Many security-savvy readers of this blog have learned to be vigilant against ATM card skimmers and hidden devices that can record you entering your PIN at the cash machine. But experts say an increasing form of ATM fraud involves the use of simple devices capable of snatching cash and ATM cards from unsuspected users.
Security experts with the European ATM Security Team (EAST) say five countries in the region this year have reported card trapping incidents. Such attacks involve devices that fit over the card acceptance slot and include a razor-edged spring trap that prevents the customer’s card from being ejected from the ATM when the transaction is completed.
“Spring traps are still being widely used,” EAST wrote in its most recently European Fraud Update. “Once the card has been inserted, these prevent the card being returned to the customer and also stop the ATM from retracting it. According to reports from one country – despite warning messages that appear on the ATM screen or are displayed on the ATM fascia – customers are still not reporting when their cards are captured, leading to substantial losses from ATM or point-of-sale
According to EAST, most card trapping incidents take place outside normal banking hours with initial fraudulent usage taking place within 10 minutes of the card capture (balance inquiry and cash withdrawal at a nearby ATM), followed by point-of-sale transactions.
A twist on this attack involves “cash traps,” often claw-like contraptions that thieves insert into the cash-dispensing slot which are capable of capturing or skimming some of the dispensed bills. Here are a few pictures of a cash-trapping device from an EAST report released earlier this year.
Not all cash trap devices are so diabolical looking, or made to be inserted into the machine. The images below show a cash trap removed from the face of a cash dispenser (left) and a cash trap as designed to be fitted onto an ATM (right).
EAST reports that one of the most common ways that ATM thieves are stealing cash these days involves jamming an oversized fork-like device into the cash dispenser slot to keep it open following a normal ATM transaction. Thieves in Europe reportedly used this method to steal more than a million Euros from French cash machines this year.
As in past reports, EAST found that while ATM skimming remains an entrenched problem in Europe, most of the fraudulent transactions that result from skimming attacks on European ATMs occur outside of Europe. EAST believes this is because more than 90 percent of European ATMs now are compliant with the so-called “chip and pin” approach, also known as the EMV (an initialism for Europay, Mastercard and VISA) standard.
ATM cards store account data on magnetic stripes on the backs of the cards, and thieves have focused their attention on lifting the data from customer cards — either through handheld skimmers — or via magnetic strip readers on ATM skimmers. The data can then be re-encoded onto blank ATM cards, and used at ATM along with the victim’s PIN to withdraw cash. The EMV approach uses a secret algorithm embedded in the chip planted into each ATM card. The chip encodes the card data, making it harder (but certainly not impossible) for fraudsters to read information from them or clone them.
Needless to say, U.S. based financial institutions do not require chip-and-PIN, and that may be a contributor to the high fraud rates in the United States. In response, according to EAST, one or more card issuers in eight European countries have now introduced some form of geo-blocking by which payment cards are blocked for usage outside of designated EMV Chip liability shift areas.
If you liked this story, please see my entire series on ATM skimmers.