More scammers are targeting bank-owned ATMs: FICO

ATM hacker
Fraudsters are getting more brazen and technologically savvier, according to FICO, which reporting a significant increase both in the number of compromises and in the cards affected per compromise.
Adobe Stock

Card-skimming attacks on ATMs are rising, and they're also becoming more brazen, with bank-owned ATMs targeted in a third of all attacks in the first half of 2023.

In the first half of 2022, bank ATM compromises accounted for just 20% of all attacks, according to Fair Isaac Corp. Bank-owned ATMs are typically considered more secure than independent or free-standing ATMs, according to Debbie Cobb, FICO's senior director of product management, who spearheaded the data collection. 

Scammers are also more active, and each attack is more lucrative. The first half of 2023 saw a 77% increase in the number of cards compromised compared to the first half of 2022. This number, which has increased at a faster rate than the number of compromise events, represents a 48% increase in the average number of cards affected per compromise in the first half of 2023. 

This trend is "deeply concerning" for the industry, said Andrew Latham, certified financial planner and content director at SuperMoney.com. 

"[The data] is indicative of the elevated skill and audacity of modern-day fraudsters who are leveraging increasingly sophisticated techniques to skim more cards in a single incident," said Latham. "They're not just hitting more targets; they're making each hit count significantly more."

Latham attributes the rise in the last few years to "the rapid digital transformation, driven in part by the global pandemic," that has "propelled vast segments of our daily transactions online, creating a fertile ground for fraudsters."

Fraudsters are looking at terminals that get more traffic, but it is also more likely that skimming devices are getting better camouflaged — and thus can remain in use for a longer period of time before the ATM's owner spots them.

A typical ATM skimmer consists of an insert or overlay for the card reader to capture the card data, and a camera or fake PIN pad to capture the user's PIN.

More sophisticated thin "shimming" devices that insert into the card slot are much more difficult to detect than traditional overlays. Shimming devices can copy and save information from EMV-chip cards to clone their magnetic stripes, according to Ally Armeson, executive director at the Cybercrime Support Network. 

Terminals are outfitted with skimmers, shimmers and pinhole cameras for an average of one to two weeks before cardholders' details are then used for fraud, according to Cobb. 

Scammers are also increasingly targeting users of Electronic Benefit Transfer cards under the Supplemental Nutrition Assistance Program or Temporary Assistance Program. This year, New York City saw a surge of compromised EBT cards when shoppers tried to pay at the cashier. In these cases, the grocery stores' point-of-sale devices had been compromised or outfitted with skimming hardware.

EBT cards are easier and cheaper targets than most credit and debit cards because they have not switched over to EMV-chip security. Scammers can clone these cards using only magnetic-stripe data, and can identify if that data belongs to an EBT card by its BIN, according to Cobb.

Scammers know when these cards get funded, and can drain the accounts before a consumer has a chance to spend the benefit money, Cobb said. 

"The speed at which new technologies are adopted often leaves vulnerabilities that are quickly seized upon by criminals," added Latham.

However, it's not to say that only those dependent on legacy payments systems are being squeezed for cash. This card skimming increase is representative of fraudsters improving on all fronts. 

The FICO report also highlighted an uptick in authorized push payment fraud, in which the fraudsters scam customers into wiring money directly to the criminal under the pretense they are paying a legitimate fee. Scams account for billions of dollars of direct losses to consumers, with the Federal Trade Commission reporting that U.S. consumers lost $8.8 billion to scams in 2022, a 30% increase over 2021.

"The difficult piece is that the criminal is tricking the actual consumer into making the transaction," said Cobb.

Banks and card vendors must begin to use a "layered approach" in the arms race between institutions and transgressors, Cobb said. 

Issuers can use third-party AI models to look for unique or abnormal behavior for a specific customer based on their history of transactions, to flag suspicious activity. The challenge is determining what constitutes "normal" spending — patterns that are often unpredictable. 

Larger financial institutions are beefing up their own technological defense mechanisms, while smaller ones are looping in fintechs. 

JPMorgan Chase's new large language fraud detection models can detect signs of fraud by analyzing patterns that are close together and far apart. The international payments messaging organization Swift is merging AI into some of its existing products, like its mid-transaction service where each bank can set a threshold for transactions that need a second look. 

The most important aspect of developing successful anti-fraud technology is the scope of the data, said Brent Jackson, founder and CEO of Torpago, a card and spend management fintech. 

"We're also seeing a lot of banks roll out more best-in-class partners. A lot of newer fintech companies like Alloy have access to thousands of data points that you can cross reference. It really elevates the bank's fraud capabilities," Jackson said.

He added that his team errs more on the side of caution with transactions that come their way. The fintech will block a charge at the point of sale if it exhibits any fraud signs. If the transaction is vetted, customers can go ahead and authenticate it through their bank.

Safeguards like multi-factor authentication, biometric verification and one-time passwords can also help deter skimming attempts.

Who wins — fraudsters or banks — depends on who is most precise and thorough. For financial institutions, this means examining customers' payment and spending habits holistically. 

"Identifying a scam means understanding the nuances of how you typically interact, and what types of transactions a consumer would make," said Cobb. "Even though it's your device, and you made the transaction, is it part of your typical trend?"

For reprint and licensing requests for this article, click here.
Technology Payments
MORE FROM AMERICAN BANKER