• United States



Contributing Columnist

How to protect yourself from ATM crime

Mar 27, 20179 mins
MobileSecuritySmall and Medium Business

Banks like Wells Fargo are rolling out much better ATM security. Here's why it won't stop ATM theft.

06 bank accounts atm
Credit: Thinkstock

The ATM card is dead. Or is it?

Starting Monday, all 13,000 Wells Fargo ATMs will enable you to withdraw money without using your card, according to Jonathan Velline, head of Wells Fargo ATM and branch strategy.

It works like this: Open the Wells Fargo app on your phone. Tap a button in the app for a temporary eight-digit code. Then enter the code, followed by your PIN, to access your account.

Wells Fargo is the first major U.S. bank to offer app-based access to all of its ATMs.

Citigroup, Chase and Bank of America and others are working on similar ATM functions, with only some machines already upgraded.

Later this year, it gets even better. Wells Fargo will activate ATM near-field communication (NFC) readers, enabling you to use Apple Pay, Android Pay, Samsung Pay or the bank’s own Wells Fargo Wallet, for gaining ATM access. Just walk up to the ATM, tap the phone on the reader while holding your finger on your phone’s fingerprint scanner, and the ATM will prompt you for the PIN. Once entered, you get access as if you had used your ATM card.

The NFC feature won’t be universally available until at least late next year. The NFC readers are already built into some 40% of Wells Fargo ATMs, according to Velline, and additional installations will continue through next year.

Not carrying a card means your card can’t be used by crooks to steal money from you. And that improves your security.

The downside of not carrying cards is that you won’t be able to gain entrance to the ATMs that are behind a door that you can unlock only with a card. (Velline told me that the bank is testing solutions for no-card access to these ATMs, but has nothing to announce yet.)

Why ATM theft is such a big deal

One way crooks steal money is by using an ATM to steal from the bank. It’s good old-fashioned bank robbery, but with a modern twist.

These approaches include the Russian way (malware that instructs the ATM to dispense cash when a certain code is entered) and the American way (pulling up to a gas station ATM in your pickup truck, tying a steel cable around the ATM and driving away, dragging it behind your truck).

ATM bank robbery is the banks’ problem. You have to worry about your own bank account being drained by sophisticated ATM thieves.

One of the oldest ATM card-theft tricks is the creation and installation of fake ATM interfaces, complete with keypad and card scanner. They’re called ATM skimmers. These are mounted by criminals on top of the real ATM interface. When someone tries to use the ATM, the crooks copy the data from the card and record the PIN entered on the fake keypad.

Here’s a security video of a skimmer being installed at an ATM in New Jersey.

This particular crime has been around for years, and it’s growing fast.

The FICO Card Alert Service says the number of ATMs with compromised security increased sixfold in 2015 over the previous year.

The biggest recent innovation in the world of ATM insecurity comes in the form of pinhole “spy” cameras. While a skimmer copies the data on the card, the camera records video of the bank customer entering his or her PIN. Later, the crooks can make a fake duplicate card, and use the PIN they saw entered on the video.

This is a better solution than fabricating a mock keypad, because the equipment is smaller and less difficult to build. Victims use the actual ATM keypad, instead of a fake one. Only the card skimmer is fake.

This method has mostly replaced the old approach of fabricating a phony keypad. Already some 90% of skimmers found now use pinhole cameras, according to Verizon.

The London police do a great job raising public awareness about various types of theft and what people can do about it. The department’s official Twitter account tweets photos of new ATM scams they discovered, such as this and this. The department is trying to get people into the habit of covering their fingers while entering their ATM PIN, just in case there’s a hidden camera watching. They use the hashtag #CoverYourPin.

These pictures reveal that ATM-installed pinhole cameras are almost impossible to spot.

Security experts say you should look for signs of tampering, such as broken, scratched or loose fixtures, before using an ATM.

The New York Police Department says crooks often install card-skimming electronics on one machine, then damage nearby machines to force customers to use the compromised one. They warn that customers should avoid using an ATM if it’s one of several and the others are out of service.

In fact, the evolution of ATM skimmers tracks the same trends in consumer technology — thinner, smaller and more mobile.

That’s why the advice to look for ATM tampering works only for the “traditional” skimmers that duplicate ATM interface elements.

