The Green Sheet Online Edition
April 24, 2017 • Issue 17:04:02
NAC challenges FICO on ATM fraud
The National ATM Council Inc. asked Fair Isaac and Co. (FICO) to substantiate its recent claims of escalating debit card fraud at nonbank ATMs. In a statement issued March 27, 2017, FICO asserted that debit card fraud rose 546 percent in 2016, with 60 percent of on-site fraud occurring at nonbank ATMs. The data contradicts NAC's 2016 survey, which found few skimming devices installed in retail ATMs, NAC representatives stated.
"ATM terminals in brightly lit, well-populated retail stores are far less likely than bank ATMs to be targets of card data theft and skimming," said NAC Board Chairman George Sarantopoulos. "Outdoor, on-premises bank ATMs are typically left unattended and out of sight of bank personnel, making them the perennial targets of choice for card and PIN data theft."
Bruce Wayne Renard, NAC Executive Director, added, "Last year, when FICO issued a similar press release about nonbank ATM fraud volumes, NAC surveyed over 160 ATM companies. Nine out of ten respondents never found a skimming device on their ATMs, and more than 50 percent had been in the retail ATM business for more than 10 years."
Contrasting perspectives, cultures
FICO is recognized as an international authority on predictive analytics, credit scoring, and business rules management and optimization. Publicly traded in the New York Stock Exchange, the company is 20 percent owned by leading banks, including Bank of America Corp., JPMorgan Chase & Co. and Wells Fargo & Co.
NAC is dedicated to the needs of independent ATM owners, operators and suppliers. The not-for-profit association represents members in an array of issues and initiatives. "Given the competitive nature of the nation's largest banks, FICO's card fraud data makes sense," Renard said. "The data is skewed in much the same way as big banks impose egregious penalties on their own cardholders each time they use a competitor's ATM."
Debatable data points
FICO additionally stated, "The number of payment cards compromised at U.S. ATMs and merchants monitored by FICO rose 70 percent in 2016. The number of hacked card readers at U.S. ATMs, restaurants and merchants rose 30 percent in 2016." Renard called FICO's statement on compromised payment cards misleading and biased against retail (nonbank) ATMs. Among his concerns are:
- Inconclusive fraud origination points: "FICO refers to card 'compromises,' without identifying where fraud originated and where card data was stolen," Renard stated. "Based on FICO's own descriptions, 'compromise' could encompass the use of cloned and counterfeit cards at retail ATMs and not the skimming theft of card data. This is a big distinction, with a big difference."
- Incomplete metrics: "While there may be a percentage increase in card fraud at retail ATMs, the absolute number of skimming incidents and card data theft is still miniscule in comparison to the skimming that takes place at the bank ATMs," Renard said. "When you start at zero, which is where card skimming at retail ATMs has stood historically, future incidents will represent a 'huge' percentage increase, while their absolute number remains low."
- Implausible objectivity: "As a for-profit enterprise traded on the NYSE, with heavy bank ownership of its stock, FICO's latest report is highly suspect with respect to its findings on card fraud at ATMs that compete with bank ATMs," Renard stated.
Reducing counterfeit fraud
Renard and Sarantopoulos acknowledged the ongoing EMV migration has elevated short-term threat levels across the entire ATM and retail payments ecosystem, as criminals make one last grab at mag-stripe counterfeit fraud. Despite this, they said, ever-vigilant independent ATM owners, vendors and deployers have not seen a spike in on-site skimming.
"NAC has worked diligently over the past several years to raise awareness of this short-term, escalating threat window throughout the U.S. retail ATM sector, even though skimming at retail ATMs has not been an issue in the past," Sarantopoulos said.
"While we have no doubt that, during the current EMV transition, criminals are using more and more counterfeit, cloned cards to try and steal money from all ATMs and point of sale devices, which has occurred in other countries during initial EMV implementation, it is inaccurate to suggest that skimming theft of cardholder data is a significant issue at retail ATMs in America," Renard added.
NAC representatives have asked FICO for supporting data points and a long-form copy of the unpublished 2016 debit card fraud report. The Green Sheet reached out to FICO for comment and will update this story should FICO respond.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.