European banks reported a record number of skimming attacks, where payment card details were captured by criminals as bank customers tried to withdraw cash from ATMs.
Banks reported 5,743 attacks in the first six months of this year, according to the European ATM Security Team (EAST), a nonprofit group composed of national payment organizations, financial institutions and law enforcement. The figure represents a record high since EAST first began keeping statistics in 2004.
The number of attacks was 3 percent higher than the second half of 2009 and up 24 percent over the first half of 2009. But despite the higher number of attacks, losses fell.
Skimming losses were €143.5 million (US$202.1 million) for the first half of this year, down 7 percent from the €154.1 million reported in the last half of 2009. The decline is likely due to a couple of factors, said Lachlan Gunn, EAST’s coordinator who prepared the report.
Nearly 95 percent of cash machines in 31 countries in the Single European Payments Area (SEPA) are chip-and-PIN (Personal Identification Number) cards or EMV (Europay, MasterCard, Visa) cards. An EMV-compliant ATM will confirm the card’s PIN via the microchip in order to let a transaction proceed.
But most payment cards still have a magnetic stripe on the back containing the card’s account details. That’s the target of fraudsters. By attaching an external recording device near where a bank card is inserted into an ATM, a fraudster can “skim” those details and encode them onto a dummy or clone card.
The clone card lacks the microchip and won’t work in EMV-compliant machines. But it will work in countries that don’t use the EMV system, such as the U.S. Also, some banks in Europe will still allow their cards to go into a “fallback” mode, where if the chip doesn’t work, the transaction can proceed anyway using the magnetic stripe. That feature is also useful for banks with customers traveling in countries that don’t use EMV.
As a result, cybercriminals tend to export the card details and use the clone card elsewhere. EAST’s figures show that domestic losses for the first half of this year — where cards issued in a country are also used for fraud there — fell 44 percent compared to the last half of 2009. Many card issuers have also stopped allowing their cards to go into fallback mode, which contributed to the decline, Gunn said.
Skimming fraudsters are “having to work a lot harder now to get less,” Gunn said.
But international losses increased by 7 percent, which “indicates that criminals are continuing to find ways to use counterfeit cards in countries that are not EMV compliant.” EAST members reported that those losses occurred in Argentina, Australia, Azerbaijan, Brazil, Canada, Dominican Republic, Egypt, Jordan, Hong Kong, Kenya, Lebanon, Malaysia, Mexico, Morocco, Peru, Philippines, Russia, South Africa, Thailand and the U.S.
European countries that have some machines that use fallback mode include Austria, Bulgaria, Finland, Germany, Italy, the Netherlands, Poland, Romania, Spain, and the U.K.
To combat the problem, banks affiliated with Visa have been slowly issuing cards with the EMV microchip but no magnetic stripe. So far banks in Austria, Belgium, Bulgaria, France, Germany, Italy, Netherlands and Switzerland have committed to issuing the new cards, according to Visa.
“As long as they have mag stripes, the criminals can still attack them,” Gunn said.
Send news tips and comments to jeremy_kirk@idg.com