A Stubborn Scheme

Chip cards were supposed to make it harder to commit fraud at the point of sale and at ATMs, but card skimmers haven’t gotten the memo.

If you think EMV cards have put a big dent in card skimming, think again. In October, the U.S. Attorney’s Office for the Southern District of New York indicted 18 defendants alleged to have participated in what the indictment described as “a wide-ranging international ATM skimming and money-laundering operation.”

The case is a stark reminder that as long as magnetic stripes remain on EMV cards, it doesn’t matter how many EMV cards are issued or EMV-enabled point-of-sale terminals and ATMs are deployed. Skimming will remain a serious problem.

Worldwide skimming losses total more than $2 billion annually, according to the ATM Industry Association. The defendants indicted in New York allegedly made off with more than $20 million. Many of the victims either had their account data stolen and resold, or had their bank accounts drained.

“Skimming is still a significant problem, though down from pre-EMV levels,” says Sam Ditzion, chief executive of Tremont Capital Group, an investment-banking firm specializing in the ATM industry. “Magnetic stripes still exist on EMV cards, so the data on the mag-stripe can still be captured and the card cloned.”

Magnetic stripes aren’t going to disappear from the back of EMV cards issued in the United States any time soon, what with the deadline 10 months away for gas stations to install EMV card readers at the pump. Factor in the numerous mom-and-pop merchants still holding out on EMV compliance—plus a false sense of security among these merchants that they are too small for skimmers to target—and it’s easy to see why stamping out skimming fraud can only be a frustrating experience.

None the Wiser

Skimming is a technique by which criminals insert a device containing a microprocessor and memory card into an ATM or POS terminal. The device lifts, or “skims,” the account information off the magnetic stripe and into the skimming device, which is collected later by the fraudster. Over the years, advances in skimming devices have made them smaller, more efficient, and harder to detect.

Other advances, such as the ability to transmit card data from a skimmer to a mobile device using a cellular network, have further exacerbated the problem. This scam allows criminals to gather cardholder data in real time, which means they can start using the data immediately, as opposed to after it is retrieved. The data is transmitted via text message.

But the big advantage to leveraging cellular networks for skimming is that criminals no longer have to risk detection by retrieving the skimmer to download the data. Instead, the device is left in the card reader when the criminal is finished with it, and the merchant or ATM deployer is none the wiser.

Now skimming is moving in waves toward gas stations and other merchants that have yet to install EMV card readers, payments experts say. Owen DeWitt, president of FlintLoc Technologies LLC, a Lampasas, Texas-based provider of anti-skimming technology, estimates that about 80% of in-pump card readers at gas stations and convenience stores have been breached by skimmers at one time or another.

“Skimming is not an equal-opportunity type of fraud,” says Russ Haecker, EMV business beader for Wayne Fueling Systems, which is part of Dover Fueling Systems. “Criminals are going to focus on gas stations that have not upgraded the in-pump card readers.”

In April, about 30% of all gas stations in the United States were estimated to have EMV card readers, to be testing them, or to be starting to install, according to industry experts (“Where EMV Spells Headache,” May 2019). Those figures are a strong indication a substantial portion of gas stations won’t be ready to meet the 2020 deadline. The bulk of the non-compliant stations is expected to be c-stores.

A survey conducted earlier this year by Conexxus Inc., an Alexandria, Va.-based technology-standards body for convenience stores, showed that, of 26,000 stores, about 70% had not deployed EMV card readers.

“Unfortunately, it’s looking like a substantial percentage of c-stores will not meet the EMV deadline,” says Linda Toth, director of standards for Conexxus. “While we are working to educate c-store operators about the risk of skimming, criminals are targeting [stores that have] non-compliant fuel dispensers.”

While gas stations remain vulnerable to skimmers at the pump, the good news is that most stations have deployed EMV card readers inside the convenience store, which has substantially cut down on skimming, Haecker says.

Get Ready for Shimming

Skimming attacks at fuel-pump card readers typically occur in one of two ways: by installing a skimming device within the in-pump card reader or by attaching a skimming device over the mouth of the card reader that mimics the look of the card reader.

The former method is becoming more common because internal skimmers are harder to detect than external skimmers. Criminals can breach a fuel-pump card reader by inserting a skimming device through the printer door, for example. Overlays, by contrast, can typically be spotted by a visual examination of the card reader.

