Checkmate, Skimming | Diebold Nixdorf Blog


Regardless of where you are in the world or in what language it’s spoken, most people recognize checkmate as a word that signals the end. In chess, the end of an opponent’s king. The impending end of the game.

Checkmate is so powerful a concept that it’s long been emulated in the business world. Why? Because it’s an offensive strategy. An attack against an opponent. Or a competitor. And, inherently, it’s proactive: An action taken to prevent or thwart something or someone.

Could we apply this philosophy to the world’s biggest threat to security at the ATM? Is it possible that we could effectively checkmate skimming?

To answer that question, let’s first take a look at the current state of the skimming threat.

Skimming attacks continue to grow – at an alarming rate.

Skimming remains, without question, the biggest threat to ATMs globally. And although awareness of the threat is greater than ever before, the incidence of skimming continues to grow. In fact, in an April 2016 update from FICO Card Alert Service, data showed a 546-percent increase in ATM skimming attacks in the United States from 2014 to 2015. The European ATM Security Team (EAST) also revealed an increase, albeit a more modest one. In Europe, attacks increased by 19 percent during the same period, equating to more than 327 million Euros in losses. Places like Thailand, Indonesia, the Dominican Republic, Cambodia and Brazil also continued to be troubled by skimming attacks.

If those numbers aren’t enough to convince you the skimming threat remains a critical security concern, consider this: Perpetrators of skimming crimes have become far less discriminating with their attacks. While in previous years skimming was concentrated in major metropolitan areas with larger financial institution targets, both U.S. and European data show the attacks are dispersing geographically. Why?

Because skimming technology is far more accessible. And advances in the technology have made it more advantageous to hit a larger number of targets for shorter periods of time.

The means and methods of skimming have become more sophisticated, and it’s harder to catch the perpetrators.

As advancements have improved consumer technologies like mobile phones and computers, you’ve probably noticed that these devices have become smaller and smaller. This trend, known as miniaturization, has also increased the sophistication of skimming. Devices used to read magnetic stripes are now minuscule when compared to their predecessors. And tiny, almost undetectable cameras can now be used to record PIN entry. As the technology becomes more and more miniature, it is much easier to deploy. And much harder to expose.

At the same time, advancements like Bluetooth technology have enabled the remote retrieval of data collected at attack sites. Why is this important? Because would-be criminals no longer have to return to the scene of the crime to collect their bounties. The information they need is remotely transmitted. This eliminates the possibility of detecting and removing devices before data is retrieved, as well as apprehending suspects when they return to make their collection.

These technology trends have converged to create a new threat known as deep-insert skimming. Such attacks occur when a device is inserted through the mouth of the card reader and is retained – because of its small dimensions – inside the card reader. There, it skims the magnetic stripes of all cards subsequently inserted into the reader. At the same time, a tiny camera is attached somewhere on the fascia of the ATM – or even in the environment around the ATM – to give the attacker a clear line of sight to the PIN pad. Both magnetic stripe data and video of PIN entry can be remotely transmitted to the attacker and, ultimately, combined for sale in bulk or used to encode cards to enable redemption fraud.

The default approach to combatting skimming may work on deep-insert attacks, but for how long?

Financial institutions typically employ iterative strategies to combat skimming: applying upgrades, new features or “fixes” to their existing technology after a new type of threat is detected. Such an approach – a defensive approach – may keep you above the fray temporarily, but a reactive strategy still leaves you vulnerable. Once an FI is targeted, it becomes trapped in a cycle of reacting, remediating and managing restitution. The reality is that for financial institutions that don’t take a more proactive, aggressive approach – a checkmate approach – it’s no longer a question of if they will fall prey. It’s a matter of when.

There is a checkmate solution – Diebold ActivEdge™ Secure Card Reader.

Early this decade, as we studied the evolving threats, Diebold anticipated that to thwart miniaturization, remoting and other up-and-coming means of skimming, we’d need to create even more aggressive ATM security solutions. In 2014, we introduced ActivEdge, an innovative card reader that remains the only single solution in the world that can completely mitigate today’s skimming.

FIs often ask me how that can be true. Some have even been told by industry insiders that it’s impossible that ActivEdge can mitigate all known skimming. But ActivEdge is truly a checkmate solution in that it can thwart – or put an end to – every modern type of skimming. And that includes deep-insert skimming.

How? By incorporating two core changes to the card reader. First, rotating to long-edge card insertion, making it impossible for today’s skimmers to read the magnetic stripe from end to end. And second, utilizing a moving, encrypting read head that prevents criminal modification to the card reader. These changes are enhanced by encrypted communication to the CPU, a locking gate to combat card trapping, and pairing of the reader with a specific terminal to prevent the installation of fraudulent devices. And we continue to explore and evolve our technology – and invent new solutions – to stay ahead of the next type of attack.

Make a move to thwart skimming.

In chess, once your opponent captures your king, it’s impossible to escape. The same applies to skimming. Once you’ve been attacked, there’s no way to undo the damage. Skimming is costly – the average skim results in $50,000 in losses. And those losses don’t account for the long-term impact on consumer trust. You can choose to focus on the aftermath, or you can mitigate the threat. What will be your next move?

It is possible to checkmate skimming. Let’s start a conversation about how Diebold’s ActivEdge can help.