Warning! Card Skimmers in NJ on the Rise: How to Spot Them, What to Do
in Compliance & Regulatory
By: Nicola Foggie, NJCUL Vice President, Compliance and Regulatory Affairs

This week, a credit union leader made NJCUL aware of a skimmer placed on a Wawa automated teller machine (ATM) located in the southern New Jersey town of Woodbury Heights. Thousands of dollars were skimmed from the victim’s account virtually overnight.

Card Skimming is a method used by criminals to capture data from the magnetic stripe on the back of an ATM card. Devices used are smaller than a deck of cards and are often fastened in close proximity to, or over the top of, the ATM's factory-installed card reader, and they are popping up everywhere, including across the state of New Jersey. According to a recent article posted by BankinfoSecurity, despite the recent bust of an alleged skimming ring in Massachusetts, ATM fraud is on the rise and shows no sign of abating.

One industry expert has a list of incident response tips (provided below) for financial institutions that want to fight back against ATM skimming attacks. Mike Urban, Senior Director of Fraud Solutions at FICO, says all types of ATMs—and even pay-at-the-pump gasoline stations—are under attack. According to BankinfoSecurity, in the last month, several skimmers have been found at gas stations around the nation, where the tech-savvy fraudsters are placing readers to capture the PIN and the card number before the PIN is encrypted. "I predict we're going to see more of those," Urban says. "They are targeting the weakness of the mag stripe, and that will be something we have to live with until a better solution is developed.”

The current trend began slowly, says Urban. Several years ago, the targets were primarily off-premise ATMs. Criminals could buy ATMs, place skimming devices in them, and collect card and pin information. Urban warns that criminals have begun focusing on financial institutions' ATMs once the encrypting PIN pad and other advancements in technology changed how PINs were protected.

Keep in mind:

  • Criminals placing skimming devices will target an attack for a day, a weekend, or a short period of time.
  • They usually go to other ATMs of the same model/make to attack that fit the look of the skimming device.
  • They are much more sophisticated than previous skimming devices.

"They also use the same paint coatings, so they are getting access to that information somewhere—those compounds that generally aren't available at a local hardware store,” says Urban. “You can't go in and order ATM gunmetal grey paint. There is a real industry around the creation of these ATM skimming devices."

The Challenge for Credit Unions
Many financial institutions, including credit unions, have not invested in real-time fraud monitoring of PIN-based transactions, Urban says, because traditionally risk has been lower. His advice: Institutions need to take a hard look at where they're going to spend monitoring money. "By now I mean getting ahead of the curve before the fraud starts to happen, and get PIN-based card transaction monitoring in place."

Technology advancement won't stop a determined criminal. It is a cat and mouse game, and from what Urban sees with increased skimming in the UK and Canada, "We're going to see significant increases in skimming."

Below are a few steps, suggested by Urban, that you can take now to help your credit union move toward combatting card skimming fraud. The League is also hosting a Cyber Security Roundtable on March 21 with FBI Supervisory Special Agent Brett Yeager who will discuss current and emerging cyber threats as well as security controls that can be used to protect your critical systems. Register here.

Action Items for Credit Unions:

  • Have a Plan — For what you do if you find a skimming device on one of your ATMs.
  • Document the Plan — List everything that should happen, people to be contacted, actions to be taken.
  • Educate Your Branch Employees — If a device is found, all employees should know what and what not to do. Educate branch employees and third-party vendors, as well as ATM servicers. Make sure they are monitoring the outside of the ATMs for residue or devices that actually are on the ATM.
  • Inspect All Locations — Frequently, checking the fascia and surroundings around the ATMs, making sure nothing has been added or moved.
  • Set ATM Standards — Including visual standards for all ATMs in all branches. Keep it standard. Take a photograph of each ATM, inside and outside. Show employees what it should look like, so ATMs can be quickly examined to see what may be out of place.
  • Don't Touch Skimmer If Found — Contact law enforcement if a device is found on the ATM. Tell employees to not touch it or pick it up or pull it off the ATM. Secure the area with bank robbery tape until law enforcement arrives.
  • Be Vigilant At All Times — Increase your checks on ATMs, especially if you've heard of ATM skimming in your area. If there are reports of ATM skimming, increase the number of checks. Even if there are no reports, have employees check ATMs in off-hours and over weekends, which are prime times for skimmers to be put on ATMs.
  • Contact Other Institutions — Share information with local and regional institutions about what's happening at your branches and make sure they share information with your institution.

For more information on card skimming awareness, contact NJCUL’s Nicola Foggie at nfoggie@njcul.org.

Source: www.bankinfosecurity.com