, but the fallback to the mag stripe means weak links will persist, Horan says.
SPECIAL FEATURERead Digital Transactions Online