Recently, there has been an astounding increase in the number of ATM skimmer attacks nationwide.
- In Washington, skimmers on multiple ATMs of one bank allowed thieves to steal over $50,000, prompting the bank to cancel about 8,000 ATM cards. An astute customer alerted the bank after finding a skimmer on one of its ATMs.
- In Illinois, a bank suffered a loss when over $100,000 was stolen using ATM skimmer overlays which were exactly the same color as the ATMs and blended in, making them hard to see.
- In separate attacks, nearly 300 accounts of two Kansas banks were compromised and funds taken due to ATM skimming. The criminals also placed cameras on the machines, most likely to record keypad sequences.
ATM skimmers are becoming more complicated and difficult to detect. Skimmers can now completely encase the front of a cash machine. For information on the many skimmers being used, including pictures and descriptions, check out Brian Krebs’ computer security and cybercrime blog, krebsonsecurity.com.
- ATMs can be directly infiltrated with malware. By posing as a repair tech, a criminal gains physical access to a machine, opens its enclosure with a universal key or passcode, and plugs a USB device directly into the machine to install malware that compromises the software. This method is increasingly being used as it is more profitable than attaching skimming hardware. The malware can sit undetected in the system for a longer period of time, allowing the thieves to thoroughly and quickly drain funds.
- As a precaution, please remind your staff to periodically physically inspect bank ATMs for skimmers or tampering. Regular physical inspections should be part of a written policy. Also, please remind customers to be cautious when using any ATM, cash machine or credit-authorizing device (such as at a gas pump) and to alert police and/or the bank (or vendor) immediately if anything seems suspicious. A good habit to develop: wiggle or push everything on a machine before using it to see if anything jiggles or is not securely attached. Typically, skimmers are just loosely attached by glue or double-sided tape so that the thieves can quickly and easily remove them before detection. Also, consider covering one’s hand when entering numbers on the PIN pad.
Brian Krebs has recently reported a new attack, “shimming,” in which a slim, flexible circuit board (a “shimmer”) is inserted through an ATM’s card slot and captures data from chip-enabled credit/debit cards. Thieves can then print magnetic-stripe cards with the stolen information that could potentially be used at lower-security ATMs. He notes that banks can check a card’s integrated circuit card verification value to determine if it is a counterfeit. However, he warns that some banks are doing this incorrectly, or not at all, and thieves have figured out which ATMs accept these fake clones.