By John Pearce
Last fall, a Staten Island firefighter noticed his bank account was about $1,600 lighter than he expected. He had not withdrawn the money, nor had his wife. When he checked with his local bank branch, he learned that he and more than 100 other bank customers had fallen victim to high-tech thieves that may have taken more than $100,000 over a single weekend from one automatic teller machine.
All of the bank’s customers were victims of a practice known as ATM skimming. It is one of the industry’s fastest-growing electronic crimes, now costing financial institutions and consumers $8 billion annually, according to the U.S. Secret Service. And skimming can potentially affect any of the more than 400,000 ATMs in the U.S.
ATM skimming is the electronic “bank job” of this decade and its practitioners have become the modern-day Bonnie and Clyde. But unlike that legendary couple, skimmers choose card readers and miniature cameras rather than guns to steal other people’s personal financial information and money. Skimming is a highly profitable crime with a relatively low risk of being caught. Internet sites offering the sale of equipment and training for skimming applications make it even easier for criminals to become involved in financial identity theft.
Many skimmers operate in nomadic gangs, taking high tallies from a few high-volume ATMs over a couple of hours and then moving to another location, often in another city. With few exceptions, financial institutions are required to reimburse consumers’ losses.
In a matter of seconds, criminals can place a skimming device on an ATM card reader that blends in with the machine’s appearance and does not interfere with its operation. The device is able to read personal financial information from the magnetic stripe on the back of the consumer’s card. A small wireless camera, concealed near the ATM fascia – or a keypad overlay – is also used to capture the user’s PIN as it is entered. Information from the device and camera is sent wirelessly to the criminal’s laptop computer. The ATM user typically has no idea that his or her information has been compromised.
Criminals upload the account information they receive onto the magnetic stripes of purchased blank cards, cloning an inventory of duplicate credit and debit cards. They can write the passwords on the face of the cards to keep them linked. These new cards allow the thieves to cash out debit accounts or they may use the information to complete Internet purchases. There are also electronic markets where the cardholder’s data can be sold to worldwide crime syndicates.
By the time the consumer receives a bank or credit card statement, notices the discrepancies and reports them to his or her bank, the skimmer is usually long gone, having left few traces behind for police to follow.
Criminals generally find it easier to attack unmanned ATMs, over 250,000 of which are at on-site locations of financial institutions. Since most banks are closed evenings and often on weekends, criminals have plenty of time to install and remove their skimming equipment without interruption. Many off-premise ATMs are located in well-lit, 24-hour manned locations such as convenience stores or other retail environments.
But financial institutions can take steps to combat skimming. Banking security and risk compliance teams can establish anti-skimming plans and procedures. Cameras focused on the ATM can act as a 24/7 deterrent to skimming and other crimes, while also providing video to help identify skimmers as they work. Even simple solutions such as bright lighting around ATMs and adjacent parking areas and pathways and cutting back vegetation to allow an unobstructed view of the ATM can help.
There is also advanced detection technology that many U.S. banks are now putting in place to help defeat skimming equipment. One solution – already proven to work in more than 40,000 global ATMs – is installed inside the ATM making it invisible to both the consumer and the skimmer.
This solution not only helps prevent the crime by jamming the skimmer’s ability to read card information, but also detects the presence of skimming devices on the ATM. When a skimming device is detected, the anti-skim technology can trigger silent alarms for a security response or coordinate video surveillance of all skimming activities – providing layered protection without disrupting the customer’s use of most ATMs.
Skimming costs financial institutions in New York millions of dollars each year in fraud losses and investigative costs, but perhaps the greatest damage is done to their reputation and the loss of customer confidence that accompanies the theft of personal financial information.
A recent study by Harris Interactive reported that 67 percent of U.S. adults who use financial institutions with ATMs would likely switch to another institution after experiencing ATM fraud or a data breach. That is how seriously banking consumers – and banking ATM operations – react to the issue of identity theft and the theft of their personal financial information.
Studies like that make it clear how important it is for financial institutions to act immediately to help protect themselves and their customers from personal financial data theft.
John Pearce is marketing director, financial & banking and government systems, for ADT Security Services. Pearce, a 25-year veteran in the security industry, is a frequent contributor to financial media on security and risk topics. He also directs the popular ADT Financial & Banking Symposium, one of the industry’s top education forums on the security and operational issues impacting financial institutions.