The newest threat is something ATM maker NCR calls “deep insert skimmers.” Instead of an elaborate fake ATM interface placed on top of the ATM, “deep insert skimmers” go inside the scanning mechanism where they can’t be seen, and where they don’t interfere with the functioning of the ATM’s card scanner.

The first “deep insert skimmers” couldn’t be removed from ATM card readers. They were installed permanently, and some wirelessly transmitted card data to a nearby pinhole camera. After leaving the skimmer in operation for a few days, the thief would retrieve only the camera, along with its card data and video of PIN entry.

The most sophisticated “deep insert skimmers” use magnets that snap into place inside ATM card scanners. They retain their own data and can be removed after harvesting ATM card data.

Used with pinhole cameras, they’re very close to being undetectable.

Here’s video of a “deep insert skimmer” being demonstrated by an ATM thief.

You’ll note that all this skimming activity involves magnetic-strip cards. We now have chip-based cards, which are supposed to improve security.

The U.S. chip standard is called EMV, which are the initials of the three companies that created it: Europay, MasterCard and Visa. EMV cards are also backed by JCB, American Express, China UnionPay and Discover. Visa has given banks until October to support EMV cards at ATMs.

Sadly, there’s an emerging version of ATM skimming for EMV cards called “shimming.” This kind of theft is hard and rare, so it’s not a major threat yet.

Worse, most cards that use chips still require the magnetic strip that’s so easy to scan. And most ATMs that support chips will require cards with magnetic strips, even if they read the chip for data.

Isn’t ATM skimming over now that we have cardless access?

It would be tempting to assume that fingerprint-protected, NFC-based authentication would end ATM crime. Unfortunately, that’s not going to happen, and for three reasons.

1. Unsecure ATM methods aren’t going away

Sadly, newer and better security schemes don’t improve security if they are deployed in addition to the old ones, rather than as a replacement for them.

For example, fingerprint access to a phone is more secure than a four-digit PIN, but it’s not more secure than both fingerprint access and a four-digit PIN. The PIN access is still there.

Banks like Wells Fargo are not in a position to force customers to give up unsecure banking habits. They add new methods without canceling the old ones. To illustrate this, Velline told me that Wells Fargo has 20 million mobile app users. But it has 70 million customers. That means 50 million Wells Fargo customers aren’t even using an app.

The new use of temporary codes for ATM access is more secure. But all the less secure methods are still in place.

Banks will have customers with ATM card access, mobile app access or both. The banks will support ATM card access via cards that have chips, magnetic strips or both. They’ll support mobile app-based access that uses passwords, fingerprints or both. And once the app is accessed, the ATMs will dispense cash to customers who choose an app-generated numeric code, NFC unlocking, or both.

In other words…

2. People are lazy about security

Banks have to give customers what they want. That leaves security ultimately in the hands of consumers, who generally don’t care or know about security (until they become victims of theft or fraud).

For example, if Wells Fargo customers wanted to maximize ATM security after Monday, they would put their ATM card in a safe place and never carry it. They would change their Wells Fargo app password to a very strong password using a good password manager, then never use it, opting instead for fingerprint access to the app. Then, at the ATM, they’d use the new eight-digit code option.

But I’d bet that most customers will keep carrying their ATM cards, keep their unsecure app passwords, and even keep using the card at the ATM out of habit.

Users are almost always the weakest link in any security chain.

3. Cash is still king

Bank websites and mobile apps support nearly every banking function, including check deposits (via smartphone pictures of checks).

The only reason to visit an ATM at all is to withdraw or deposit cash.

Cash is ideal for privacy, because transactions leave no digital record. But it’s lousy for security because it can be stolen — and also because it inspires people to use ATMs.

The good news

The bad news is that ATM crime will continue unabated, with criminals updating their methods as new technologies arise.

The good news is that you can protect yourself. Avoid using cash and ATMs. Update your password to a very secure one. Use fingerprint access to your banking app. Take advantage of your bank’s latest ATM security. Never carry or use your ATM card (unless you need it as a debit card). And always check your transactions on your bank’s app or website — and ask the bank about anything suspicious.

If all of that fails, you should also know about the existence of a law called the Electronic Fund Transfer Act, which requires banks to reimburse you for any losses resulting from this kind of ATM crime. You have to report the theft within 60 days, or the law doesn’t apply.

Thanks to new technology, anyone can do banking securely.

They won’t. But they can.

And so can you.