It is quite difficult to prevent crimes like the Melbourne ANZ card skimming attacks on the bank’s ATM network. The weakest point of attack is usually people (i.e., users) and their habits.
The user of the ATM may not carefully check the slot where the card is inserted, the ATM may be located indoors, in a spot with poor lighting, or it may be used after hours when it’s relatively dark. In all these cases it is possible not to notice the “fake slot” that the skimmers use.
Typically, the attackers record the information on the magnetic stripe of the ATM card and may use mobile phone cameras to record the user’s PIN. They then create a fake card and use it to withdraw money illegally.
Another form of skimming happens at restaurants and shops, where your card is swiped a second time through an illegal device, while the friendly assistant pays special attention to the PIN you enter into the keypad of the genuine EFTPOS/ATM terminal.
It is then up to the software the banks run to detect that something is amiss, such as unusually large transactions from the same account, unusual locations where an ATM card has not been used before, etc. The banks use sophisticated algorithms to detect anomalies in user population behaviour and, by definition, the anomalies have to be large enough to be detectable, by which time a lot of money may have already been stolen. 5000 users, as reported in this story, is not that many, given the huge numbers that use ATMs every day.
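To make the detection problem concrete, here is an added example (not from the article, and not any bank’s fraud engine) of the three signals just named, run over a constructed set of ATM withdrawals: an amount far above the account’s historical mean, a location the account has never used, and too many withdrawals in a short window. The transaction data, thresholds and rule names are all assumptions made for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample withdrawals: (account, timestamp, amount in AUD, location).
# The first three rows for ACC-1 are "normal" history; the 02:xx rows mimic
# cash-out behaviour from a cloned card used in another city.
TRANSACTIONS = [
    ("ACC-1", "2009-03-02 09:10", 100.0, "Melbourne CBD"),
    ("ACC-1", "2009-03-02 12:30", 60.0, "Melbourne CBD"),
    ("ACC-1", "2009-03-03 18:05", 200.0, "Richmond"),
    ("ACC-1", "2009-03-04 02:14", 900.0, "Sydney"),
    ("ACC-1", "2009-03-04 02:20", 900.0, "Sydney"),
    ("ACC-1", "2009-03-04 02:27", 900.0, "Sydney"),
    ("ACC-2", "2009-03-04 08:00", 50.0, "Geelong"),
]


def flag_anomalies(transactions, amount_factor=3.0, max_in_window=2,
                   window=timedelta(minutes=30), min_history=2):
    """Replay transactions in time order, building a per-account profile as we go,
    and return (account, timestamp, reasons) for every withdrawal that trips a rule.

    Rules (all thresholds are illustrative assumptions):
      amount       - amount exceeds amount_factor times the account's mean so far
      new_location - location never seen for this account before
      velocity     - more than max_in_window withdrawals inside `window`
    """
    history = defaultdict(list)  # account -> [(time, amount, location), ...] already seen
    flagged = []
    for account, ts, amount, location in sorted(transactions, key=lambda t: t[1]):
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        past = history[account]
        reasons = []
        # Profile-based rules only fire once we have some history to compare against,
        # otherwise every new customer would be "anomalous".
        if len(past) >= min_history:
            mean_amount = sum(a for _, a, _ in past) / len(past)
            if amount > amount_factor * mean_amount:
                reasons.append("amount")
            if location not in {loc for _, _, loc in past}:
                reasons.append("new_location")
        recent = [t for t, _, _ in past if when - t <= window]
        if len(recent) + 1 > max_in_window:
            reasons.append("velocity")
        if reasons:
            flagged.append((account, ts, reasons))
        past.append((when, amount, location))
    return flagged


if __name__ == "__main__":
    for account, ts, reasons in flag_anomalies(TRANSACTIONS):
        print(f"{account} {ts}: {', '.join(reasons)}")
```

Two things the output makes visible that the prose only states: the genuine trip to Richmond is flagged on the new-location rule alone (a false positive a bank has to tolerate or weight down), and the second Sydney withdrawal slips through entirely, because by then the profile has absorbed the first large one and the velocity window has not yet filled; the fraud is only unmistakable by the third withdrawal, after $2700 has left the account.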
If you like, think of the PIN as the “seed” that is used to generate a much longer “password” (really a pseudorandom binary string) which is transmitted via the ATM network. The PIN has to be short, and cannot be time-varying, otherwise we wouldn’t remember it, so it is enough for the attacker to associate the PIN with the information on the magnetic stripe.
Technical countermeasures exist, but are quite expensive to roll out. Australia has been a bit slow compared to some other locations.
One countermeasure is the three-digit number (CVV code) on the back of the card, which is requested in online transactions and gives evidence that you are indeed in possession of the genuine card and not a machine-generated fake card. Of course PINs may also be requested to make this even stronger. On the Internet, there would be encryption as well, to protect important information such as account numbers, passwords, etc.
It is possible to use holograms and other (expensive) technology, and special ATMs (again more expensive) which detect genuine cards. Think of the three-digit number now being much longer and embedded in a hologram which is read by a sophisticated optical detector in the ATM.
Some online banking systems provide the option of sending a user a one-time password (typically to your mobile via SMS) over a so-called “out of band” channel before they will accept the online transaction as valid. So if someone made a fake card, they’d also need your phone to perform transactions.
Some overseas banks provide the user with a “SecurID” token, which displays a pseudorandom sequence of digits, changing maybe every minute or so, and you are also required to enter that number in addition to your PIN. If you lose that little piece of hardware, it has to be replaced at some cost.
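The two schemes in the previous paragraphs share one idea: the bank checks something that the cloned card and the shoulder-surfed PIN do not give the attacker. This added example (my illustration, not code from the article or from any bank or token vendor) shows both in miniature. The SMS-style challenge store is a hypothetical server-side class; the time-based token uses the open RFC 6238 TOTP construction, assumed here as a stand-in for the token’s proprietary algorithm, which the article does not describe. The 60-second step, the six-digit length and the test key are assumptions.

```python
import hashlib
import hmac
import secrets
import struct
import time


class OtpChallenge:
    """Hypothetical server-side store for out-of-band one-time passwords.

    A code is bound to one transaction, expires after `ttl_seconds`, and is
    consumed on the first verification attempt whether or not it matched, so
    an attacker cannot keep guessing against the same code.
    """

    def __init__(self, ttl_seconds=300, digits=6):
        self.ttl = ttl_seconds
        self.digits = digits
        self.pending = {}  # transaction_id -> (code, expiry time)

    def issue(self, transaction_id, now):
        # secrets.randbelow gives a CSPRNG code; zero-pad so "000123" is valid.
        code = f"{secrets.randbelow(10 ** self.digits):0{self.digits}d}"
        self.pending[transaction_id] = (code, now + self.ttl)
        return code  # delivered out of band (SMS), never echoed into the web session

    def verify(self, transaction_id, submitted, now):
        entry = self.pending.pop(transaction_id, None)  # single use
        if entry is None:
            return False
        code, expiry = entry
        if now > expiry:
            return False
        return hmac.compare_digest(code, submitted)  # constant-time comparison


def totp(secret: bytes, now: int, step: int = 60, digits: int = 6) -> str:
    """RFC 6238 time-based code: HMAC-SHA1 over the time-step counter, then
    dynamic truncation (RFC 4226) down to `digits` decimal digits."""
    counter = now // step
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % 10 ** digits:0{digits}d}"


def verify_totp(secret: bytes, submitted: str, now: int, step: int = 60,
                digits: int = 6, drift: int = 1) -> bool:
    """Accept the code for the current step and `drift` steps either side, to
    tolerate clock skew between the token and the bank's server."""
    return any(
        hmac.compare_digest(totp(secret, now + k * step, step, digits), submitted)
        for k in range(-drift, drift + 1)
    )


if __name__ == "__main__":
    store = OtpChallenge()
    now = int(time.time())
    code = store.issue("txn-42", now)          # would go out by SMS
    print("SMS code accepted:", store.verify("txn-42", code, now + 30))
    print("replay accepted:  ", store.verify("txn-42", code, now + 31))  # False

    token_seed = b"12345678901234567890"        # assumed shared seed, test value only
    shown = totp(token_seed, now)               # what the token would display
    print("token code accepted:", verify_totp(token_seed, shown, now + 20))
```

The cost side the article mentions shows up in the code too: the SMS scheme needs a live out-of-band channel for every transaction, and the token scheme needs a per-customer seed provisioned into hardware and a server that tolerates clock drift without opening the acceptance window so wide that an observed code stays useful for long.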
All technical and operational countermeasures cost real dollars, can be onerous on some members of the public (imagine entering a different PIN/password combination each time you use an ATM) and, as long as fraud does not get too prevalent, the banks are probably ahead. After all, in some cases they charge you to use the ATM network. If it were widely considered that ATMs are insecure, people would start using the bank tellers and they’d need to hire more people.
What follows is a Commonwealth Bank directive to staff on how to identify card skimming devices; read it in full here.
Facts on ATM skimming attacks:
- Criminals tend to attach skimming devices either late at night or early in the morning, and during periods of low traffic.
- Skimming devices are usually attached for a few hours only.
- Criminals install equipment on at least 2 regions of an ATM to steal both the ATM card number and the PIN.
- Criminals then sit nearby receiving the information transmitted wirelessly via the devices (installed on the ATM).
What can you do to mitigate the risk of a skimming attack?
- Get to know the appearance of your ATM.
- Inspect the front of the ATM for unusual or non-standard appearance. Scratches, marks, adhesive or tape residues could be indicators of tampering. The inspection should be part of your morning external check and afternoon closing procedure. Where possible, inspections should also be conducted during trading hours.
- Familiarise yourself with the look and feel of your ATM fascia. Particularly pay attention to all of the touch and action points. (e.g. keypad, customer card entry slot, lighting diffusers)