NAC challenges FICO on ATM fraud
The National ATM Council Inc. asked Fair Isaac and Company (FICO) to substantiate its recent claims of escalating debit card fraud at nonbank ATMs. In a statement issued March 27, 2017, FICO asserted that debit card fraud rose 546 percent in 2016, with 60 percent of on-site fraud occurring at nonbank ATMs. The data contradicts NAC's 2016 survey, which found few skimming devices installed in retail ATMs, NAC representatives stated.
"ATM terminals in brightly lit, well-populated retail stores are far less likely than bank ATMs to be targets of card data theft and skimming," said NAC Board Chairman George Sarantopoulos. "Outdoor, on-premises bank ATMs are typically left unattended and out of sight of bank personnel, making them the perennial targets of choice for card and PIN data theft."
Bruce Wayne Renard, NAC Executive Director, added, "Last year, when FICO issued a similar press release about non-bank ATM fraud volumes, NAC surveyed over 160 ATM companies. Nine out of ten respondents never found a skimming device on their ATMs, and more than 50 percent had been in the retail ATM business for more than 10 years."
Contrasting perspectives, cultures
FICO, founded in 1956 by engineer Bill Fair and mathematician Earl Isaac, has evolved into an international authority on predictive analytics, credit scoring, and business rules management and optimization. Publicly traded on the New York Stock Exchange under the symbol FICO, the company is 20 percent owned by leading banks, including Bank of America Corp., JPMorgan Chase & Co. and Wells Fargo & Co.
NAC, established in 2012, is dedicated to the needs of independent ATM owners, operators and suppliers. The not-for-profit association represents members' best interests in an array of issues and initiatives, which include the approaching October 2017 EMV (Europay, Mastercard and Visa) liability shift, Operation Chokepoint and an ongoing legal battle against Visa Inc. and Mastercard over ancillary ATM fees imposed on retail ATMs.
"Given the competitive nature of the nation's largest banks, FICO's card fraud data makes sense," Renard said. "The data is skewed in much the same way as big banks impose egregious penalties on their own cardholders each time they use a competitor's ATM."
Debatable data points
"The number of payment cards compromised at U.S. ATMs and merchants monitored by FICO rose 70 percent in 2016," FICO stated. "The number of hacked card readers at U.S. ATMs, restaurants and merchants rose 30 percent in 2016."
Renard called FICO's statement on compromised payment cards misleading and biased against retail ATM terminals. Chief among his concerns are the following:
- Inconclusive fraud origination points: "FICO refers to card 'compromises,' without identifying where fraud originated and where card data was stolen," Renard stated. "Based on FICO's own descriptions, 'compromise' could encompass the use of cloned and counterfeit cards at retail ATMs and not the skimming theft of card data. This is a big distinction, with a big difference."
- Incomplete metrics: Renard noted that FICO cites percentages without providing actual figures. "While there may be a percentage increase in card fraud at retail ATMs, the absolute number of skimming incidents and card data theft is still minuscule in comparison to the skimming that takes place at the bank ATMs," he said. "When you start at zero, which is where card skimming at retail ATMs has stood historically, future incidents will represent a 'huge' percentage increase, while their absolute number remains low."
- Implausible objectivity: "As a for-profit enterprise traded on the NYSE, with heavy bank ownership of its stock, FICO's latest report is highly suspect with respect to its findings on card fraud at ATMs that compete with bank ATMs," Renard stated.
Reducing counterfeit fraud
Renard and Sarantopoulos acknowledged the ongoing EMV migration has elevated short-term threat levels across the entire ATM and retail payments ecosystem, as criminals make one last grab at mag-stripe counterfeit fraud. Despite these imminent risks, they said, ever-vigilant independent ATM owners, vendors and deployers have not seen a spike in on-site skimming.
"When EMV was rolled out in other countries, statistics show a measurable jump in card fraud during the transition period, as the mag-stripe land grab was ending," Sarantopoulos said. "NAC has worked diligently over the past several years to raise awareness of this short-term, escalating threat window throughout the U.S. retail ATM sector, even though skimming at retail ATMs has not been an issue in the past."
"While we have no doubt that, during the current EMV transition, criminals are using more and more counterfeit, cloned cards to try and steal money from all ATMs and point of sale devices, which has occurred in other countries during initial EMV implementation, it is inaccurate to suggest that skimming theft of cardholder data is a significant issue at retail ATMs in America," Renard added.
NAC representatives have asked FICO for supporting data points and a long-form copy of the unpublished 2016 debit card fraud report. The Green Sheet reached out to FICO for comment and will update this story should FICO respond.