Sunday, August 22, 2010

ATM Skimming: How effective are the security solutions, such as Jitter?

Fraudsters Already Know How to Bypass Security Solution

ATM skimming -- it is the fastest-growing electronic-fraud risk, according to the U.S. Secret Service, accounting for more than $1 billion in annual losses. And some industry experts estimate skimming-related losses to be as much as three times higher.

While the average skimming attack spans a timeframe of between one and two hours, losses per incident average $30,000, according to ADT Security Solutions, which provides anti-skimming solutions for the financial industry. ADT also estimates ATM skimming attacks cost financial institutions and their customers 10 times more than losses suffered during robberies.

Among the initiatives deployed to combat ATM skimming is jitter technology, which uses a stop-start, or jitter motion, when a card is inserted in the ATM. In theory, the irregular motion distorts the magnetic stripe details on the card, so if a skimming device has been placed on an ATM, the jitter feature makes the copied information unusable.

But some industry experts say that jitter technology is outdated and only partially effective - and that banking institutions need to be exploring new security solutions.

Jitter works on ATMs with motorized card readers -- ones in which the user inserts the card and then allows the reader to pull the card in, read the mag-stripe data and then push the card out. The technology is not effective on machines with dip readers, in which the user manually inserts and withdraws the card. "[Jitter] is easily defeated and has been," Schriber says.

As Gartner's Litan points out, even if jitter were unbreakable, it's a siloed solution - one that only addresses the ATM link in the payments chain. That kind of siloed approach to fraud prevention is no longer effective.

"Right now, a lot of financial institutions are only relying on jitter," Litan says. "Some of the bigger banks -- the big five, I'd say -- are just now working toward incorporating fraud detection at the ATM. It's kind of shocking that they did not have better fraud detection before now, but then again, up until recently, ATM fraud was manageable."

Multilayered Approach Needed

ANZ, as an extra measure of protection, has installed PIN shields on its ATMs to protect the PIN from capture. "Putting measures in place to protect both the card data and the PIN gives the best chance of stopping the fraud," Prestwood says.

Other techniques institutions might deploy in addition to jitter include:
  • Radio-frequency jamming, which uses an electromagnetic field to detect foreign objects placed or mounted on an ATM's fascia;
  • Camera surveillance, which can recognize when a foreign object is placed on an ATM;
  • Devices that sense vibration, such as when an ATM is drilled to attach a skimmer.
There is no single 'silver bullet' to overcome the increasingly serious skimming threat, in which criminals continually work to defeat vendors' evolving anti-skimming technologies. Therefore, a multilayered approach to ATM security is what we needed.

No comments: