Credit card and bank card skimmer fraud has spread around the world, stealing from consumers and banks at locations ranging from gas stations to ATMs and restaurants, according to a report from ACCA USA, the U.S. arm of the Association of Chartered Certified Accountants, and Pace University in New York.
The report, written by Pace University professor Darren Hayes, explains how criminal enterprises are coming up with new ways to steal as skimming devices have become smaller and much more sophisticated in terms of power, memory, communication and encryption capabilities.
“It’s a huge problem,” said Hayes. “Usually when we see these incidents of skimmer fraud, very often it’s over a million dollars per scam. These guys work in a coordinated effort. When they attach a skimmer to multiple ATMs, they can work in a coordinated effort to cash out money from those ATMs at the same time.”
On Tuesday evening, a pair of Romanian men were arrested by police at a Chase bank branch in Brooklyn after they returned to retrieve the skimmers they had installed only hours earlier, according to The New York Times.
“It’s usually either Romanian or Bulgarian criminals who are involved in skimmer fraud, both in Europe and here in the U.S.,” said Hayes. “With regard to other types of payment card frauds, very often it involves U.S. hackers or sometimes hackers from Russia or former Soviet nations.”
The U.S. ranked number one in the world in terms of financial losses associated with skimming fraud in the first six months of 2011, followed by the Dominican Republic, Russia and Brazil.
Skimmer technology has existed for many years and has advanced over time, Hayes pointed out. Without significant steps to combat such activity, it is likely to continue to escalate. The Aite Group has reported that in 2011 the average loss from skimming crime was $50,000, an increase of $20,000 from the previous year.
“This is a war being fought at the ATM and the gas pump, at the intersection of street crime and tech crime,” said ACCA USA head Warner Johnston. “As criminals become more sophisticated, they are devising creative ways to separate consumers from their cash.”
Hayes’s report identifies different ways in which skimmer scams are cropping up across the globe.
“Devices are becoming smaller and have more memory,” Hayes said. “The quality of data on the devices has improved over time, and skimmers often are password protected and use advanced encryption protocols.”
A skimmer is an electronic device used to read and store electronic data. While there are many different types of skimmers (including devices used to read data from tags embedded in U.S. driver licenses and passports), the new research focuses on devices that read and record data from consumer payment cards, such as ATM, credit, debit, prepaid and electronic gift cards.
One of the most common types of skimmer is the ATM skimmer, used to record the data contained on the magnetic strip on the back of a consumer’s ATM card. A skimmer may be placed on a stand-alone ATM, such as one at a convenience stores or doorway at a bank.
There are 2.2 million ATMs worldwide, which are expected to increase to more than 3 million by 2016. A new ATM is installed every five minutes. North America has the largest ATM market in the world, with approximately 425,000 in the U.S. alone.
The United States is pivotal for criminal gangs because it has more ATMs than another country and because it is not EMV-compliant (as the cards do not contain a global chip), once its EMV cards are skimmed they can easily be cloned. Cards that are cloned by criminals are also used in other non-EMV countries, such as Ghana, Costa Rica, Mexico and Malta. EMV stands for Europay, MasterCard and Visa.
MasterCard and Visa announced Friday that they will form a group, including banks and retailers, to improve payment card security, initially focusing on adoption of EMV chip technology, according to CBS News.
“The issue is that if you have a chip, the chip cannot be cloned because with every transaction that chip has a counter and generates a new number,” said Hayes. “So the criminal can’t predict what the next number is going to be because it’s based on an algorithm that only the card issuers have. And so you could still skim a credit card that has an EMV chip, but you’re limited in where you can use it. You can only really use it in a non-EMV country like the U.S., which has terminals and ATMs that don’t read the chip. Most modern nations have upgraded and adopted EMV and are compliant with EMV. Banks over here have been reluctant to do so. There may be some reluctance because of the tremendous cost involved with the adoption of EMV. The U.S. has the most number of ATMs in the world, and upgrading those ATMs is a tremendous expense. In my report, I mention that 18 percent of the ATMs in the U.S. are a decade or older.”
Security standards with European credit, debit and ATM cards differ from standards in the United States, making it easier to do skimmer fraud in the U.S.
“The problem for the U.S. as well is that more than half of ATMs are independently owned and they are not affiliated with a bank,” said Hayes. “It’s more difficult to have a bank policy that’s going to protect the majority of ATMs because that’s not the case in the U.S.”
Criminal enterprises typically use overlay devices at ATMs, gas station pumps and ticket-vending machine, as well as parasite devices at point-of-sale terminals, and handheld skimmers at restaurants and retail stores.
Handheld skimmers are not an issue in other countries as much as in the U.S. For example, at U.S. restaurants, a waiter can take a credit or debit card, walk away from the table, and later present a receipt to the customers. At European restaurants, a card remains in sight at all times, and a waiter brings a terminal to the table.
In addition, the equipment used in various skimming operations is readily available in the U.S. from online sites such as Amazon.com and spy stores.
“Usually they can either import those or they will make some of those devices over here,” said Hayes. “Generally the actual printed circuit board, which is the actual skimmer, will be brought into the U.S., but the actual overlay device that hides the skimmer will be manufactured here in the U.S.”
In the U.S., skimmer fraud statistics are impossible to obtain because there is no central repository for these statistics.
“If you want to find out about who is responsible for skimmer fraud investigations, it could be the U.S. Secret Service, it could be in some cases local police, maybe like the NYPD, it could be the banks or their crime labs,” said Hayes. “But all of these different agencies are not reporting to an independent authority that is monitoring and keeping track of payment card fraud.”
