By Robin Sidel
Criminals are stealing card data from U.S. automated teller
machines at the highest rate in two decades, preying on ATMs while
merchants crack down on fraud at the checkout counter.
The incidents, in which thieves steal information from debit
cards to make counterfeit plastic, are taking place at ATMs that
are owned by banks as well as independently owned cash kiosks in
shopping centers, convenience stores and restaurants, according to
industry executives.
From January to April 9, 2015, the number of attacks on debit
cards used at ATMs reached the highest level for that period in at
least 20 years, according to FICO, a credit-scoring and analytics
firm. The company tracks such incidents through its card-
monitoring service for financial institutions that represent more
than 65% of all U.S. debit cards.
Debit-card compromises at ATMs located on bank property jumped
174% from Jan. 1 to April 9, compared with the same period last
year, while successful attacks at nonbank machines soared by 317%,
according to FICO.
"These tremendous spikes in fraud are unprecedented," said John
Buzzard, who manages FICO's card-alert service.
The company declined to disclose the total number of such
incidents, citing contractual restrictions with its customers.
The incidents come as banks are racing to issue new credit and
debit cards with computer chips that make it more difficult for
thieves to create counterfeits. However, most ATMs don't yet accept
the new technology, though J.P. Morgan Chase & Co. and Bank of
America Corp. have recently begun to install the more advanced
machines. A Bank of America spokeswoman wouldn't comment on whether
they have seen an increase in fraud. A J.P. Morgan spokesman said
the bank expects attacks on its ATMs to decline this year due to
enhanced security.
Criminals "know there is still vulnerability [at the ATM] and
they are trying to capitalize on it," said Owen Wild, director of
security marketing at NCR Corp., one of the largest ATM
manufacturers.
Merchants are further along in installing equipment to accept
the new cards at checkout counters in stores because they will be
on the hook to absorb the cost of fraudulent transactions starting
in October if they don't have the new equipment in place.
That liability shift won't take place for ATM operators until a
year later at the earliest. Card issuers currently have the
liability for most fraudulent transactions.
The wave of hacking underscores the financial industry's battle
to thwart cybercrime and comes as consumers and banks are reeling
from several high-profile data breaches at retailers that have
exposed millions of credit cards and debit cards to potential
fraud.
Many of the ATM incidents involve a long-established technique
in which criminals install devices that capture information from
the card's magnetic stripe. The method, called skimming, sometimes
also involves a tiny camera that records the cardholder entering a
personal identification number.
Criminals use the information to manufacture counterfeit debit
cards that can be used to withdraw cash at an ATM or make a
purchase in a store or online. The trend is particularly
troublesome because thieves can drain a bank account when they have
access to cardholder information. Though cardholders aren't
typically liable for unauthorized activity on their debit cards,
issuing banks may have some discretion to determine if the customer
promptly reported the theft.
Consumers also have few ways to prevent an attack because the
thievery is often well disguised. Experts advise countermeasures
such as covering the keypad with your other hand when entering a
PIN and trying to avoid nonbank locations where the ATM is in a
hidden location that thieves could easily access without being
detected.
Industry executives say that it is difficult to quantify the
amount of fraud losses that are associated with such attacks.
Tremont Capital Group, a consulting firm that specializes in the
ATM industry, predicts that thieves will make at least 1.5 million
ATM cash withdrawals this year. Only a portion of the attacks
ultimately result in fraudulent transactions. The trend is
"alarming, but manageable" because it represents a fraction of
total ATM transactions, said Sam Ditzion, chief executive of the
Boston-based firm.
A study released last year by the Federal Reserve found that
U.S. consumers made 5.8 billion ATM withdrawals in 2012, totaling
$687 billion.
Still, the hacking trend is creating headaches for banks and
customers whose card information could be at risk.
Earlier this year, New Orleans-based Whitney Bank deactivated
7,100 debit cards and issued new ones to customers after the bank
discovered thieves had attached a plastic mold and metal plate to
ATM card receptors at several of its ATMs. The bank is a unit of
Hancock Holding Co.
"We continue to proactively and vigilantly monitor ATMs and
client transactions across our five-state footprint for any
potentially fraudulent ATM activity," a spokesman said. The bank,
which also operates in Texas, Mississippi, Alabama, and Florida,
hasn't seen any additional skimmer attempts.
Laurie Cataldo of Red Bank, N.J., was the recent victim of a
debit-card hack. Thieves drained about $85 from her checking
account before she noticed, though she doesn't know where they
swiped her account information. The bank restored the funds to her
account, but the episode forced the 30-year-old radio disc jockey
to withdraw cash in advance of a coming trip because the bank froze
her account.
Ms. Cataldo now tries to make her ATM transactions more secure
by covering the PIN pad with her hand when tapping in her
identification number. "Debit cards are so convenient, but then
they wind up being way more inconvenient if you get hacked," she
said.
Mr. Buzzard of FICO said that the attacks are occurring in
traditional hot spots such as southern Florida but also popping up
in new places like Albuquerque, N.M., and Memphis, Tenn.
There was also a surge of hacking activity last week that
traveled from Philadelphia to New York, he said.
Access Investor Kit for Bank of America Corp.
Visit
http://www.companyspotlight.com/partner?cp_code=P479&isin=US0605051046
Access Investor Kit for NCR Corp.
Visit
http://www.companyspotlight.com/partner?cp_code=P479&isin=US62886E1082
Subscribe to WSJ: http://online.wsj.com?mod=djnwires