Banks in Europe are seeing innovative skimming attacks against ATMs, where fraudsters rig special devices to the cash machines to record payment card details.
Many banks have fitted ATMs with devices that are designed to thwart criminals from attaching skimmers to the machines. But it now appears in some areas that those devices are being successfully removed and then modified for skimming, according to the latest report from the European ATM Security Team (EAST), which collects data on ATM fraud throughout Europe.
Skimming devices are designed to record the account details from the magnetic stripe on the back of a payment card. The data can then be encoded onto a dummy card. A person's PIN (personal identification number) is often captured with a micro-camera, which was done with the illicitly modified anti-skimming devices, according to the report.
Banks in five countries also reported seeing a new type of skimming device, which uses a modified MP3 player to record card details. It also has a micro-camera to record PINs, according to a photo seen by IDG News Service.
EAST doesn't reveal which banks noticed the fraud or the country in which it occurred. EAST only notes whether the attack occurred in a country that is a "major deployer" of ATMs - where there are more than 40,000 machines in the country. Those countries include France, Germany, Spain, Russia and the U.K.
Installing malicious software on an ATM is a more sophisticated way to execute fraud. One country of the five major deployers saw this style of attack, which was first seen in Eastern Europe in 2007.
ATMs often run operating systems such as Microsoft's Windows CE and are vulnerable to attacks executed remotely and by people who break into the machines to install malware. Both kinds of attacks were demonstrated by security researcher Barnaby Jack at the Black Hat conference in Las Vegas in July.
European banks haven't seen a new kind of attack called "shimming." This attack involved inserting an extremely thin plastic circuit board into a point-of-sale device or ATM. It then can record data either on the card itself or transmit the data using a wireless transmitter. Due to the design of ATM machines in Europe, "we don't think shimming is an ATM threat," said Lachlan Gunn, EAST's coordinator.
Overall, European banks have seen a record number of skimming attacks this year, but losses actually fell, according to figures released by EAST last month. Skimming losses amounted to €143.5 million (US$202.1 million) for the first half of this year, down 7 percent from the €154.1 million reported in the last half of 2009. The decline was attributed to the widespread deployment in Europe of chip-and-PIN (Personal Identification Number) cards or EMV (Europay, MasterCard, Visa) cards.
An ATM that is EMV-compliant checks the card's PIN via the microchip in order to let a transaction proceed. Cloned cards that do not have the microchip usually will not work.