ATM skimmers swipe your data and then your money

  • By Lauren Zumbach Chicago Tribune
  • Friday, May 27, 2016 9:53am
  • Business

As a computer security researcher, Steve Manzuik says he’s “a little more paranoid” than the average person when it comes to his credit and debit cards.

He’s familiar enough with ATM skimmers — devices that mimic an ATM’s card reader to swipe card data — to say he could probably make one, if he desired.

But Manzuik, 42, director of security research at Duo Security, couldn’t escape getting caught by one. One morning in December, he got an email saying about $600 was withdrawn from his account at an ATM in Beverly Hills. Manzuik, who was at home in Las Vegas, immediately called his bank.

The bank canceled his card, and a new one arrived about four days later. Getting his money back took about a week and a half, he said.

“I was lucky I didn’t need that account,” said Manzuik.

Fraud involving ATM skimming isn’t new but is on the rise, according to data from FICO Card Alert Service, which monitors transaction data for bank clients. FICO recently reported a nearly 550 percent increase nationwide in the number of ATMs compromised by criminals in 2015 compared with 2014.

Skimming is by far the most common way fraudsters obtain card data, according to FICO.

Each of those incidents took less time than in 2014 and affected about half the number of cards, which T.J. Horan, vice president of fraud solutions at FICO, attributed to criminals taking a “quick hit” approach.

There are a variety of ATM skimming devices, but many use a card reader that can be affixed on top of the genuine card slot to “skim” card details from the magnetic strip on the card. Since debit cards typically require a four-digit personal identification number, an ATM with a skimming device also often has a false keypad or pinhole camera to record the digits customers punch in.

A ‘fix’ is on the way

Upgrades that will let ATMs read the chips in newer credit and debit cards, similar to those already being rolled out in card readers at store checkout counters, will likely cut down on use of tough-to-spot skimming devices, according to payment industry experts.

But fraud could rise in the meantime as criminals try to wring more dollars from skimming before it becomes less lucrative.

“I think what we’re seeing is an indication it’s imperative we make the change,” said Doug Johnson, senior vice president of payments and cybersecurity at the American Bankers Association. “Criminals are realizing it’s a window that’s going away, and we need to make sure it does go away.”

FICO’s report found criminals were increasingly targeting nonbank ATMs, such as those in convenience stores, which may be less closely monitored.

Nonbank ATMs accounted for 60 percent of all compromised ATMs in 2015, up from 39 percent the year before, according to FICO.

Customers are generally reimbursed for fraudulent transactions as long as they’re reported within 60 days.

The new chip technology, known as EMV, being rolled out at in-store terminals is also coming to ATMs.

Oct. 1 marks the first of two dates that will shift liability for fraud from the financial institutions issuing cards to either ATM operators or the issuing institutions, depending on which has less up-to-date EMV technology.

Nearly 60 percent of U.S. ATM operators said they expected at least 75 percent of their ATMs to accept chip cards by the end of 2016, according to a survey by the ATM Industry Association. Since Manzuik’s card details were stolen, he said he’s more careful to shield the ATM keypad with his wallet as he types in his PIN.

But even he doesn’t bother trying to spot skimmers on ATMs.

“Some are so small now you wouldn’t notice unless you were prying around to see if anything’s loose, which is suspicious behavior in front of an ATM,” Manzuik said.

“I try to be as careful as I can, but I’m not doing anything silly or losing sleep over it.”

Avoid ATM skimming

Pay close attention to anything that looks out of place, such as a card reader that’s not firmly attached or doesn’t let a card enter smoothly.

Use ATMs you’re familiar with so you’ll be more likely to notice a change that indicates tampering.

Stick to ATMs in secure, well-monitored locations.

When typing in a PIN code, cover the keypad to thwart pinhole cameras.

Regularly check your transactions through an online banking app, paper statement or email and text transaction alerts.

Compiled from industry experts

Talk to us

> Give us your news tips.

> Send us a letter to the editor.

> More Herald contact information.

Support local journalism

If you value local news, make a gift now to support the trusted journalism you get in The Daily Herald. Donations processed in this system are not tax deductible.