Fraudsters Trying to Capture Bank Cards at Machines

If your cash card gets eaten by the automated-teller machine, it may not end up in the hands of a bank employee.

European financial institutions are seeing a sharp rise in card "trapping," where criminals use various tricks in order to capture and retrieve a person's ATM card for fraudulent use.

For the first half of this year, financial institutions reported 1,045 trapping incidents, according to a new report from the European ATM Security Team (EAST), a nonprofit group composed of financial institutions and law enforcement. The figure, which covers 20 countries within the Single Euro Payments Area (SEPA), represents a 640 percent increase over the first half of 2008.

"For the first time, we've seen a significant spike in the number of card-trapping incidents," said Lachlan Gunn, EAST's coordinator. "It's a new trend."

Criminals may be turning to trapping as an alternative way to get around the main security feature for payment cards issued in Europe: the microchip.

European banks now use chip-and-PIN (personal identification number) cards, also known as EMV cards. During face-to-face transactions, customers must enter a PIN into point-of-sale devices, which authenticates the transactions. ATMs verify the presence of a chip to prevent the use of cloned cards without a microchip.

So far, it's not believed criminals have been able to successfully clone a microchip. Instead, they attach "skimming" devices onto ATMs or POS devices, which record a card's magnetic stripe that contains account details. Cameras or special keypad overlays can be used to obtain the PIN.

The magnetic stripe can then be copied onto a dummy card. But the criminal then has to find an ATM that doesn't check for the microchip. Usually, they've turned to countries further afield in Europe that haven't quite fully deployed chip-and-PIN compliant ATMs.

But now 92 percent of the cash machines in the SEPA verify the presence of the chip before allowing a withdrawal, Gunn said. Some fraudsters have looked to the U.S. in order to use cloned cards.

"A significant part of these losses are occurring in the USA, where magstripe signature-based transactions are allowed and where there are no current plans to introduce EMV at ATMs or other payment terminals," according to EAST's report.

But it appears some fraudsters would rather keep it local, instead trapping cards and then withdrawing money. Since they have genuine card, they don't have to worry about the microchip.

Gunn said they've been known to trap cards and then pull them out with tweezers. Another method is the "Lebanese loop." A device is placed on the ATM, which uses tape, a wire or strong thread to retain a card after it has been inserted. The PIN is obtained by shoulder-surfing, and card is retrieved when the customer leaves.

U.K. banks usually limit cash withdrawals to £500 (US$830) a day. The criminal can repeatedly take out money daily until the customer notifies the bank to shut down the card. EAST's report said trapping has been particularly acute in one country but declined to identify it.

Losses from card trapping still are far less than those from skimming. Trapping losses were amounted to €248,000 (US$370,000) compared to €156 million for skimming for the first half of the year, EAST said. Other kinds of ATM fraud caused €321,000 in losses.

Subscribe to the Security Watch Newsletter

Comments