ATM Fraud Arrests: A Red Flag for Merchants7 Charged for Alleged Roles in Skimming Scheme at Gas Stations, Hotels
The arrests this week of seven men alleged linked to a skimming operation that targeted ATMs at retailers, including hotels and gas stations, is yet another indicator that U.S. merchants need to beef up the security of these devices.
What makes these non-bank ATMs attractive to fraudsters is that they typically aren't closely monitored or inspected, and they're rarely equipped with anti-skimming detection devices or solutions, says Shirley Inscoe, a fraud analyst at consultancy Aite.
"ATMs in gas stations or other retail locations may be tampered with, without people paying much attention," Inscoe says. "And since customers of many different financial institutions are using these ATMs, as opposed to a bank ATM that typically incurs heavy usage by its own clients, fraud trends may not be as readily apparent."
Details of Scheme
The U.S. Attorney's Office for the Southern District of New York announced Feb. 2 the arrests tied to the compromise of retail ATMs. Authorities allege that between January 2015 and December 2015, the seven individuals arrested colluded to install skimming devices on ATMs located at hotels and a gas station in Las Vegas. They also are accused of installing cameras, which were used to capture PIN data as it was entered by unsuspecting users on the ATMs' PIN pads.
The alleged fraudsters used the stolen card data to create counterfeit cards that were later used to make fraudulent ATM withdrawals in New York and Las Vegas, according to the indictment.
The scheme reportedly cost U.S. banks "thousands" of dollars in fraud losses, according to the Manhattan U.S. Attorney's Office. A spokeswoman for the office says the total monetary amount lost to fraudulent transactions is still being determined.
The seven men arrested have been charged with one or more counts of access device fraud; conspiracy to commit access device fraud; producing, using and trafficking counterfeit and unauthorized access devices; and aggravated identity theft.
Retail ATMs Under Attack
Attacks against retail ATMs can go undetected for extended periods, Aite's Inscoe says, because cards from so many different issuers are used at these machines. Unless all of the issuers share information about fraud trends they're seeing, connecting the dots can be difficult.
Retail ATMs are not inspected as often as ATMs in bank branches, which are regularly checked by staff, she adds.
"Unfortunately, many gas stations and retailers look at these ATMs purely as a source of income and fail to recognize the security issues," she says. "Often, they don't realize the level of sophistication fraudsters employ in matching the skimming devices (color, material, etc.) to the ATM surround/enclosure. The result is that the skimming devices can be quite difficult for an untrained eye to spot. Often, tiny cameras will also be mounted to capture the PIN entered by the customer, and these can be easily camouflaged as well."
John Buzzard, a fraud specialist at core banking processor FIS Global, says off-premises ATMs also are not typically placed in ideal or secure locations.
"Sometimes the off-premises machines are placed in woefully dark or remote locations within a property," he says. "I have been in some luxurious hotel properties and discovered the ATM down a dark hallway or installed under a set of unused stairs. This can contribute to risk when the placement isn't physically ideal."
He also says stronger contracts with the companies that install these ATMs at retail locations could help retailers prevent some of these skimming attacks from happening. "Part of the problem could be resolved in the lease that is signed between the owner of the ATM and the property owner where the machine sits," Buzzard says. "Who monitors for fraud? Who is responsible for surveillance footage in the aftermath of a security event? These are things that should be agreed upon before the first transaction is carried out."
More Skimming Ahead?
ATM skimming schemes are expected to become more common as the U.S. ramps up its EMV migration at the point of sale (see Alert: ATM Skimming Up in U.S.).
While merchants are working to update their POS terminals to accommodate EMV chip cards in the wake of the October 2015 fraud liability shift date, the liability shift date for ATMs is not until October 2017. That means ATMs - especially those at merchant locations - will be an even more attractive target for skimming attacks.
Retail ATMs have quickly become the sweet spot for criminals, says Owen Wild, global director of security solutions at ATM manufacturer NCR Corp.
"Due to the nature of their location, off-site and unattended ATMs will tend to be targeted more frequently than on-site," he says.
Banking institutions can invest in fraud management applications to help them track anomalous behavior at off-premises ATMs that might suggest fraud, Owen says. These applications can monitor the transactions and alert when unusual activities are detected, he explains. "This provides an enterprise view to detect fraudulent behavior."
But these applications are not a substitute for fundamental security enhancements in ATMs, he stresses.
For example, retailers have an obligation to invest in anti-skimming technology that could help prevent these types of attacks in the first place, Owen says. And they must more regularly inspect and monitor their ATMs.