As mag stripe cards are giving way to EMV-protected alternatives, cybercriminals are on a final cash grab using some technologically improved ATM card skimmers. Skimmers, thus far, do not work on chip-based transactions — but only 45-50 percent of U.S. card transactions are done via EMV as opposed to the mag stripe.
“ATM skimming is an over $2 billion problem globally,” Martin Bally, vice president and chief security officer at Diebold Nixdorf, told CNBC.
Skimmers are not a new problem, but the technology that powers them has markedly improved over time — previous incarnations were easy to spot with the naked eye, but newer versions are all but invisible.
“Now there’s a skimmer that is literally as thin as…a credit card. And it slides into the slot and down. It’s not even detectable,” said Chris Hadnagy, the CEO of Social-Engineer, a cybersecurity training company.
And not only are the skimmers getting harder to spot — they are becoming easier to access remotely, thanks to built-in Bluetooth capability.
“If you can get it in there [the ATM] and not be seen or found, you can walk up to the device later on, turn your phone on, connect to the Bluetooth wireless, download all the cards, act like you’re pumping some gas and leave, and they would never know that it was you,” Hadnagy said. “It calls to a server and downloads all the numbers to a file for them to obtain.”
Even more concerning, Hadnagy says the new devices take very little effort to install. He showed CNBC websites on the dark web which post instructions.
ATM manufacturers are working on new solutions to counter the threat. Diebold Nixdorf designed a machine which has you insert your card lengthwise instead of widthwise.
“The way we approach it is by changing the direction and way and how we read the magnetic strip on the card. And that simple change has been able to defeat all static skimming devices,” Diebold Nixdorf’s Bally said.
There are currently 7,000 ATMs using the technology around the globe. At this time, skimmers only work on cards inserted the normal way.
But give the cybercriminals time — they usually come up with something.