Skip to content
Link copied to clipboard
Link copied to clipboard

ATM skimmers: Taking your money while they still can

As a computer-security researcher, Steve Manzuik says he's "a little more paranoid" than the average person when it comes to his credit and debit cards. He's familiar enough with ATM skimmers - devices that mimic an ATM's card reader to swipe data - to say he could probably make one.

As a computer-security researcher, Steve Manzuik says he's "a little more paranoid" than the average person when it comes to his credit and debit cards. He's familiar enough with ATM skimmers - devices that mimic an ATM's card reader to swipe data - to say he could probably make one.

But even Manzuik, 42, director of security research at Duo Security, couldn't escape getting caught by one. One morning in December, he got an email saying about $600 was withdrawn from his account at an ATM in Beverly Hills. Manzuik, who was at home in Las Vegas, immediately called his bank.

The bank canceled his card, and a new one arrived about four days later. Getting his money back took about a week and a half, he said: "I was lucky I didn't need that account."

Fraud involving ATM skimming devices is on the rise, according to data from FICO Card Alert Service, which monitors transaction data for bank clients. FICO doesn't release specific numbers, but it recently reported a nearly 550 percent increase nationwide in the number of ATMs compromised by criminals in 2015 compared with 2014.

Skimming is by far the most common way fraudsters obtain card data, according to FICO. Each incident took less time than in 2014 and affected about half the number of cards, which T.J. Horan, vice president of fraud solutions at FICO, attributed to criminals taking a "quick hit" approach.

There are a wide variety of ATM skimming devices, but many involve a card reader that can be affixed atop the genuine card slot to "skim" card details from the magnetic strip on the back. Because debit cards typically require a four-digit PIN, an ATM with a skimming device also often has a false keypad or pinhole camera to record the digits punched in.

A sharp-eyed customer might be able to spot skimming devices, but as they get smaller and more sophisticated, even a bank employee might struggle to notice them, said David Tente, executive director of the ATM Industry Association's U.S. and Latin America chapters

Upgrades that will let ATMs read the chips in newer credit and debit cards will likely cut down on use of tough-to-spot skimming devices, according to payment-industry experts. But they said fraud could rise, in the meantime, as criminals try to wring more dollars from skimming before it becomes less lucrative.

"I think what we're seeing is an indication it's imperative we make the change," said Doug Johnson, senior vice president of payments and cybersecurity at the American Bankers Association. "Criminals are realizing it's a window that's going away, and we need to make sure it does go away."

FICO's report found that criminals were increasingly targeting nonbank ATMs, such as those in convenience stores that may be less closely monitored, Horan said. Nonbank ATMs accounted for 60 percent of all compromised ATMs in 2015, up from 39 percent the year before, according to FICO.

Customers are generally reimbursed for fraudulent transactions as long as they're reported within 60 days.

The new chip technology, known as EMV, being rolled out at in-store terminals also is coming to ATMs. Oct. 1 marks the first of two dates that will shift liability for fraud from the financial institutions issuing cards to either ATM operators or the issuing institutions, depending on which has less current EMV technology.

Nearly 60 percent of U.S. ATM operators said they expected at least 75 percent of their ATMs to accept chip cards by the end of 2016, according to a survey by the ATM Industry Association.

Replacing an ATM costs about $2,000, but the cost of skimming fraud is a big incentive to upgrade, said Julie Conroy, retail banking research director with Aite Group, a financial-services consulting firm.

ATM operators estimated losses from a skimming device placed on a single machine ranged from $5,000 to $100,000 and averaged $650 per card, according to the ATM Industry Association's 2015 Global Fraud Survey. In countries that have already made the transition to chip cards and readers, ATM skimming fraud has declined, industry analysts said.

People whose cards already have them won't reap the benefits of the more-secure chips at ATMs unless the machines are equipped with chip-card readers. Even then, it will be possible to skim card details as long as chip cards also have the traditional magnetic stripe.