Card-skimming attacks on ATMs are rising, and they're also becoming more brazen, with bank-owned ATMs targeted in a third of all attacks in the first half of 2023.
In the first half of 2022, bank ATM compromises accounted for just 20% of all attacks,
Scammers are also more active, and each attack is more lucrative. The first half of 2023 saw a 77% increase in the number of cards compromised compared to the first half of 2022. This number, which has increased at a faster rate than the number of compromise events, represents a 48% increase in the average number of cards affected per compromise in the first half of 2023.
This trend is "deeply concerning" for the industry, said Andrew Latham, certified financial planner and content director at SuperMoney.com.
"[The data] is indicative of the elevated skill and audacity of modern-day fraudsters who are leveraging increasingly sophisticated techniques to skim more cards in a single incident," said Latham. "They're not just hitting more targets; they're making each hit count significantly more."
Latham attributes the rise in the last few years to "the rapid digital transformation, driven in part by the global pandemic," that has "propelled vast segments of our daily transactions online, creating a fertile ground for fraudsters."
Fraudsters are looking at terminals that get more traffic, but it is also more likely that skimming devices are getting better camouflaged — and thus can remain in use for a longer period of time before the ATM's owner spots them.
A typical ATM skimmer consists of an insert or overlay for the card reader to capture the card data, and a camera or fake PIN pad to capture the user's PIN.
More sophisticated thin "shimming" devices that insert into the card slot are much more difficult to detect than traditional overlays. Shimming devices can copy and save information from EMV-chip cards to clone their magnetic stripes, according to Ally Armeson, executive director at the Cybercrime Support Network.
Terminals are outfitted with skimmers, shimmers and pinhole cameras for an average of one to two weeks before cardholders' details are then used for fraud, according to Cobb.
Scammers are also increasingly
EBT cards are easier and cheaper targets than most credit and debit cards because they have not switched over to EMV-chip security. Scammers can clone these cards using only magnetic-stripe data, and can identify if that data belongs to an EBT card by its BIN, according to Cobb.
Scammers know when these cards get funded, and can drain the accounts before a consumer has a chance to spend the benefit money, Cobb said.
"The speed at which new technologies are adopted often leaves vulnerabilities that are quickly seized upon by criminals," added Latham.
However, it's not to say that only those dependent on legacy payments systems are being squeezed for cash. This card skimming increase is representative of fraudsters improving on all fronts.
The FICO report also highlighted an uptick in authorized push payment fraud, in which the fraudsters scam customers into wiring money directly to the criminal under the pretense they are paying a legitimate fee. Scams account for billions of dollars of direct losses to consumers, with the Federal Trade Commission reporting that U.S. consumers lost $8.8 billion to scams in 2022, a 30% increase over 2021.
"The difficult piece is that the criminal is tricking the actual consumer into making the transaction," said Cobb.
Banks and card vendors must begin to use a "layered approach" in the arms race between institutions and transgressors, Cobb said.
Issuers can use third-party AI models to look for unique or abnormal behavior for a specific customer based on their history of transactions, to flag suspicious activity. The challenge is determining what constitutes "normal" spending — patterns that are often unpredictable.
Larger financial institutions are beefing up their own technological defense mechanisms, while smaller ones are looping in fintechs.
JPMorgan Chase's new
The most important aspect of developing successful anti-fraud technology is the scope of the data, said Brent Jackson, founder and CEO of Torpago, a card and spend management fintech.
"We're also seeing a lot of banks roll out more best-in-class partners. A lot of newer fintech companies like Alloy have access to thousands of data points that you can cross reference. It really elevates the bank's fraud capabilities," Jackson said.
He added that his team errs more on the side of caution with transactions that come their way. The fintech will block a charge at the point of sale if it exhibits any fraud signs. If the transaction is vetted, customers can go ahead and authenticate it through their bank.
Safeguards like multi-factor authentication, biometric verification and one-time passwords can also help deter skimming attempts.
Who wins — fraudsters or banks — depends on who is most precise and thorough. For financial institutions, this means examining customers' payment and spending habits holistically.
"Identifying a scam means understanding the nuances of how you typically interact, and what types of transactions a consumer would make," said Cobb. "Even though it's your device, and you made the transaction, is it part of your typical trend?"