ATM skimming is not a new or creative concept.
Skimming allows criminals to steal the information from the magnetic strip on debit and ATM cards so they can duplicate cards to empty the victims’ bank accounts via cash withdrawals or large purchases, all before the bank or the customer realizes it and deactivates the card.
With EMV becoming more widely accepted and adopted, it was assumed this problem would fade. The chip-enabled cards provide encryption and tokenization that is beyond the capabilities of criminals to break. But resourceful crooks will relentlessly probe systems, processes and people until they find a weakness or an opportunity. That weakness is the magnetic strip that still exists on all EMV cards.
When a crook places a skimmer on an ATM, gas station, restaurant, or other point-of-sale device, he's still able to copy the magnetic strip’s data if the device accepts the entire card.
This means that most ATMs, or anywhere a card is swiped because the merchant doesn’t support EMV, allow hackers access to the easy to defeat magnetic strip, even if the card itself is EMV.
Once criminals have copied the magnetic strip, they will duplicate the card without the EMV chip. And, if the ATM or point-of-sale device criminals use to steal money from is not EMV compliant, the owner of the non-EMV device can be held liable for the loss incurred. This is because EMV enabled ATMs or POS terminals are programmed to reject EMV cards that are swiped because the machine is expecting a chip.
For organizations with legacy equipment, all is not lost. It is worth working with your ATM service provider or credit card processor to build in business rules to stop cloned EMV cards from taking advantage of your legacy equipment.
For instance, during POS transactions where a customer swipes a card identified as EMV, it might be possible to have the terminal present the customer with a message to hand the card to the store employee. Employees could then be trained to verify the card has an EMV chip.
And for ATMs, reducing the amount of money that can be withdrawn from non-EMV-compliant terminals makes it more difficult for bad guys to steal.
The best solution, however, is to install EMV equipment and stay vigilant for the next wrinkle in the bad guys’ playbook.
