ATM Skimming Attacks Continue Worldwide

Latest European fraud update finds that card skimming-related losses were reported in 45 countries.

March 22, 2017

EDINBURGH, Scotland – The European ATM Security Team (EAST) published its latest European Fraud Update for 2017, based on country crime updates provided by representatives of 19 countries in the Single Euro Payments Area (SEPA), and 5 non-SEPA countries, at the 41st EAST meeting held in Oslo, Norway on February 8, 2017.

Card skimming at ATMs was reported by 18 countries. The usage of M3 – Card Reader Internal Skimming devices continues, which is a type of device placed at various locations inside the motorized card reader behind the shutter. Five countries reported such attacks.

International skimming related losses were reported in 45 countries and territories outside of the SEPA and in 9 within SEPA. The top three locations where such losses were reported remain the United States, Indonesia and India.

Skimming attacks on other terminal types were reported by eight countries and four countries reported such attacks on unattended payment terminals (UPTs) at retail fueling stations. One country reported the use of an M3 – Card Reader Internal Skimming Device at a public transport ticket machine, the first time this has been seen.

One country reported a new form of crime, “Cash-in” or “Cash Deposit” fraud, where the criminals deposit fake banknotes into ATMs (where the cash deposit function is available) and then credit their cards or other accounts.

ATM malware and logical security attacks were reported by eight countries all involving the usage (or attempted usage) of black-box devices to allow the unauthorized dispensing of cash. EAST has recently published seven related ATM Fraud Alerts. To help counter such attacks, Europol published Guidance and Recommendations regarding Logical attacks on ATMs.

Ram raids and ATM burglary were reported by nine countries, and nine countries reported explosive gas attacks. The use of solid explosives continues to spread and seven countries reported such attacks.

Payment fraud issues were reported by five countries, while one country reported an increase in both vishing and phishing attacks and another reported criminal abuse of the chargeback system.

NACS has many resources available online related to skimming and payments security.