The evolution of ATM fraud

With all the attention paid to online fraud issues, it’s easy to forget that bank teller machines are still being targeted by money-hungry crooks. And, over the years, these criminals have become more sophisticated in their attacks.

By Karen Epper Hoffman

Mark Autrey isn’t sure if ATM fraud is on the rise, based on his limited sample of just seven ATMs. But he does see criminals’ methods as “ever evolving.”

Autrey is the chief information officer at $355 million-asset Four Corners Community Bank in Farmington, N.M. “As we find ways to combat known methods,” he says, “the criminals come up with new ways to work around newer technology.

“Shimming is slowly replacing skimming as more terminals become EMV-compliant,” he adds. “Cash traps are increasing due to the ability to make cards easily with 3D printers.”

While the spotlight is shining bright on online fraud and security, community banks know that ATMs are still a prime target for criminals looking to score quick cash. And, with more than 425,000 ATMs currently in use across the country, there are a lot of ready targets for them to hit. In March, credit scoring company FICO reported that the number of debit cards compromised at ATMs and merchant devices in the U.S. rose 10 percent in 2017 over the previous year. In 2016, ATM fraud jumped a full 70 percent over 2015, according to FICO.

“Fraudsters continue to get more sophisticated, and it shows,” says Al Pascual, senior vice president of research and head of fraud and security, Javelin Strategy & Research, a Greenwich Associates LLC company. The number of ATM fraud victims in the U.S. has increased more than 50 percent in only a year, from 403,000 in 2016 to 614,000 in 2017, according to Javelin. “They are sourcing card numbers and PINs more effectively by gaining access to ATMs to install skimming devices that are wholly undetectable from the outside, making the lives of vigilant consumers and bank security officers more difficult,” says Pascual.

Evolving fraud
Mauriceo Castanheiro, director of fraud analytics for Verafin, says, “Fraud has been migrating to the digital channel over the last few years as the industry continues to provide more products and services in the digital space, and fraudsters take advantage of the digital channel’s global reach. However, that does not mean that fraud on other channels, such as ATMs, is going away. It is simply evolving.” 

Mary Ann Miller, senior director and fraud executive advisor for NICE Actimize, says ATM fraud is on the rise “due to the flexibility and sophistication of the modern ATM to offer more banking services. The ability to deposit a check at the ATM is a favorite way for fraudsters to exploit the fund’s availability and cash it out.”

New attacks, largely physical in nature, have been migrating to the United States from overseas, primarily Europe. “Financial institutions need to be aware of these attacks—from jackpotting to the physical theft of entire machines—and implement solutions to mitigate these risks,” says Castanheiro. “But criminals are also using ATMs as a preferred channel for other frauds.”

He says sophisticated attacks are targeting customers to get around the perimeter controls the industry has implemented. These controls include multifactor authentication, PCI and EMV chip cards. 

“The ATM is a convenient channel for these types of fraud,” he says, “due to the ease of access and ability to break the traceability of fraudulent funds.”

Common scams
As a relatively small and well-secured bank, Four Corners Community Bank considers itself lucky. “We have been very fortunate and have not had any successful attacks at our ATMs,” Autrey says. “Our seven ATMs are all located at branches and have good video coverage. That may have something to do with why we haven’t been a target.”

But ATM thieves are becoming more sophisticated. As a result, no bank is safe from these potential attacks. Here are a few types of attacks on the rise.

Skimming
Skimming is the copying of data from a payment card’s magnetic stripe. It’s not new, but the parameters of this type of fraud are shifting as payment technology evolves. For example, the magstripes on EMV chip cards contain data indicating that the card has a chip. So if a fraudster copies an EMV chip card’s magstripe and tries to use the copy in an ATM, the issuer will know that the card should have a chip. If the chip isn’t present, the ATM should reject it.

Quick stat

614,000

Number of ATM fraud victims in 2017, up from 403,000 in 2016

To get around this, thieves are shifting toward lower-tech attacks, such as trapping a chip-enabled payment card in the machine and retrieving it later. Also, criminals are transmitting much of the data they glean wirelessly, “whether by Bluetooth or even cellular technology,” says Pascual, “meaning the fraudsters never need to retrieve the skimming device, reducing their risk and emboldening them further.”

“The ability to deposit a check at the ATM is a favorite way for fraudsters to exploit the fund’s availability and cash it out.”
—Mary Ann Miller, NICE Actimize

Over the years, criminals have developed several variants of this attack, including overlaid skimming devices and internal skimming devices. Card skimming continues to be “the top threat in the ATM environment,” according to Miller, because newer skimming devices, like Bluetooth skimmers, are easily and cheaply available over the counter and can be quickly installed at ATMs.

Hijacked terminals or “black box attacks”
Black box attacks usually involve attaching a device to an open USB port. Rather than exploiting software vulnerabilities, the malware mounts a “logical” attack, using the native protocols, middleware and communication within an ATM to achieve a fraudulent outcome.

“While the placement of card skimmer devices that capture and steal individual account and password information remains the biggest ATM fraud threat, there are new threats to manage that also have become prominent,” says Miller of NICE Actimize. These include hijacking teller machines, using malware or jackpotting.

Malware
Experts began seeing ATM malware, such as Cutlet Maker, in central and western Europe in 2017, according to the European Association for Secure Transactions (EAST). Cutlet Maker is “a run-of-the-mill program with a mildly amusing user interface,” according to a December 2017 blog from enterprise data security provider Trend Micro. Typically, crooks load malware onto an ATM with a USB stick and then use a dynamic link library from the ATM’s manufacturer to send commands to the cash machine’s dispensing unit.

Jackpotting
Jackpotting is the newest and perhaps most concerning type of ATM attack. Here, the criminal installs software in the ATM to make it spit cash as if they’re winning a casino jackpot. “Jackpotting has become more prevalent, as standalone ATMs are bastions of older, vulnerable technology where unpatched software and older operating systems are not uncommon,” Pascual says.

Jackpotting attacks rose 231 percent in 2017 in Europe compared to 2016, according to EAST. There were 192 incidents reported last year, compared with 58 in 2016. (Europe has about 420,000 ATMs, slightly fewer than the United States’ 425,000.) Most incidents involved attaching some sort of device, referred to as a black box, to an ATM. The black box then uses native ATM commands to cause the machine to dispense all of its cash.


Karen Epper Hoffman is a writer in Washington state.

Top