Giovanni JamesRegional Legal AdviserAsset Recovery UnitRegional
Security SystemFusion CentreParagon, Christ ChurchBarbados
ATM Skimming: A Serious And Growing Problem In The Caribbean
1
What Is ATM Card Skimming??A method used by criminals to capture
data from the magnetic stripe on the back of an ATM card.Devices
used are smaller than a deck of cards and are often fastened in
close proximity to, or over the top of the ATMs factory-installed
card reader.ATM skimming is a world-wide problem.
In 2010 Retail Banking Research Limited estimated 1.7 million
global ATMs.
There are about 49 billion annual worldwide ATM cash
withdrawals.
The US Secret Service estimates that annual losses from ATM
skimming in the USA totals about US $1 billion each year; about US
$350,000 a day.
Cybercrime now generates over US $1 trillion a year for
cybercriminals. It now brings in more money than the drugtrade.
Did you Know?
The USA and the Caribbean are considered soft targets.
Almost every Caribbean Island has been affected by Card Skimming
in varying degrees; with combined losses estimated to be in the
millions.
Organised crime groups love ATMs
Skimming devices illegally record account data from the magnetic
stripe of a credit or debit card.
PIN numbers are usually capture using hidden devices such as
mini cameras, keypad overlays or audio recording devices.
The average cardholder has no knowledge that the skimming device
is there because it does not interfere with the operation of the
ATM.
The data is typically stored in the memory of the skimmer and is
downloaded to a PC where it can be used to make fake cards.
Skimming
Other methods of card skimming include:
Hidden Card Reader
Petrol station pumps where cards are accepted
Point of sale machines
Contactless Smart card readers
ATM Skimming Hardware
Round-shaped Skimming Device with double-sided tape
ATM Skimming Devices with Internal Batteries
ATM Pin Hole Cameras with Micro SD Memory Card Slot
Brochure holder Pin Hole Camera
ATM PIN capture overlay device pulled back to reveal the
legitimate PIN entry pad.
Bluetooth-enabled gas pump skimmer.
Sophisticated ATM Skimmer Transmits Stolen Data Via Text
Message
Many security-savvy persons have learned to be vigilant against
ATM card skimmers and hidden devices that can record you entering
your PIN at the cash machine. Experts say an increasing form of ATM
fraud involves the use of simple devices capable of snatching cash
and ATM cards from unsuspected users.
Claw-like card & cash trap ATM devices
Card reader/writer
Adapted 2 Pin USB Charging Cable
Two network cable card skimming devices, as found attached to
this ATM.
Pro-Grade Point-of-Sale Skimmer
Chip Card ATM Shimmer: Fraud experts in Mexico have discovered
an unusual ATM skimming device that can be inserted into the mouth
of the cash machines card acceptance slot and used to read data
directly off of chip-enabled credit or debit cards. The device is a
type of skimmer known as a shimmer, so named because it acts as a
shim that sits between the chip on the card and the chip reader in
the ATM recording the data on the chip as it is read by the
ATM.
Skimming devices have the same appearance as genuine
fixtures.The average skimming attack is a short-term
occurrence.Usually an hour or two. Maximum period of skimming
attack on an ATM is usually 24 hours.In a 1-2 hour period,
criminals can accumulate an average of US $33,000 per
incident.Skimming usually done at peak transaction times. Skimming
is a migratory crime.
Facts About ATM Skimming
Information Downloaded
Sale of information
Card Not Present transactions
Cloning of cards
Harvesting
What happens to the information on skimming devices?
Most of the Caribbean region has not fully migrated to the EMV
system thus making the region a soft target for ATM Skimming.
Estimate of millions in losses from harvesting of skimmed cards,
replacement of skimmed cards and improved security measures.
Significant soft costs incurred by FI Risk-Security staff.
Damage to reputation of ATM deployers.
Loss of business.
Fines from the card networks.
Potential lawsuits.
Non-EMV compliant banks will not be refunded by card networks
for loses from ATM fraud.
Effects of Card Skimming on the Financial Sector
Players are usually involved in Card-Not-Present fraud or
cross-border counterfeit fraud (particularly ATM fraud).
Origin of major card skimmers identified in the region:
1. Eastern Europe- Bulgaria and Romania* 2. Chinese* 3. African-
Nigeria* 4. UK 5. USA 6. South America* 7. Locals / Residents *
-Most prevalent
Who are the major skimmers in our region??
