ATMs are becoming fatter targets for bad guys

The number of attacks on debit cards used at ATMs recently reached at least a 20-year high, according to data from Fair Isaac Corp. (FICO), the company behind the well-known FICO credit score.

It found that debit-card compromises at ATMs on bank property surged 174 percent from Jan. 1 to April 9, while attacks on nonbank machines leaped by 317 percent during the same period. Most of these thefts result from a process known as skimming, in which criminals attach devices to the cash machines to steal account information encoded on a card's magnetic stripe.

According to David Tente of the ATM Industry Association, the fraudsters are using more technologically sophisticated skimmers. "The devices have gotten a lot smaller," he said. "They can be very hard to detect when they are there."

Skimming has long been a security challenge for the industry, but it's becoming more of problem even as MasterCard (MA) and Visa (V) push for the adoption of chip-based card-security technology, dubbed EMV, over the next few years.

"They have put in place a new technology standard, which includes both the use of the chip ... as well as a whole series of protocols on how the transaction should occur between an ATM or a point-of-sale terminal and the credit card processing network," Owen Wild, director of security marketing at NCR, told CBS MoneyWatch.

"Inherently, this technology process is far more secure than the current process," said Wild. But he added that the Fair Isaac data was consistent with what his company was seeing.

Larger banks are further along in deploying EMV, which stands for the main credit card processors (Eurocard, MasterCard and Visa), though the technology isn't available everywhere. EMV makes it harder for crooks to create fake debit cards, which is something they often do with skimming machines. NCR issued a security alert to its customers on July 23 about the issue.

Starting on Oct. 1, 2016, for MasterCard and on the same day a year later for Visa, the card issuers will no longer automatically assume liability in cases of fraudulent transactions. In most cases, that means the ATM operator will be assuming the liability.

EMV, though, isn't a magic bullet that will solve the industry's security woes.

Diebold chief innovation officer Frank Natoli told CBS MoneyWatch in an email, "Diebold has always believed that while EMV is a great technology, the continued presence of the magnetic stripe on the card leaves customers vulnerable to skimming attacks."

Indeed, NCR's Wild expects the magnetic stripe to remain in use for at least the next decade even as EMV chips are deployed. The U.S. has about 425,000 ATMs, but only 15 percent to 20 percent of them are processing EMV transactions, and few debit cards with the chips have been issued so far.

"The card issuers are going to want to have the dual capabilities," said Wild, "because their object is to have that card used in as many transaction points as possible."

  • Jonathan Berr On Twitter»

    Jonathan Berr is an award-winning journalist and podcaster based in New Jersey whose main focus is on business and economic issues.