top of page

Card Skimming: Consequences, Strategies and Preventative Measures



Join Rob Leiponis and Heather Glezen as they chat with host Daniel Litwin about a common issue in banking: card skimming. Listen in as they tackle some hard questions regarding increased skimming attempts, consequences of skimming, preventive measures that banks and credit unions can take, and more.


Transcript:


Hello, everyone, and welcome to another episode of "A Bit About", a Parabit podcast. I'm your host for this episode. Daniel Litwin, the voice of B2B Folks, thanks so much for joining us on another episode of the show. As we continue to explore timely topics, major trends, technologies, you name it, shaping the larger security industry.


As we explore today's topic, make sure you're heading to our web right, Parabit.com. again, Parabit.com, for not only previous episodes of our podcast and also future ones, but also more information about our solutions and services and some more supplemental context on the topics we're gonna be breaking down today. So make sure you're doing that and subscribing on Apple Podcasts and Spotify for future episodes and a full catalog of previous conversations on A Bit About.


So today's episode of the podcast is obviously a special one. We're here in studio today with the Parabit team. And today, we're covering an important trend that is not only a common issue for payment processors, retailers, banks, etcetera, but it's actually an increasing issue. It's increasing in prevalence and in some of its negative impacts.


That issue would be card skimming. Yes. Card skimming. So in the last year, according to FICO data.


The number of compromised cards has actually jumped up significantly, a troubling 77% from 2022 to 2023. And this isn't happening at, you know, just like obscure hole in the wall shops or something. This is actually happening, excuse me, happening more prevalently at banks. So banks have actually been a favored target for card skimmers lately with an increase of up to about 33% of compromised locations being bank ATMs.


So what's the deal with this trend. Right? Why are we seeing card skimming tick up in prevalence? What are some of the consequences?


And what strategies should brick and mortars deploy whether these are operational, technology based or otherwise, to help curb this rising risk. Well, we wanted to get the Parabit team here in studio to discuss and give us some of their analysis. So let's go ahead and hear. From them, I'm pleased to welcome our two guests for today's episode of a bit about Rob Leiponis, CEO of Parabit, and Heather Glezen, Business Development Manager with Parabit.


Heather, Rob. Great to have you both on. How are y'all doing? Great. Thank you so much.

Thanks for having us. Absolutely. Thank you for joining us. And, we're actually doing this discussion on the tail end of GSX 2023, which was here in Dallas.


I'm curious if, you know, obviously, we're talking card skimming. Was that a point of concern or something that you heard at the show from folks that came to the Parabit booth or just casually, is it front of mind for the industry?


I think it's front of mind for the industry.


You know, there's a lot of skimming that's occurring at various different types of, self-service technology, as well as point of sale terminals and, you know, the ATM manufacturers have done a pretty decent job of, creating anti skimming or in skimming detection systems for their ATMs, but they still are getting compromised. And, you know, the usage of our solution in connection with the, solutions that have been deployed at the ATMs has, been a very good combatant about deterring skimming, but it is still a significant problem in the industry. And as you mentioned, it's it's on the rise.


And, we have several clients that are evaluating our solution, and then we've, we've, you know, we have 23 of the top 25 financial institutions in the US utilizing their solution, and they've had great success in mitigating skimming. And it's really, It's really helped them protect their brand because, when skimming first evolved years ago, it was really giving a bad reputation to the financial community because many customers were, you know, having their bank accounts emptied and getting compromised. And, it's it was costing banks literally millions of dollars, on skimming attempts because of the, you know, the reputational damage that was causing them. And I think some of those organizations that feel a little bit more un insulated from it and, maybe taken for granted and that hasn't occurred now with this, there's a significant cost, and it becomes a rude awakening of the threat.


Yeah. And I wanna paint a a wider picture of that threat. I mentioned, in my intro, some FICO data. This came out actually in early August, so it's very recent.


But let me paint that bigger picture of this card skimming trend with some other relevant stats. So there's been a 48% increase and the average number of cards impacted per compromise. This is in the first half of 2023. So significant jump there.


In the first half of 2023, we saw a year over year increase in compromised events of about 20%, and that jumped from about 525 compromised reports to 625 in 2023. Bank ATMs, again, have been a favored target, but the number, really puts it into context. We've seen a 109% increase in bank ATMs, encountering skimming incidents. And this is happening in a few key states, Virginia, Texas, New Jersey, Florida, and Colorado.


