While far from unusual, a recent ATM skimming attack on Martha’s Vineyard highlights two particular lessons bankers need to know about these kinds of attacks: skimmers are becoming increasingly sophisticated in their methods of thievery and skimming is no longer just a big bank’s concern.

Throughout July and August, skimmers targeted a Martha’s Vineyard Savings Bank ATM in Oak Bluffs. In total, they stole about $180,000 from up to 160 customers over Labor Day weekend, said Lt. Tim Williamson of the Oak Bluffs Police Department.

Williamson said the case is progressing and police have honed in on two suspects, due mainly to bank employees’ vigilance.

The average ATM user, he explained, spends a minute or two in the vestibule and mainly uses his or her dominant hand to swipe the card, withdraw cash and collect a receipt, but when the bank’s employees watched surveillance footage, two men in particular stuck out because they spent only about 20 seconds in the vestibule and would use both hands to place the skimming devices.

“The first individual would come in and place the skimmer over the card slot, and the second individual would come in immediately behind him, and he would place the camera,” Williamson said.

He said the ATM in question was located in a downtown area with heavy foot-traffic and the thieves would plant the device around 5:30 p.m. and remove it five hours later, outside of normal banking hours.  

Better Skimming Technology

“The more expensive skimmers tend to include a data transmission component that will protect the scammer’s asset,” explained Brian Krebs, a journalist who writes about cyber-crime and computer security at KrebsonSecurity.com. “In a perfect world, the bad guy never wants to have to come back to the scene of the crime. Even the most expensive skimmers don’t want to lose their equipment, but they want the option of not having to go back to the scene.”

Bluetooth technology is popular now, so the skimmer has to wait only a block or two away while his investment collects and transmits the purloined data. Krebs said the even more advanced skimmers will incorporate GSM technology into their machines, cannibalizing cellphone parts to use in the ATM skimmer.

Criminals now also build their devices to suit the specific make and model of ATM the thief wants to skim. Williamson said that’s what the suspects in the Oak Bluffs skimming operation did.

Unreliable Stats

There are few reliable statistics about the yearly costs of ATM skimming, said Brent Woodside, manager of ATM security at Diebold. For one thing, many financial institutions aren’t exactly eager to reveal their losses. Some estimates put industry-wide losses at about $8 billion annually, and tech company NCR estimates that across the 20,000 or so reported instances of ATM skimming last year, each incident averaged a loss of approximately $50,000.

But it can be difficult to even trace a skimming attack back to a specific bank or ATM, Woodside said, because the criminals don’t typically put that stolen data to work the very next day. Weeks could pass before they actually compromise the customer’s account and by that point, the customer may not connect the attack on their finances with the visit they paid to a compromised ATM over a month ago.

One possible solution is the “chip” card that has an EMV smart chip embedded into it. Krebs said these are currently more popular in Europe and have lead to dramatic declines in ATM skimming incidents there, but with one hitch: the magnetic stripe is backwards-compatible. That means that card information is still skimmed in Europe, but the information is actually deployed and the account compromised in the U.S.

Until chip-embedded cards and ATMs become the norm worldwide, Woodside recommended that banks invest in multiple layers of security to guard against ATM skimming.

Smaller banks, he said, have been particularly vulnerable in recent years since larger banks have invested more dollars into extra security measures.

Williamson offered clues for spotting an ATM skimmer. Look for scratch marks that might have been made by tools or adhesive residue left by tape. Woodside recommended daily ATM inspections and said, “Get to know your ATM. Take a picture of it, if you need to. Watch for anything different.”

Whatever you do, don’t try to remove or tamper with the skimmer, but instead contact bank security or law enforcement. The chances are pretty good the thief who planted it there may be waiting nearby and he more likely than not wants to protect his investment.

Woodside recalled a recent skimming attack that was revealed when a customer using the ATM noticed a keypad overlay and picked it up to snap a picture of it.

“As soon as he did, a person walked up and ripped it out of his hands and walked away,” Woodside said. 

Email: lalix@thewarrengroup.com