Europe's ATM skimming attacks rise, but losses fall
IDG News Service - European banks reported a record number of skimming attacks, where payment card details were captured by criminals as bank customers tried to withdraw cash from ATMs.
Banks reported 5,743 attacks in the first six months of this year, according to the European ATM Security Team (EAST), a nonprofit group composed of national payment organizations, financial institutions and law enforcement. The figure represents a record high since EAST first began keeping statistics in 2004.
The number of attacks was 3% higher than the second half of 2009 and up 24% over the first half of 2009. But despite the higher number of attacks, losses fell.
Skimming losses were €143.5 million ($202.1 million) for the first half of this year, down 7% from the €154.1 million reported in the last half of 2009. The decline is likely due to a couple of factors, said Lachlan Gunn, EAST's coordinator, who prepared the report.
Nearly 95% of cash machines in 31 countries in the Single European Payments Area (SEPA) support chip-and-PIN (Personal Identification Number) cards or EMV (Europay, MasterCard, Visa) cards. An EMV-compliant ATM will confirm the card's PIN via the microchip in order to let a transaction proceed.
But most payment cards still have a magnetic stripe on the back containing the card's account details. That's the target of fraudsters. By attaching an external recording device near where a bank card is inserted into an ATM, a fraudster can "skim" those details and encode them onto a dummy or clone card.
The clone card lacks the microchip and won't work in EMV-compliant machines. But it will work in countries that don't use the EMV system, such as the U.S. Also, some banks in Europe will still allow their cards to go into a "fallback" mode, where if the chip doesn't work, the transaction can proceed anyway using the magnetic stripe. That feature is also useful for banks with customers traveling in countries that don't use EMV.
As a result, cybercriminals tend to export the card details and use the clone card elsewhere. EAST's figures show that domestic losses for the first half of this year -- where cards issued in a country are also used for fraud there -- fell 44% compared to the last half of 2009. Many card issuers have also stopped allowing their cards to go into fallback mode, which contributed to the decline, Gunn said.
Skimming fraudsters are "having to work a lot harder now to get less," Gunn said.
But international losses increased by 7%, which "indicates that criminals are continuing to find ways to use counterfeit cards in countries that are not EMV compliant." EAST members reported that those losses occurred in Argentina, Australia, Azerbaijan, Brazil, Canada, Dominican Republic, Egypt, Jordan, Hong Kong, Kenya, Lebanon, Malaysia, Mexico, Morocco, Peru, Philippines, Russia, South Africa, Thailand and the U.S.
European countries that have some machines that use fallback mode include Austria, Bulgaria, Finland, Germany, Italy, the Netherlands, Poland, Romania, Spain, and the U.K.
To combat the problem, banks affiliated with Visa have been slowly issuing cards with the EMV microchip but no magnetic stripe. So far banks in Austria, Belgium, Bulgaria, France, Germany, Italy, Netherlands and Switzerland have committed to issuing the new cards, according to Visa.
"As long as they have mag stripes, the criminals can still attack them," Gunn said.