
ATM skimming is like identity theft for debit cards: Thieves use hidden electronics to steal the personal
information stored on your card and record your PIN number to access all that hard-earned cash in your
account. That's why skimming takes two separate components to work. The first part is the skimmer
itself, a card reader placed over the ATM's real card slot [source: Krebs]. When you slide your card into
the ATM, you're unwittingly sliding it through the counterfeit reader, which scans and stores all the
information on the magnetic strip.
However, to gain full access to your bank account on an ATM, the thieves still need your PIN number.
That's where cameras come in -- hidden on or near the ATMs, tiny spy cameras are positioned to get a
clear view of the keypad and record all the ATM's PIN action [source: Walters]. Always pay attention to
objects mounted on the ATM or located close by. A pinhole or off-color piece of plastic could give away
the camera's hiding place. Cameras could even be hidden in brochure racks [source: Krebs].
Some ATM skimming schemes employ fake keypads in lieu of cameras to capture PIN numbers. Just like
the card skimmers fit over the ATM's true card slot, skimming keypads are designed to mimic the
keypad's design and fit over it like a glove. If you notice that the keypad on your ATM seems to protrude
oddly from the surface around it, or if you spy an odd color change between the pad and the rest of the
ATM, it could be a fake.

Skimming is the theft of payment card information used in an otherwise legitimate transaction. The thief
can procure a victim's card number using basic methods such as photocopying receipts or more
advanced methods such as using a small electronic device (skimmer) to swipe and store hundreds of
victims' card numbers. Common scenarios for skimming are restaurants or bars where the skimmer has
possession of the victim's payment card out of their immediate view.[9] The thief may also use a small
keypad to unobtrusively transcribe the 3 or 4 digit Card Security Code, which is not present on the
magnetic strip. Call centers are another area where skimming can easily occur.[10] Skimming can also
occur at merchants such as gas stations when a third-party card-reading device is installed either
outside or inside a fuel dispenser or other card-swiping terminal. This device allows a thief to capture a
customer's card information, including their PIN, with each card swipe.[11]
Instances of skimming have been reported where the perpetrator has put over the card slot of an ATM
(automated teller machine) a device that reads the magnetic strip as the user unknowingly passes their
card through it.[12] These devices are often used in conjunction with a miniature camera
(inconspicuously attached to the ATM) to read the user's PIN at the same time.[13][14] This method is
being used in many parts of the world, including South America, Argentina,[15] and Europe.[citation needed]
Another technique used is a keypad overlay that matches up with the buttons of the legitimate
keypad below it and presses them when operated, but records or wirelessly transmits the keylog of the
PIN entered. The device or group of devices illicitly installed on an ATM are also colloquially known as a
"skimmer". Recently made ATMs now often run a picture of what the slot and keypad are supposed to
look like as a background, so that consumers can identify foreign devices attached.

Skimming is difficult for the typical cardholder to detect, but given a large enough sample, it is fairly easy
for the card issuer to detect. The issuer collects a list of all the cardholders who have complained about
fraudulent transactions, and then uses data mining to discover relationships among them and the
merchants they use. For example, if many of the cardholders use a particular merchant, that merchant
can be directly investigated. Sophisticated algorithms can also search for patterns of fraud. Merchants
must ensure the physical security of their terminals, and penalties for merchants can be severe if they
are compromised, ranging from large fines by the issuer to complete exclusion from the system, which
can be a death blow to businesses such as restaurants where credit card transactions are the
norm.[citation needed]
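The issuer-side analysis described above (finding the merchant shared by many cardholders who reported fraud, often called common-point-of-purchase analysis) can be worked through on a small constructed dataset. This is an added example, not code from any issuer or from the original page; the transactions, card ids and merchant names are made up, and the scoring rule (count of affected cards, then the share of a merchant's customers who are affected) is one reasonable choice, not a standard.

```python
from collections import defaultdict
from datetime import date

# Constructed sample transactions: (card_id, merchant_id, date). Not real data.
TRANSACTIONS = [
    ("c01", "SUPERMARKET_1", date(2024, 3, 1)), ("c02", "SUPERMARKET_1", date(2024, 3, 1)),
    ("c03", "SUPERMARKET_1", date(2024, 3, 2)), ("c04", "SUPERMARKET_1", date(2024, 3, 2)),
    ("c05", "SUPERMARKET_1", date(2024, 3, 3)), ("c06", "SUPERMARKET_1", date(2024, 3, 3)),
    ("c07", "SUPERMARKET_1", date(2024, 3, 4)), ("c08", "SUPERMARKET_1", date(2024, 3, 4)),
    ("c01", "GAS_STATION_7", date(2024, 3, 5)), ("c02", "GAS_STATION_7", date(2024, 3, 6)),
    ("c03", "GAS_STATION_7", date(2024, 3, 7)), ("c04", "GAS_STATION_7", date(2024, 3, 8)),
    ("c05", "GAS_STATION_7", date(2024, 3, 9)),
    ("c01", "CAFE_2", date(2024, 3, 10)), ("c06", "CAFE_2", date(2024, 3, 11)),
]
# Cards whose holders complained about fraudulent transactions (constructed).
REPORTED_FRAUD = {"c01", "c02", "c03", "c04"}


def common_points_of_purchase(transactions, reported_cards, min_shared=3):
    """Rank merchants by how many fraud-reporting cards were used there.

    Returns tuples (merchant, affected_cards, affected_share, first_seen, last_seen):
      affected_cards  - distinct reported cards that transacted at the merchant
      affected_share  - affected_cards / all distinct cards seen at the merchant;
                        this separates a compromised terminal from a merchant that
                        simply serves everyone (high volume but low share)
      first/last_seen - exposure window bounded by the affected cards' visits
    """
    cards_at = defaultdict(set)    # merchant -> every card seen there
    visits = defaultdict(list)     # merchant -> dates of reported cards' visits
    for card, merchant, when in transactions:
        cards_at[merchant].add(card)
        if card in reported_cards:
            visits[merchant].append(when)
    ranked = []
    for merchant, cards in cards_at.items():
        affected = cards & reported_cards
        if len(affected) < min_shared:
            continue   # too few complaints to single this merchant out
        share = len(affected) / len(cards)
        ranked.append((merchant, len(affected), share,
                       min(visits[merchant]), max(visits[merchant])))
    # Most affected cards first; on a tie, the higher share of affected customers.
    ranked.sort(key=lambda r: (r[1], r[2]), reverse=True)
    return ranked


if __name__ == "__main__":
    for merchant, n, share, first, last in common_points_of_purchase(TRANSACTIONS, REPORTED_FRAUD):
        print(f"{merchant}: {n} affected cards ({share:.0%}), exposure {first} to {last}")
```

On the sample data both the gas station and the supermarket are visited by all four complaining cards, but only the gas station has a high share of affected customers, which is what points an investigator at its terminal rather than at a large merchant that everyone uses.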
ATM fraud is defined as the intentional act of trickery to unlawfully obtain funds from an ATM. Most
people associate ATM fraud with external crime, where the card or card number and associated PIN are
illegally obtained by outside individuals, gangs, or even more sophisticated organized crime syndicates.
The Federal Trade Commission (FTC) considers it a form of identity theft, and while identity theft had
been holding relatively steady for the last few years, the FTC cites a 20 percent increase in ATM fraud in
2011 alone.
From the onset of the proliferation in the use of ATMs, less sophisticated (but equally effective)
methods of ATM fraud have included card trapping, skimming, and keypad overlays. Trapping, as the
name implies, is where the customer's card is somehow trapped by the perpetrator, only to be retrieved
later. Skimming is where the perpetrator has put a device over the card slot of an ATM, which reads the
magnetic strip as the user unknowingly passes his card through it. These devices require the use of a
miniature camera (inconspicuously attached to the ATM) to read the user's PIN at the same time.
Lastly, where a hidden camera is not or cannot be employed, a keypad overlay can be used that matches
up with the buttons of the legitimate keypad below it (pressing them when operated) but records, or
wirelessly transmits to the perpetrator, the keylog of the PIN entries. Collectively, the device or devices
illicitly installed on an ATM are known as a skimmer, and the process is known as skimming.
4 Most Common Types of ATM Cyber Fraud
Today, the criminals have gotten a bit more technologically sophisticated, with the most common types
of ATM cyber fraud being:
Cassette Manipulation Fraud: The ATM is programmatically altered to dispense multiples of the
withdrawal amount with a single cash withdrawal transaction.
Surcharge Fraud: The ATM surcharge is programmatically set to zero on the attacker's card.
Confidentiality Compromise: The perpetrator gains unauthorized access to ATM system logs and the
confidential information stored therein, which can then be exploited.
Software Compromise Fraud: The catch-all for all other ATM fraud that involves the exploitation of
software vulnerabilities so as to manipulate the ATM operation itself.
Despite the variety of ways and means by which such fraud can be effected, the fact of the matter is that
ATM fraud is perpetrated externally, internally, and in some cases by way of some combination of the
two. In short, criminals have found that ATM fraud can be committed at lower personal risk, can often
be very lucrative, and can usually be carried out without the need for physical force or a weapon.
While the scope of the problem is enormous, as we read/hear about it almost every day in the media,
the total cost of ATM fraud in the U.S. is difficult to clearly establish, due in large part to organizations
being very guarded about releasing such information as well as the varying forms in which this type of
crime can occur.
What we do know is that fraud committed from the inside can be every bit as devastating as external
ATM fraud. Fraud committed by the actual person replenishing or servicing the machine can be as
simple as pilfering small amounts at a time or more complex with a carefully orchestrated shell game,
whereby larger amounts of funds in the machine are siphoned off undetected.
In this scenario, the fraudster carefully keeps the residual cash returned to the processing facility in line
with the machine dispense totals by shifting ATM funds between the same or another machine, which
goes undetected by those responsible for balancing. A two-person team for dual control, actually
performing ATM replenishment, may reduce the opportunity for loss, but may not be practical from a
cost standpoint. One ATM servicer alone can have access to over one hundred machines, allowing for an
opportunity to steal in excess of a million dollars, undetected for years. These crimes are oftentimes
uncovered through mere accident, with a fraudster getting out of his or her routine, causing an
out-of-balance situation identified at the processing facility and a resulting investigation.
Reducing the Potential for ATM Fraud
Some fundamental controls that should be in place to mitigate ATM losses include proper registering,
issuance and return, inventorying, and storage of access devices, along with completion and
accountability of servicing documentation. These fundamental controls are very important; however,
they may provide little resistance to the loss in the example above.
As an ATM service provider, there are some additional measures that can be implemented to reduce the
potential for ATM fraud occurring, or at least to keep it from growing out of control:
Rotate the ATM servicers, so that no one person handles the cash exclusively for a machine beyond a
specified point.
Develop an ATM cash audit program where the servicer's machines are randomly inspected onsite and
balanced by a designated two-person audit team at a specified interval. Greater emphasis and
frequency should be given to cash-add serviced machines.
The latter approach is only as effective as the program implementation. From a practical standpoint,
only a small number of the total machines serviced may be audited. However, a significant benefit of
deterrence can come from creating awareness with the servicer that any of their machines may be
subject to a cash audit at any time.

Preventive measures are typically stifled with cost constraints, particularly where the needs and sense of
urgency can be somewhat ambiguous to certain people. However, when a devastating situation unfolds,
the need for adequate internal controls becomes quite obvious. While any preventive approach is an
expensive one, the cost of not doing enough may be far greater in the long run.
The need for the financial services industry as a whole to embrace and apply universal fundamental cash
handling standards is imperative. Financial institutions doing business with the various vendors should
be able to have confidence that these standards are being followed. There should be absolute
transparency with the vendors, so the financial institution can see that the appropriate controls are in
place and consistently followed, as well as have the ability to have a full audit of all customer inventories,
not just their own, whenever requested.
Lowers & Associates (L&A), an international risk management firm with extensive experience in the
cash handling industry, knows and understands the best practices used today. L&A has various
programs with the leading CIT carriers and insurers to both conduct surveys that evaluate internal
controls compliance and perform full inventory cash and coin audits.
How to Secure Your ATM
Securing the ATM infrastructure is one of the most challenging tasks. The process requires the
involvement of the business, IT and third-party vendors. ATM security is a combination of physical
security, which is basically how to secure the assets; logical security, or how to protect operating
systems from malware; and finally fraud prevention, such as defending against skimming attacks.
In practice
An ATM Security Policy should be in place, or a related section should be added to the current Security
Policy. All ATMs should comply with PCI DSS, and all third parties, contractors, and providers involved in
ATM processing should comply with PCI DSS standards. A regular internal audit should be conducted to
ensure compliance with the security policy.
The ATM location should comply with the Crime Prevention Through Environmental Design concept
which provides guidelines and a set of rules on proper facilities design and environment, which affects
human behavior by reducing the occurrence of crimes. It addresses landscaping, entrances, facilities,
lighting, road placements, and traffic circulation patterns.
The ATM location should be far from any glass walls and close to a solid wall. There should be no direct
vehicle access to the ATM, and bollards should be added to prevent car jacking.
An ATM located in an open, visible area with proper lighting in place will help to prevent criminal
activities. The ATM should be firmly fixed to its location.
An onsite validation process should be put in place to approve the ATM location by the key players: the
bank or site owner, ATM vendor, ATM supplier, ATM cash replenishment companies, and local police
intelligence (who can report the crime history of the location). During maintenance, if ATM vault access
is needed, the branch or office should be closed and the cash withdrawn and placed in a vault for the
duration of the maintenance operations. An Intrusion Detection System should be in place in all areas
where the ATM is located.
The ATM should include its own alarm system and embedded CCTV cameras; the PIN keypad must not
be within the cameras' field of view, and the CCTV should be connected to a recorder and a centralized
screening system.
Consumers can increase PIN protection by guarding against shoulder surfing.
Including GPS as an additional component of an ATM can help to localize it in theft cases. As a
compensating control, active cash protection can be used, destroying the cash with ink, glue or gas.
Include an ATM review in the annual Risk Review
A process review should be in place to review log audit trails and security notifications, according to
security policies, standards and best practices. The process review covers changes to user profiles,
tracking of all unsuccessful logins or access attempts, use of privileged user accounts, and all major
events such as restarts, stops and changes in execution mode.
Administrators should not interact with ATMs directly from their personal computers or laptops. The PIN
should never be transmitted or stored in clear text, regardless of the media or channel used. ATM
network communication should be encrypted using a strong encryption protocol such as 3DES or AES;
the WEP protocol is prohibited.
Conduct regular ethical hacking tests and vulnerability scanning on the ATM network, including testing
for the presence of wireless access points; the exercise should cover black-box penetration testing,
malware analysis and source code review of the ATM firmware.
All passwords should be changed from the manufacturer's defaults. A disposal process should be in
place for the ATM; the HDD has to be wiped at end of life. Only users with administrator profiles should
be able to access ATMs through terminal services or the server. Patch management should be in place
and followed prior to installing any patches or fixes on ATMs, and all updates should be tested prior to
applying them in production.
Anti-virus protection should be implemented for all ATMs. Restrict physical access to ATMs, block all
unnecessary ports, and protect cables and switches, particularly in shared-occupancy facilities.
Patch installation on the ATM requires disconnecting the ATM from the network and taking it offline
during the installation process. To avoid any disruption in customer services, planning should take place.
All data on ATM HDD should be encrypted to prevent any unauthorized access during third party
maintenance or in theft cases.
Educate people (employees, consumers, third-party technicians) through training and awareness, and
share best practices. Random checks should be conducted by employees, inspecting the reader for
skimming devices during ATM maintenance and cash replenishment.
Deploy a detection system that senses and sends an alert and/or takes the ATM offline when anything is
attached to the card reader, keypad or fascia. Keep records of all security complaints. Use sensors and
detection systems which can trigger alerts or shut down an ATM if any external device is attached to the
card reader or keypad. Jitter technology and other behavioral software can detect and stop all
transactions which do not match the cardholder profile.
The responsibilities of third parties, contractors and providers should be clearly defined and stated in the
SLA, in case of fraud conducted through the ATM interface software or unapproved software installation.
Employees should not have full access to the ATM. Segregation of duties, least privilege and need-based
access should be followed to mitigate the associated risk. Implement a password policy according to
best practices, track all password-sharing cases through regular controls, and be sure to change the
default password.
Access control should be in place with two-factor authentication. Harden the ATM operating system and
disable all unnecessary user accounts (such as guest). User accounts should be locked after 3
unsuccessful attempts. Develop an incident response process for identified attacks, with a response
plan including tasks and personnel assignments.
Next Steps
Organizations need to assess and review the risk profile of their ATMs, because threats can vary
depending on the location, environment, facilities, CCTV, etc. A Risk Analysis will outline all
vulnerabilities and the related countermeasures or compensating controls to reduce and contain the
risk; these include prevention and detection controls.
The first is prevention: security policies, procedures and baselines; technical controls such as
firewalling; preventing unauthorized equipment from being physically plugged into the ATM; deterrent
controls such as CCTV cameras; and educating people through awareness training.
The second one is detection by monitoring, alerts notification, regular logs review, and vulnerability
assessment.
Physical security, logical security and fraud should not be addressed separately. As attacks become more
sophisticated, issues need to be addressed from the physical, logical and fraud perspectives together.
Multilayered security methods are the most effective. Layered security should be in place, perimeter
security through physical access control, firewalls, hardening the ATMs Operation System to secure and
close all unnecessary ports and make them unavailable for hackers and worms, regular pen testing,
secure maintenance process, use of centralized monitoring tools.
Monitoring is still one of the most important steps to secure ATMs. ATM monitoring capabilities provide a
set of messages, statuses, notifications and alarms which can be analyzed to identify problems or
security concerns; for example, notification of continual card reader failure might be an indication of a
tampering attack.
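The card-reader-failure signal mentioned above can be turned into a concrete monitoring rule: a burst of reader failures on one machine inside a short window raises an alert, while isolated failures do not. This is an added example, not code from the original article or from any ATM vendor's monitoring product; the log line format ("timestamp atm_id event"), the ATM ids and the threshold and window values are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed ATM status-log lines: "<ISO timestamp> <atm_id> <event> [detail]".
# Not real logs; ATM-0042 shows a burst of reader failures, ATM-0017 only isolated ones.
STATUS_LOG = """\
2024-03-05T10:00:01 ATM-0042 CARD_READER_OK
2024-03-05T10:02:10 ATM-0042 CARD_READER_FAIL read_error
2024-03-05T10:04:30 ATM-0042 CARD_READER_FAIL read_error
2024-03-05T10:06:45 ATM-0042 CARD_READER_FAIL read_error
2024-03-05T10:07:00 ATM-0017 CARD_READER_FAIL read_error
2024-03-05T10:08:15 ATM-0042 CARD_READER_FAIL read_error
2024-03-05T11:30:00 ATM-0017 CARD_READER_FAIL read_error
2024-03-05T12:15:00 ATM-0017 CARD_READER_OK
"""


def parse_status_line(line):
    """Split one log line into (timestamp, atm_id, event); trailing detail is ignored."""
    ts, atm, event, *_detail = line.split()
    return datetime.fromisoformat(ts), atm, event


def reader_failure_alerts(log_text, threshold=4, window=timedelta(minutes=15)):
    """Flag ATMs whose card reader fails `threshold` times within `window`.

    A run of read errors on one machine is the signal the monitoring text
    describes (an overlay on the slot tends to make legitimate reads fail);
    single failures, or failures spread over hours, are not alerted on.
    Returns a list of (atm_id, window_start, window_end, failure_count).
    """
    recent = defaultdict(deque)   # atm_id -> timestamps of failures in the window
    alerts, alerted = [], set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, atm, event = parse_status_line(line)
        if event != "CARD_READER_FAIL":
            continue
        q = recent[atm]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and atm not in alerted:
            alerts.append((atm, q[0], ts, len(q)))
            alerted.add(atm)              # one alert per machine per run
    return alerts


if __name__ == "__main__":
    for atm, start, end, n in reader_failure_alerts(STATUS_LOG):
        print(f"ALERT {atm}: {n} card reader failures between {start} and {end}; inspect for tampering")
```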
As the human factor is still the weakest link, employees, consumers, and providers should be aware of
ATM threats, therefore awareness program should be developed and conducted, the program includes
presentations, hands on training using multimedia presentations, formal session training, movies, flyers,
etc. to ensure a large communication and audience.
A holistic strategy will drive and protect Automated Teller Machine channels at all levels.
Knowing your employees may not be enough
Keep authorizations current
Separation of duties and dual approval
Protect your access information
Separate Online Access Functions
Protect your own and your customers' payment assets
Know your trading partners
Account reconciliation is critical
