As ATM protections evolve, skimmers adapt
The suspect struck in daylight, wearing mirrored sunglasses and a black bicycle helmet.
He rode a black mountain bike to the drive-up ATM at an F&M Trust branch in Hampden Township, Cumberland County and stopped there for “an unusually long period of time,” according to local police.
A teller noticed. Police investigated and found items that led them to believe the cyclist had connections to a recent string of skimmer-device discoveries in Cumberland County. Skimmers are devices that criminals install on or inside card terminals to steal credit card numbers, often by copying information from the cards’ magnetic stripes.
Any machine that accepts debit and credit cards can become a target, with police periodically finding skimmers at banks, stores and other businesses throughout Central Pennsylvania over the past several years. Most businesses, though, have upgraded their card readers to accept more-secure chip cards, adding a layer of difficulty for criminals who use the kinds of skimmers that copy magnetic stripes.
This switch from swipe cards to chip cards has left thieves with two options: target gas stations, which have not yet had to upgrade their machines, or find ways to steal information from the chip cards.
Criminals are doing both.
Gas pumps at risk
Skimmers have tricked unsuspecting card owners into handing over access to their credit and bank accounts for years, with criminals bringing in anywhere from a few hundred to a few million dollars during skimming sprees reported over the past several years. Industry experts had hoped chip cards would solve the problem.
The cards have embedded computer chips — called EMVs, an acronym for chip creators Europay, MasterCard and Visa — that replace the magnetic stripes that have long transmitted information to payment processors. The chip cards have been commonplace in Europe for years and entered the U.S. several years ago.
MasterCard and Visa have driven the timeline for accepting chip cards in the U.S. by shifting liability for fraudulent purchases from themselves to whichever party in a transaction has the least secure technology. Businesses that own ATMs and payment terminals could find themselves on the hook for skimmer-related fraud if they fail to upgrade their technology to accept chip cards.
Reimbursing customers for fraudulent transactions can add up. Although exact dollar amounts for skimmer-related fraud are difficult to come by, credit card fraud in general cost Americans a record $16 billion in 2016, according to Javelin Strategy & Research’s 2017 identity fraud study.
There is one exception to the shift in liability for fraud: gas stations.
Visa and MasterCard initially expected businesses to have EMV-accepting terminals at gas pumps by October 2017, the same deadline for ATM owners to upgrade their machines. But the card companies pushed the deadline back to October 2020, however, after realizing the costs involved in the upgrades — which could require some gas stations to replace entire fuel pumps — as well as the potential for a shortage of EMV-compliant equipment, Visa said in a statement in December 2016.
“Now that most retail establishments have the chip readers inside at the checkout or the kiosk, that kind of takes that options away from the thieves,” said John Bitner, head of Cumberland County’s weights and measures department, which inspects fuel pumps. “The one remaining place is at the gas pumps.”
Americans swipe their credit and debit cards at fuel stations about 29 million times per day, said Jeff Lenard, spokesman for the National Association of Convenience Stores, a trade group based in Alexandria, Va. Skimming devices, however, only affect a tiny percentage of those transactions. When criminals target a station, they often install a device only at a single pump, capturing an average of 30 to 100 cards per day.
Just because skimmers are rare does not mean fuel-pump owners can let their guard down, Lenard said. Station owners can protect customers by installing special tape on their pumps that show when a criminal may have opened a device to install a skimmer inside the machine. They also can check for external skimmers, which fit over top of existing equipment, by looking for card readers that seem loose when wiggled, or keypads that appear less worn than surrounding equipment.
Gas station owners in Cumberland County are receiving help from Bitner’s department to check for these devices.
Weights and measures officials conduct annual inspections at all of the county’s roughly 100 gas stations to ensure their equipment works as advertised to consumers. It recently, however, added a new round of random inspections throughout the year to look specifically for skimming devices.
The department started the inspections in November, not long after police reported a skimmer device found at a fuel pump near Mechanicsburg. The inspections take about a half hour each, and the department’s three full-time employees can often conduct the checks on their way to and from other appointments.
During an inspection, a county official will check the exterior of the pumps for signs of tampering, as well as open up the devices to check for internal skimmers, devices that are more likely to be installed on older pumps that can sometimes be opened by a standard key criminals can buy online. Smaller stations might also be more vulnerable to skimmer activity, especially ones that close overnight.
Bitner is not aware of any surrounding counties that operate similar programs separate from their regular annual fuel pump inspections. Only a few of Cumberland County’s neighbors even have local weights and measures departments, with other areas relying on state resources.
As of Nov. 9, Bitner’s department had not uncovered any skimming devices during the roughly half dozen checks conducted since the start of the program. County employees also have educated gas station owners about how to look for skimmers themselves — a step that Bitner hopes will dissuade any future criminals.
More than one way
Despite the growing use of EMV cards, the number of merchants and ATM owners reporting compromised card readers is on the rise, by as much as 30 percent between 2015 and 2016, according to credit-reporting agency FICO.
Some cases of compromised machines are likely attributable to card readers that had yet to make the transition to EMV. But there’s more than one way to skim a card.
Some cases might have resulted from so-called “shimmer” attacks — which involve installing devices that can pull certain kinds of information directly from an EMV chip. Exact statistics on shimmer attacks are difficult to come by, and EMV cards are still significantly more difficult for thieves to crack than are magnetic-stripe cards, according to security experts.
Advances in technology also have not stopped criminals from trying to target bank-based ATMs. The suspicious cyclist spotted by the F&M Trust teller in Hampden Township may have also tried to target ATMs around Carlisle, Boiling Springs and Chambersburg, police said Nov. 4.
A range of midstate financial institutions have reported skimming devices at their ATMs over the years. One group of criminals based in York went on a skimming spree in 2014 — targeting Members 1st Federal Credit Union in Hershey and Mechanicsburg, Santander Bank in Spring Grove and York, Centric Bank in Linglestown, Fulton Bank in Hershey and Jonestown Bank and Trust in Lebanon — before police caught them in late 2015.
F&M Trust recommends consumers protect themselves from skimmers and other threats by monitoring their financial accounts and immediately notifying the bank of any suspicious activity.
“Technology is an integral part of our lives today, but with all of the innovation and convenience technology brings us, it also brings risk,” bank officials said in a statement. “Threats to our financial well-being can come from many different areas and in many different forms.”