Fraud involving debit cards and personal-identification numbers is on the rise as criminals go where the cash is—even targeting banks' own automated teller machines.
Techniques such as "skimming," in which criminals capture card information and personal-identification numbers, have existed for years, often on a small scale. Though the dollar losses still are relatively modest, organized gangs now are pulling off more-sophisticated attacks.
They also are targeting bigger players: Whereas most of the fraud in previous years took place at independent ATMs or at retail points of sale, fraud at bank-owned ATMs made up more than 80% of the breaches in the first six months of this year, says Fair Isaac, which provides fraud-detection software.
Europe, which has faced a bigger problem than the U.S., saw card-skimming ATM attacks jump 24% in the first six months of this year, to 5,743, the largest six-month number since data-gathering began in 2004, according to the European ATM Security Team, a nonprofit group. (Losses from skimming fell 8%, to €144 million, or $197 million.)
Attacks on retailers continue to climb as well. Last month, supermarket chain Aldi said it had discovered that payment terminals in major U.S. cities in 11 states had been altered to allow the skimming of card numbers, cardholder names and PINs between June 1 and Aug. 31 this year.
Avivah Litan, fraud analyst at Gartner, a research firm, estimates that fraud involving debit cards, PINs and point-of-sale equipment has surged 400% over the past five years. One tactic, she says, has been "flash attacks": Using the stolen information, gangs create thousands of counterfeit debit cards and then dispatch cronies to at least 100 ATMs in several cities at once. Each withdraws a small dollar amount from several accounts to avoid fraud-detection software, adding up to tens of thousands of dollars in losses.
Until recently, skimming equipment was relatively crude and clunky, attached to card-readers with double-stick foam tape and relying on small cameras to record hands punching in PINs. Newer devices include equipment that fits inside card readers, pinhead-sized cameras and well-crafted attachments that sit snugly on top of ATM card readers and PIN pads, looking just like the real equipment. Bluetooth technology allows the fake card reader and PIN pad to talk to each other, and data drives or wireless technology can make downloading of stolen information quick and easy.
Given such clever engineering, consumers may not be able to tell that a machine has been compromised. Banks may not know either: Fair Isaac says that perpetrators of such fraud often place skimmers on outdoor ATMs on Saturday mornings and remove them before the bank opens Monday. The data is typically passed to crooks in another country within hours.
Better technologies are available: Canada and several European countries, among others, have adopted so-called chip-and-PIN debit cards, with chips built into the card, adding a layer of protection. But American banks and retailers have resisted adopting the technology because it is expensive to replace cards, ATMs and point-of-sale machines.
The chip-and-PIN technology isn't foolproof, and experts say U.S. banks and retailers may instead leapfrog that technology, possibly by using the capabilities of smartphones to verify transactions or to actually make the transactions instead of using a card.
Given scammers' growing sophistication, consumers are at a disadvantage. But there are some steps you can take—beyond becoming an expert in equipment design and appearance—to avoid the traps or lessen the impact if your information is stolen:
• The simplest protection, says the American Bankers Association, is to get in the habit of covering up your hand when you enter your PIN so that a camera can't record what you are typing.
• Use an indoor ATM. Because they are less isolated, indoor ATMs are less likely to be tampered with than outdoor machines.
• Use your PIN sparingly at retailers, and choose the signature option—or a credit card—instead, Ms. Litan says.
• If you don't have time to check your bank account regularly, set up email or text alerts to send you balances weekly or, if you are particularly paranoid, daily, so that you will know sooner if something is amiss. Most banks will refund your losses promptly, but you need to report the violation quickly, preferably within two days and no later than 60 days after receiving a statement showing the fraud.
• You should add your bank's and credit card's customer-service numbers to your contacts so you can access them from both your email and cellphone. Having the numbers at hand will eliminate the frustration of trying to find them when you are traveling or at a public computer.
• If your bank suspects fraud, it needs to be able to reach you quickly. Make sure it has your cellphone number as well as your email address and that your other information is up to date. Taking my own advice, I discovered that my bank had home and work phone numbers that were more than a decade out of date.
— karen.blumenthal@wsj.com