'Mystifying and problematical': NAC's ATM skimming survey

Skimming is once again in the news after the National ATM Council issued a press release this week announcing its U.S. ATM skimming survey results.


Aspects of the press release are mystifying and fairly problematical for the industry. But the real news, as we'll see when we dig deeper into the facts, lies in the wealth of security best practices and security solutions available for protecting the industry against skimming.


The press release states, for example: "The survey results show 93 percent of the companies operating ATMs at retail locations throughout the U.S. have never experienced a credit card 'skimming' incident at their ATMs."


One problem with this statement is that it doesn't mention debit card skimming, even though the majority of ATM users transact with debit cards.


What is even more puzzling, though, is that the infographic accompanying the press release says, "93 percent of respondents have never found a skimmer on their ATMs".


The press release says 93 percent of respondents have never experienced a credit card skimming incident, but the infographic says 93 percent of respondents have never found a skimmer on their ATMs.


The fact that a skimmer has never been found on an ATM does not mean that a skimming incident has never occurred at that particular ATM.


So, which 93 percent is it — the 93 percent who have never had a skimming incident or the 93 percent who have never found a skimmer on their ATMs?


Some context is required for understanding what's happening in regard to skimming. Skimming — whether digital, analog or stereo — is a highly sophisticated kind of crime. Attacks can make use of a wide array of criminal devices — inlay, miniaturized, eavesdropping and external.


Furthermore, skimming devices usually are in operation for only a few hours before being removed by the criminal so as to prevent detection. They are attached and subsequently removed at lightning speeds.


So when the survey indicates that 62 percent of respondents check their ATMs at least once a week, I find that a very weak argument, indeed.


There are 168 hours in a week. If a machine is checked once a week, this means it is not being checked for 167 hours of that week.


Even if the machine is in a store that closes after hours, it's simply impossible for staff to continuously and effectively detect whether a skimming device might be attached to the ATMs, particularly if it's for short periods of time.


In addition to physical checks, we need other security solutions and best practices.


An additional problem with the press release is that there's no correlation between the results of the survey and the conclusion drawn in coverage of the press release in Digital Transaction News.


The article says, "The results confirm that card skimming is very limited at retail ATMs." One cannot infer — especially from the results of a rather small and narrow study — that 93 percent of respondents having never found a skimmer on their ATMs "confirms" that "card skimming is very limited at retail ATMs."


The conclusion simply does not follow from the premise. As I have argued: a) skimming devices used today can be very hard to detect, especially if they are miniaturized or internally placed; and b) devices are typically operational only for a limited time before being removed.


The emphatic claim that "card skimming is very limited at retail ATMs" is not proven or justified by the survey results alone. Even if checked weekly, ATMs go for long periods of time before being examined for the presence of skimming devices. Again, the fact that you've never seen a skimming device on a machine does not mean there has never been a skimming device on that machine.


My question is, where is the real and comprehensive data about skimming and compromises of debit and credit cards?


Unfortunately, the skimming survey press release has raised more questions than it has answered. In the meantime, with EMV migration underway in the United States, it's incredibly important that all ATM deployers read and apply updated best practices if they are to prevent ATM skimming or lower their risk of attack.


Earlier this year, ATMIA published "Preventing ATM Skimming and Card Data Compromise, Version 2," which brings members up to date with procedures for counteracting the latest criminal devices and methods used in ATM skimming attacks.


Applying security best practices and, where appropriate, using security solutions is the best approach to the ongoing problem of skimming. It's still the No. 1 threat to ATM security, as our annual global fraud surveys have shown for five years leading up to and including 2015.


The real news is that information about the prevention of ATM skimming is already freely available. Impressive anti-skimming solutions are available, besides. With skimming losses averaging $650 per card and running from $5,000 to $100,000 per incident, the cost of not applying best practices and protection can really hit the pocket.


In our 2015 global security survey, ATMIA asked respondents whether they thought the outlay and effort involved in EMV fraud prevention was ultimately worth it; 58.7 percent of them said it was.


That's a fact well worth remembering. Here's another: Together, our industry can fight this threat and win.

