Credit and debit card skimmers aren’t just for ATMs anymore. According to European anti-fraud experts, innovative skimming devices are turning up on everything from train ticket kiosks to parking meters and a host of other unattended payment terminals.
Recently, at least five countries reported skimming attacks against railway or transport ticket machines, according to the European ATM Security Team (EAST), a not-for-profit organization that collects data on skimming attacks. Two countries reported skimming attacks at parking machines, and three countries had skimming incidents involving point-of-sale terminals. EAST notes that Bluetooth devices increasingly are being used to transit stolen card and PIN data wirelessly.
The organization also is tracking a skimming trend reported by three countries (mainly in Latin America) in which thieves are fabricating fake ATM fascias and placing them over genuine ATMs, like the one pictured below. After entering their PIN, cardholders see an ‘out-of-order’ message. EAST said the fake fascias include working screens so that this type of message can be displayed. The card details are compromised by a skimming device hidden inside the fake fascia, and the PINs are captured via the built-in keypad, which overlays the real keypad underneath.
EAST found that eight countries reported cash-trapping attacks at ATMs, with three of the eight nation’s reporting “significant increases” in this type of attack. The most common method of cash trapping used by crooks continues to involve what’s known as a “cash claw,” a device designed to be inserted into the cash dispense slot on an ATM and pry additional bills from the machine as it opens to dispense cash.
The latest report from EAST continues to emphasize that most card fraud stemming from skimming incidents in Europe is in fact perpetrated outside of Europe, particularly in the United States, the Dominican Republic, Brazil, Mexico, Peru and Thailand.
EAST posits that a big reason for this trend is the broad adoption in Europe for a bank card security standard known as EMV (short for Europay, MasterCard and Visa), more commonly called “chip-and-PIN.” Most European banks have EMV-enabled cards, which include a secret algorithm embedded in a chip that encodes the card data, making it more difficult for fraudsters to clone the cards for use at EMV-compliant terminals. Because chip-and-PIN is not yet widely supported in the United States, skimmer scammers who steal card data from European ATM users tend to ship the stolen card data to buyers or co-conspirators in the United States, where the data is encoded onto fabricated cards and used to pull cash out of U.S. ATMs.
EAST notes that in ten European countries, one or more card issuers have now introduced some form of “geo-blocking,” by which payment cards are blocked for usage outside of designated EMV Chip liability shift areas. The organization found that issuers which have adopted such tactics continue to show a decline in skimming incidents and in skimming related losses.
Update, Mar. 31, 9:27 a.m.: A reader who services ATMs took issue with my description of the way these cash claws typically operate. He offered a different explanation: The claw is pushed into the dispenser by the thief. When a customer requests cash the cash becomes trapped in the claw and is not visible by the customer because its behind the cash shutter/slot. The machine reports a fault with dispensing and is unable to pull the cash back from the dispenser because the claw us trapping it. The thief returns when the victim leaves and forces the shutter open and pulls the claw and cash out. According to the ATM guy, this kind of attack can vary in how its performed. For example the shutter can be forced open first and the claw inserted.