Marked increase in the number of foreign nationals travelling
through the region with Skimming equipment.
Both local and foreign accounts are affected.
Skimmers move from one Caribbean country to the next skimming
and harvesting.
Skimmers connected to international criminal gangs,
Skimmers travel under the disguise of vacation, alone or in
small groups to various islands in the Caribbean, sometimes with
families to hide their true intent.
Skimmers connected to money laundering, drugs, guns, identity
and document fraud e.g. fraudulent passports.
Recent ATM Skimming trends in the Caribbean
Recent monitoring and arrests in the Caribbean region have
revealed the following criminal connections and associations to
card skimming:
Money invested in the wholesale purchase of drugs.
Money used to purchase firearms which are supplied to gang
members.
Increase in money laundering.
Purchase of high end goods for self-use or resale.
Skimmers belong to organised criminal gangs associated with
drugs, arms dealing, human trafficking to name a few.
Migration of international criminal gangs to our region for ATM
skimming introduces into local culture new criminal enterprise
which State agencies are not equipped to deal with.
Connections and Associations to ATM skimming
With the ever increasing problem of ATM skimming and cybercrime
in the region and the associated crimes for example, money
laundering, drug trafficking, arms trafficking to name a few,
countries should consider the inclusion of these types of crimes
(skimming and cybercrime) in their National Risk Assessment.
Almost every ATM skimming case will have a component of money
laundering.
The identification of ATM/payment card crime as a risk should
lead to countries/territories identifying their deficiencies in
legislation and training.
Identification of these risks should assist
countries/territories in addressing these deficiencies in their
National Action Plan.National Risk Assessment ATM Skimming &
Cybercrime
RecommendationsAML/CFT POLICIES AND COORDINATION Assessing risks
and applying a risk-based approach
Card skimming/ATM Fraud is a significant threat to the
region.
It is connected to all the crimes mentioned previously including
money laundering.
It involves transnational criminals.
Movement of monies around the globe.
Failing to address these risks in the National Risk Assessment
exercise would mean that a country is failing to take corrective or
mitigating measures in relation to a significant threat.
This failure may impact issues such as Customer Due
Diligence/Knowing Your Customer.
This failure can give rise to the question of whether Customer
Due Diligence/ Know your customer mechanisms are working, given,
the significant variance from a customers usual activity.
Banks may need to enhance the risk profile of ATMs as a product
offered.
Are banks reporting Suspicious Activity Reports in relation to
these transactions, which may be tied to many other major crimes
such as ML, drug trafficking, human trafficking, transnational
crime?
FATF 40 Recommendations
2. National cooperation and coordination
The FIU must:
work with Financial Institutions and other regulators such as
the Central Bank to raise awareness of the threat posed by card
skimming.
Monitor the receipt of Suspicious Activity Reports by financial
institutions and other regulated entities with ATMs to ensure that
SARs are filed.
Analyse this information in a timely fashion for dissemination
to relevant law enforcement agencies for investigation.
Consideration can be given to creating a multi-agency task force
to discuss strategies to mitigate and combat the threat posed by
card skimming.
Financial Institutions (FIs):
EMV Migration Have a planDocument the planEducate
employeesInspect all ATM locationsRecording keeping and pictorial
documentationSet ATM standardsReport Skimming to law
enforcementContact other institutions
Tips to reduce ATM skimming
Card Holders
Familiarise yourself with the look and feel of the ATM fascia of
machines
Contact your card issuer if you have completed a transaction and
suspect that your card or PIN may have been compromised.
Check your card transactions frequently, using online banking
and your monthly statement.
Always protect your PIN and be aware of people around or close
to you.
Ask your card provider if they offer account alert technology
that will deliver SMS text communications or emails to you in the
event that fraudulent activity is suspected on your payment
card.
Update your address and cell phone information for every card
you have, so that you can be reached if there is ever a critical
situation that requires your immediate attention.
Law enforcement:
Familiarise officers in particular, border control officers on
skimming equipment and methods of concealment.
Train law enforcement agencies in investigation and prosecution
of ATM skimming.
Secure and preserve evidence of card skimming ASAP.
Establish cooperative, crime prevention liaison with FIs
operating in your country.
Team with other local, regional and international law
enforcement agencies in communicating skimming events, dates,
locations and images as well as bio-data of know skimmers and their
travel plans.
Consider working with National Financial Associations to build
collaborations and maximize resources.
Identify, investigate and prosecute associated crimes such as
money laundering.
