Why EMV won’t keep card-skimming crooks away from ATMs
At the end of September, the first of the EMV liability shifts for ATMs — specifically, the one for MasterCard — will go into effect.
In less than 465 days, the second shift — this one for Visa — will go live, as well. At this point, nothing short of an act of Congress will prevent ATM operators and acquirers from shouldering financial fallout for ATM fraud.
Actually, an act of Congress might not be out of the question. Dick Durbin, the Illinois senator who created a massive EMV headache for the U.S. payments industry with his payments-regulating amendment to the Dodd-Frank Act, is now looking into the EMV standard.
Durbin recently fired off letters to the Federal Trade Commission and the major card brands asking them some inopportune questions — about the composition of EMVCo and the PCI Security Standards Council; about EMV certification timelines; about the decision to employ chip and signature in the U.S. rather than the more secure chip and PIN; and about the ongoing inclusion of a data-laden and skimming-prone magnetic stripe on U.S. debit and credit cards.
Considering the tone of Durbin’s letters and the unpersuasive nature of the card companies’ responses, it’s not unthinkable that the senator will step up with some new ideas for “leveling the payments field.” In fact, further payments system tinkering seems very thinkable.
Meanwhile, EMV migration plans move forward and the card brands insist that there will be no adjusting the liability shift deadlines. And no removing the mag stripe from U.S.-issued cards, for now.
Which means that ATM operators will still be targeted by fraudsters and their ever-smaller and more sophisticated skimming devices.
In fact, most industry experts predict that ATM fraud attacks will rise as the U.S. converts to the EMV standard and thieves rush to make the most of pilfered card data.
In April, FICO Card Alert Service, which monitors hundreds of thousands of ATMs in the U.S., reported that fraud at ATMs increased nearly sixfold between 2014 and 2015. Of this, 60 percent occurred at retail ATMs, compared with 39 percent in 2014, FICO said.
“Criminals are taking a quick-hit approach to ATM theft and card fraud,” said T.J. Horan, FICO VP of fraud solutions, in an April 8 press release. “They are moving faster to make it harder for banks to react and shut down the compromises. They are targeting nonbank ATMs, which are more vulnerable.”
The National ATM Council, whose membership mostly comprises independent ATM deployers, disputes the FICO statistics.
According to executive director Bruce Reynard, “NAC believes the actual incidences of card skimming at retail ATMs is low and that the FICO report may be referring to the use of stolen card data at retail ATMs vs. the actual theft of the data at these terminals,” he said.
The FICO release does not support this interpretation, though. It explicitly says that, “The number of ATMs in the U.S. compromised by criminals rose 546 percent ...” (emphasis ours.)
Regardless of who’s right, almost no one disputes that ATM fraud will rise before EMV is fully implemented. In a recent ATM Marketplace webinar sponsored by TMD Security, a provider anti-skimming solutions, Tom Moore, the company’s managing director for North America said that:
Losses resulting from cards that were issued and skimmed in Europe but used for fraud internationally rose 20 percent in 2014 to almost $309 million. The top locations for reported fraud spend on cards skimmed in Europe are the USA, Indonesia and Thailand.
This trend is likely to continue until all regions have fully implemented EMV and the magnetic stripe has been removed from our cards.
Total debit fraud in Canada was more than CA$142 million ($114 million) in 2009. By 2014, just two years after EMV adoption, total debit fraud had plunged to just over CA$16 million ($13 million). …
… Domestic debit fraud at the ATM averaged nearly CA$2,400 ($1934) per terminal in 2009. By 2014, that figure had been slashed to a mere CA$33 ($27) per terminal.
Cornell believes the U.S. will see a similar precipitous drop in skimming losses at ATMs as EMV nears coast-to-coast implementation.
When the chip finally goes global, the mag stripe will go away, Moore said: “How long will this be? Well, industry experts predict at least another five years.”
Until this happens, the only absolutely positively 100 percent-reliable way to prevent card skimming is to prevent the card itself from coming in contact with the ATM card reader. Mobile and NFC transaction solutions are making this a genuine and viable option — especially for financial institutions who control their own ATM fleets and banking apps, but also for IADs who are willing to go to the expense and trouble to offer card-free cash.
Apart from this, the only solution for ATM deployers is EMV compliance. Because, skimmed mag stripe data will still have value to crooks who will continue to produce and use counterfeit cards in remaining non-EMV markets — and, of course, remaining non-EMV ATMs in EMV markets.
And nobody who wants to remain in business wants to be the last mag stripe-only ATM deployer standing.