Several European countries have implemented new anti-skimming strategies and because they have an independent central reporting agency, they are able to see which strategies prove to be the most effective. “They could see, for example, how effective regional blocking was with payment cards in Belgium,” said Hayes. “Without a central reporting agency it’s difficult to measure a total cost of skimmer fraud in the U.S., and it’s difficult to show how different anti-skimming strategies have a financial impact.”
Hayes’s report offers recommendations to combat skimmer fraud. Financial institutions should speed up the integration of anti-skimming solutions and fraud investigations into their daily operations and improve cooperation with national and international law enforcement to keep up with the increased sophistication and global nature of skimmer schemes. He believes the future of ATM transactions lies in contactless cards, biometric security and smartphone withdrawals instead of traditional ATM cards.
Until there are better safeguards in place, consumers should use one hand to cover the keypad while entering their PIN and be careful of criminals “shoulder surfing.” They should also regularly monitor their accounts, financial statements and credit reports to be alerted to skimmer fraud or any type of identity theft. Consumers are also advised to provide their financial institutions with up-to-date contact information, including a mobile telephone number.
In addition, the report recommends that banks should ensure that ATMs have ample lighting and good visibility. Banks should also install cameras with ample memory to store video recording suspicious activity at ATMs. They are also advised to ensure that technology is installed to alert them when criminals are fitting overlay devices.
“It’s more of a physical type of security that they need to be concerned with,” said Hayes. “It’s more along the lines of having bank employees check to see if there are any loose parts on the card slots, if the card slots are loose, to make sure that there are no hidden cameras, to have well-lit ATMs, to have closed-circuit television cameras that work well, to check card slots. There are cards that you can get that are a little thicker than a regular credit card, but you can put them into the slot and see if there is anything preventing the card from going into the slot. I think it’s more preventative in terms of physical security.”
What Accountants Should Do
For accountants, Hayes recommends that they inform their clients and the businesses where they work about the problem of skimmer fraud, especially here in the U.S., where many criminal gangs cash out the cards that they skim.
“Skimmer fraud doesn’t just happen at ATMs,” said Hayes. “It also happens at restaurants, gas stations and point-of-sale terminals in every type of company. It’s very important for companies to understand that it doesn’t affect only the financial institutions and the banking industry. There are things that they need to do.”
He said organizations should make sure that their cashiers do not simply leave their point-of-sale terminals unattended without another employee keeping an eye on them. Hayes also sees the need for more use of anti-skimming devices and verification.
“The one thing that doesn’t happen a lot over here that I think is a very small thing to introduce is to ask for more verification,” said Hayes. “Here in New York City, it’s very infrequent that somebody would ask to see your driver’s license when you go to pay for something with your credit card. That’s a very small step for an organization to take that would certainly dramatically reduce skimmer fraud, because if somebody has cloned a card, they probably haven’t tried to create any kind of driver’s license with that person’s name because they’re cashing out maybe 100 different payment cards. They’re not going to go to the trouble of trying to create that number of phony driver’s licenses.”
Auditors should also be careful to look for suspicious activity, particularly on weekends. “Much of this fraud, particularly ATM fraud, occurs on a Friday evening,” said Hayes. “They’re counting on installing a skimmer or doing something on a Friday, and if the customer has an issue—say their card is trapped by that ATM machine—chances are they are going to wait until the following Monday morning. That’s often why many of these attacks occur on a Friday night. That’s when these criminals are going to very often carry out their crimes.”
Banks and other establishments with ATM machines should also inform customers how to protect themselves, such as by covering the keypad when they enter their PIN number and telling customers how they can report an incident.
“I don’t know that I’ve ever been at an ATM machine where there was a notice that says, Here are some things you should look out for.’ And if the dip reader moves, then contact this 800 number right away. Or maybe provide a small reward for customers who can report the possibility of a skimmer being installed,” Hayes suggested.
In January, Manhattan District Attorney Cy Vance, Jr. announced the indictment of 13 persons charged with operating a multi-million dollar fraud ring that employed Bluetooth-enabled skimmers at gas station pumps. The devices connected directly to a pump’s power supply, equipped with a Bluetooth chip allowing thieves to lift stolen data wirelessly.
More Vigilance Needed
Hayes recommended greater vigilance, particularly at restaurants, which have also been investigated by the Manhattan DA.
“There was a skimmer fraud takedown by the Manhattan District Attorney’s office where a number of waiters in restaurants were working in concert with one another, and using handheld skimmers, they were focusing on the American Express Black Card,” said Hayes. “There are certain types of restaurants which are sometimes targeted, higher-end restaurants and American Express Black Cards, so more vigilance in that area by accountants would also be important.”
He predicts there will be a higher cost of doing business for companies that don’t take steps to protect themselves from skimmer fraud, with a shift in liability from credit card companies. “Companies that don’t bother to upgrade to EMV are going to be found paying large sums of money to those who are victims of fraud,” he said. “For example, in Germany where I think they have close to 100 percent EMV compliance, if a German cardholder’s card is skimmed and then used in the U.S. and cashed out, the German bank can go back to the U.S. and say, Our client was a victim of fraud. You owe us the money.’ So American Express, Discover Card, Visa and MasterCard have all stated that those that fail to become EMV compliant may be subject to paying the cost of making these people whole and reimbursing them.”
That may be one reason why credit card issuers in the U.S. may soon support the EMV chips.
“In Germany, for example, you do have a chip in every card, but you can skim that card,” Hayes pointed out. “You can’t use it in Germany because any terminal in Germany is going to say this card doesn’t have a chip, so you’re not going to get any money from it. But somebody can take that skimmed data and bring it to the U.S. and use it on a terminal that’s not EMV compliant and withdraw money from that person’s account over here. That’s what happening over here. That’s why the U.S. is the focus of these criminals. They can skim cards in Europe, but they can’t use them in Europe, so they bring them to the U.S. and use them here.”