rom card compromises and identity theft to network-security breaches and the potential for encryption hacks, mainstream media reports have flooded the airwaves and headlines with stories of high-tech breaches that have compromised ATMs and POS devices. But experts agree it's the relatively low-tech external attacks that consumers and deployers should be wary of.

The tried and true methods of ATM attack are still the most popular among fraudsters.

Skimming is still No. 1

Anna Istnick, Senior Product Marketing Manager for North Canton, Ohio's Diebold Inc., says card-skimming is by far the world's No. 1 ATM-related crime.

In the United States, Boston-based TowerGroup estimates that financial institutions (FIs) lose almost $1 billion annually to stolen cards and skimming at the ATM and POS. And regardless of efforts to combat skimming, the U.S. Secret Service estimates that fraud losses from skimming cost about $350,000 a day in the United States (TowerGroup: "Turning Phishing into Cash: Criminal Convenience at the ATM?" August 2005).

Andreas Pollklaesener, a Banking Security Specialist for Paderborn, Germany-based Wincor Nixdorf International, says card-skimming at the ATM and POS continues to grow throughout the world. And as long as use of the magnetic stripe lingers, card compromises will continue to grow.

"This crime is increasing all over the world," he said. "Many in the world still use the magnetic stripe at the POS and ATM to get consumer data and the PIN. And the two together can be used to create cards, which are being sent over the Internet and can be used at any type of ATM to get money. This kind of crime is still growing, so skimming has a major effect."

Why is skimming so prevalent? Because it's easy, Pollklaesener said.

Fraudsters have learned how to manipulate the system by leaving a skimming device on an ATM for only 30 to 45 minutes. By the time an FI detects anything, the skimming device and the criminals are long gone.

The dawn of the Internet age has only fueled the problem.

"It used to take one or two weeks for the duplicated card data to be transferred to another country - now it takes only one to three days," Pollklaesener said. "And then the data is only used one to two months, so it's hard for networks to track. The trend is copy it fast, use it fast."

Manufacturers have responded to skimming problems with security features like "jitter" or "enhanced card drive," which varies the direction and speed of the card as it's read by the ATM. The varied motion scrambles the magnetic-stripe data as it's read so that only the FI can read it. If the information is copied, it's illegible.

But opinions about jitter's effectiveness are divided.

Even with the jitter, says Wincor's Pollklaesener, cards can still be skimmed.

"Jitter is a security feature, but it helps only for simple skimmers," he said. "With motorized skimmers or extended skimmers, only a sensory solution will protect them."

Rob Evans, Director of Industry Marketing for Dayton, Ohio-based NCR Corp., said ATM security should be approached holistically.

"Jitter is very effective, but jitter is not all NCR recommends," he said. "We also recommend the Fraudulent Device Inhibitor," which automatically sends an alert to the FI when one of its ATMs has been tampered with. The inhibitor also prevents cards-trapping. NCR's Intelligent Fraud Detection plays a similar role in that it detects changes to the ATM's fascia and actually prevents a skimming attack.

Evans and Pollklaesener agree that using sensory technology to detect when something has been attached to an ATM is a good idea. With such technology an FI can be alerted when a change occurs, and it can then decide whether to take the affected ATM offline.

"We think that the best thing to do is to make the ATM the least attractive target," Evans said.

Ram raids come in a close second

Where card skimming is primarily an FI ATM problem, ram-raid attacks are a retail/ISO problem. And in the States, blunt-force attacks on the ATM have edged their way into first place among ATM-related crimes.

Off-premises machines, by their nature, are skimming deterrents, since they are always within eye-shot of a store clerk; but they're prime targets for ram raids.

Like card-skimming, industry experts try to stay ahead of the ram-raid curve, but it's a challenge since the frequency of attacks tends to ebb and flow.

"It's just hard times," said Diebold's Istnick of the rise in ram raids. "It's just a reflection of desperation."

The industry is making strides to deter ram raids with ink-stain packs that explode when cassettes are removed, bullhorn-like alarms that go off when ATMs are shifted or moved, and by bolting ATMs more tightly to floors and foundation.

But common-sense approaches, like ensuring ATMs aren't located next to plate-glass windows or doorways - prime targets for ram raids - usually have the greatest impact, Evans said.

Increased awareness about some of those vulnerabilities has brought the industry together, Evans said. Though their vulnerabilities tend to differ, figuring out how to address ATM security from an industry perspective has narrowed the chasm between them.

"If the card-carrying public says, for instance, 'I don't feel good about pulling out my debit card here at the bar and using the ATM,' it's a problem that affects all of us," he said. "It's a general consumer concern that really is bubbling up right now. You asked why now? Well that's why. Consumers are just picking up on this stuff."

Because of that "bubbling up" effect on public perception, NCR launched its NCR Secure initiative, a consulting service designed to help retailers and FIs up their ATM security.

Diebold initiated a similar effort last year with the launch of Playing It Safe, a Web site geared toward consumer safety at the ATM.

"One [ATM] problem is no more great than another," Evans said.

Link to original article: www.atmmarketplace.com/research.htm?article_id=26577&pavilion=4&step=story