ATMs can be breached internally, as well, typically by drilling a hole through the machine to insert a skimming device on the magnetic heads of the card reader. The hole left at the point of entry can be camouflaged with a sticker displaying the logo of the ATM deployer or manufacturer, says Marcelo Castro, principal product manager for security at ATM maker Diebold Nixdorf.

Attaching an external skimming device on a fuel pump or ATM tends to be the easier option, as the device is typically glued on. The overlay intercepts the card before it passes through the card reader and gathers account data without the consumer realizing she has been scammed.

Cost Issues

ATM deployers and POS terminal makers have been shipping EMV-compliant units for years, which has helped thwart skimming fraud up to a point. But criminals have found a way to pull cardholder data even from an EMV card. The technique is called shimming.

A shimmer is a wafer-thin device inserted into the mouth of an EMV card reader that eavesdrops on the communications between the chip card and the card reader. While EMV chips make the transaction data less useful to attackers by introducing dynamic data unique to each transaction, shimmers can still grab the primary account number and the cardholder name, which can be used to commit card-not-present fraud.

“Poorly designed e-commerce sites that don’t use proper security validation techniques, such as asking for the security code off the back of the card, are vulnerable to this type of CNP fraud,” says Steve Bowles, regional security officer, North America for terminal maker and payments provider Ingenico Group.

Skimming may be more common at ATMs and gas stations, but it’s by no means confined to those scenarios. It can also take place in environments where the card leaves the customer’s hand, such as restaurants and bars. This is a practice common in the U.S. “It’s easy for a scammer to copy the card information quickly while it’s in their possession,” Bowles says. “As more pay-at-the-table solutions are adopted, this will prove to be less of a threat.”

Companies like Ingenico have made anti-skimming technology standard on new devices or made anti-skimming upgrades available. Anti-skimming technology on the POS terminal side includes point-to-point encryption, which masks card data in the terminal as the card is inserted.

ATM manufacturers are also rolling out anti-skimming upgrades. Diebold Nixdorf, which says about 97% of ATM card fraud losses are due to skimming, has developed ActivEdge, a card reader that requires cardholders to insert their debit card cards into the reader long edge first, rather than short edge.

Changing the entry of the card prevents external skimmers from reading mag-stripe data and skimming it once the card has been inserted. Communication to the ATM’s central processing unit is also encrypted to prevent the capture of a card’s track data.

But challenges remain. “It’s not hard for criminals to find the components they need to build a skimming device online, because by themselves, those components are not illegal to sell,” says Diebold Nixdorf’s Castro. “Even with an EMV-compliant ATM, financial institutions still need to take further steps to prevent skimming.”

One issue with anti-skimming upgrades, says FlintLoc’s DeWitt, is that ATM makers have driven the cost of their machines down so low the price of an anti-skimming upgrade doesn’t make economic sense. “Security upgrades for ATMs can be an issue,” he adds.

‘Moving Inland’

Regardless whether ATM deployers or merchants spring for the cost of EMV readers or anti-skimming upgrades, payment experts recommend regular equipment inspections to spot signs of tampering. They also recommended photos be taken of the equipment prior to the start of inspections to establish a baseline. In addition, staff should be trained to identify skimming and shimming devices.

Other best practices include performing background checks on staff. Many merchants have staff that work in cahoots with criminals or look the other way when a skimming device is being installed, payment experts say.

While merchants and ATM deployers provide the frontline defense against skimming, processors need to be on the lookout, too. Examining ATM activity can reveal patterns of potential fraud, such as large ATM withdrawals. It is not uncommon for skimmers to come back and empty an ATM using a counterfeit card they created after inserting a skimming device into that ATM, says Trace Fooshee, a senior analyst with Aite Group.

“ATM deployers should also take note if cardholders complain it’s difficult to insert their card. That can be indication a shimmer has been inserted in the card reader,” Fooshee says.

If nothing else, stakeholders on the back end of the payments industry need to continue to educate merchants and ATM deployers about the exposure they have to skimmers if they continue to remain non-compliant with EMV.

“Skimming fraud is moving inland from the urban coastal regions that have been a hotbed of fraud to more rural areas, where merchants think they are the safe from this type [of] fraud,” says Toth of Conexxus. “Criminals aren’t going to find a new career as EMV continues to roll out. They are going to follow the path of least resistance.”