So that's just to paint the wider picture. You kinda mentioned your answer a little bit with, maybe the prevalence and rise of more self-service kiosks locations and, relationships that brands now have with their customers, but I'm curious if y'all can explain you know, beyond that or, you know, with that as part of a larger picture, what the current trends are that are motivating this increase in card skimming. Right? Why is it becoming an increasingly relevant issue in y'all's perspective?


Well, I think the the main reason is is because, like I mentioned before, the ATM manufacturer and other third party anti skimming solutions have done a decent job, but it's not a total end to end solution. So there's still points of compromise that the criminals are finding to be able to, compromise the ATM card readers as well as apply, the pin capture devices on ATMs.


The reputational damage that could be caused by a single skimming attempt is far greater than the increased cost of our solution over, not having a solution, within their banking environments to protect their customers. And, you know, it's really happening, what's interesting that's happened over the last several years is we've actually had, financial institutions who, in the past, did not create, build out branches with ATM lobbies because it was more, their concerns about, it's more of an environment that they have to spend more dollars to protect, but it really is providing, a safer environment for their ATM customers to utilize the the machine.


So they can use the machine, put their money away before they exit the facility. People that are using drive up and walk up ATMs, I mean, there's nothing to stop someone from running up to them or pretending to be a customer to stand behind them, take their money after do the withdrawal or rob them, and then leave the facility. So it does provide ATM lobbies in general. I mean, as far as far as I'm concerned, provide a better branded banking environment for customers.


Because you can go into a branch and take $20 out of a statement savings account, and there's a $100,000 worth of security around that branch. But in an ATM drive up per walk up, the the amount of security that's associated with those, 24 hour banking environments is very limiting. And, creates a compromise situation for customers that, you know, there's some banks out there that have thousand dollar withdrawal limits on their ATM. So, I mean, it's very attractive for this, this, the the people that are skimming, as well as people who do, attacks on customers that are using those machines, it's kinda like putting the customer out in the open really not a safe and pleasant banking environment from our perspective.

In addition to customer safety, it's also a matter of securing assets, which that lobby environment creates a more secured insulated location, where it's a little bit higher risk if you're looking at- these, criminals are, you know, they're very sophisticated with how they approach the skimming. And, and they're highly activated. Yeah. Well, expanding on that, I'm curious if y'all have seen or heard, about any evolutions to card skimming tactics as of late. Right? Like, is this spike in incidents, you know, solely relevant to larger macro factors or something to do with sort of, the expansion of self-service kiosk or is there also an element of the strategies themselves by card skimmers has improved or there's, you know, they have new tech that they're using to break in and capture that information.

Are y'all hearing anything like that as well? I think the technology that is being utilized today is, you know, hasn't really migrated to something that is more difficult to detect. I think it's still the traditional skimming and pin capture devices that have always been deployed for many years.


I think because of COVID and probably because of a decrease in in ATM transactions during that time, I think that, you know, banks in general saw less skimming attacks, but now that, you know, the economy's coming around, and, there's more ATM transaction volume that's occurring for many financial institutions that, it's opening the door for, criminals to have a desire to know, go back to adding skimming solutions to ATMs.


Now I'm curious to, you know, another trend that intersects here is the evolving ecosystem of payment methods as well. Right?


Obviously consumers are now using, a lot payment methods that go beyond the card, but even the card itself has fresh technologies. There's tap you know, tap pay, touchless payment, essentially. And I'm curious if that has had any impact on skimming strategies, skimming risk mitigation. Right?


And, you know, our our chip and pin or contactless technologies helping prevent skimming or, has skimming kind of adapted to these evolving technologies as well. What are y'all seeing there? You know, skimming is really still targeted towards, you know, magnetic stripe and NFC cards. You know, we have several clients that have enabled mobile transactions on their ATMs.


And, luckily with our solution we developed. It has Bluetooth access control embedded in it. So, from a customer experience perspective, we've developed an SDK that a financial institution can integrate into their banking app that think a customer can utilize to enter the lobby as well as process the transaction on the ATM. So, and plus that is a multi authenticated device.


So that really is the way to go from financial institutions to really mitigate skimming on their machines and any lobby that they have. Because as long as there's, cards, whether they be NFC, Bluetooth, I mean, NFC contactless, the, EMV chip or the mag stripe, that's an easy compromise point. And, you know, I know that there's goals for the industry to eliminate the mag stripe, But as long as there's a card, then there still will be skimming. You know, and then our solution basically enables financial tuitions to eventually at some point to eliminate the card, and then just basically provide a contactless transaction utilizing their mobile device.


When y'all brought up financial institutions, I'm wondering if you could give me some specific examples or anecdotes of basically what you're hearing from your clients about the issue itself and also how they're responding, right, are banks taking any specific or common steps to mitigate some of these card skimming risks, especially at their ATMs? Yeah. Because skimming is a is a chronic problem. You know, the I think the banks are reluctant to really discuss and share what their experience is because it's point of exposure for them, which is completely understandable.


You know, they're working on, you know, and and investigating and deploying many solutions that are a help mitigating it, but it's I don't think there's an end all to it. You know, I think, you know, the utilization of going to contactless payments and, as well as digital payments or digital transactions with mobile, is really the direction that, you know, many of the financial institutions that we do business with are investigating. Some of them have deployed it, but there's still, you know, a lot of smaller financial institutions, I don't think that they have the financial backing to really integrate that technology because it is much more expensive than what's currently available today with the inexpensive card that's provided to access cash or process a transaction.


Yeah. What are you hearing from the banks and financial institutions? Similar things as well? Or any, any specific anecdotes that come to mind?


Well, I you know, we see mag stripes are, probably the most easily compromised, highest risk. Would you would you agree with that, Rob? NFC, you know, contact NFC as well as make sure.


Yep. So, migrating to that contactless technology is is gonna be critical. And, you know, I just think there's a growing awareness around that increasing threat. Well, it's good to hear at least that these sort of tangential, evolutions to you know, payment processing and, payment touch points in general are coming with sort of ingrained security measures around the classic skimming technology.


But like you mentioned, also, any sort of long term phase out of the mag stripe or, you know, vulnerable chips on cards, it's probably gonna take a while. So in the short term, financial institutions, retailers, payment process regardless or gonna need some strategies to maneuver this increased threat or at least a return to form of this threat post COVID, like you mentioned. Part of that ecosystem is obviously Parabit. Also, so I wanna open it up here for y'all to expand a little more on Parabit's Skim guard technology. Could you tell us a little bit more about it and how it works to help insulate brick and mortars and their self-service touch points from card skimming risks. We developed this technology back in two thousand and thirteen and back in September twenty one when we released the latest two point o MMR reader, that supports Magstrype contactless NFC and Bluetooth access control.

It's really helped mitigate skimming, from a sense that you know, our reader has built in physical overlay detection, of a skimming device, RFID, skimming detection. So if someone puts an RFI skimmer next to the reader, it detects that as well.


Recent enhancements are we've developed impact detection, detection of when a card reader is replaced.


The physical design of the card prevents a shimmer from being installed inside our reader.

As well as tampering with the reader. We also monitor cable cut of the reader. So our reader has really proven to be I think the flagship product for financial institutions in the US. I mean, our testament of that is that we are 23 of the top 25 financial institutions in the US use our product. Some greater than other. And then there's literally thousands of smaller credit unions and banks that are slowly learning about the product.


And it's really helped law enforcement in the in the detection as well as the capture of criminals who are attaching skimming devices on our reader, as well as pin capture devices on the ATM.


Law enforcement has discussed with us the successes that they've had in in setting up stings to actually capture the criminals that are attaching these devices to the ATM, and we're very proud of that. Unfortunately the statistics on that are not available on that because it's not something that really you want to make public information, but we're we're trying to keep, i'm very proud of the fact that we created a solution that is as reliable as what it is. But it's basically has it's kept people's bank accounts from being emptied when they're not aware of it. And I'm curious if you all can both expand on where you see Skimgard fitting into the larger ecosystem of strategies and technologies that, brick and mortars and especially financial institutions might deploy to enhance their security measures around card skimming. Right? How do you see it being complimented by and enting that ecosystem?


When a customer approaches, an ATM, and if we have a financial solution that has integrated our SDK for access control into their online banking app, what are what is everyone walking around the street with their phone in their hand? Right? So if a customer has to pull their card out in front of an ATM or in front of an ATM lobby to gain access to it, they're compromising themselves because they're pulling their card out that someone can go up to them and take their card or force them to go to the ATM and process the transaction.


Integrating our SDK into the solution could provide a dual authentication that, you know, we're authenticating the customer at the ATM access point, and then we're also, the bank is authenticating them at the ATM. And then in addition to that, you know, utilizing our SDK allows the bank to do a retail integration, where, when a customer enters an ATM lobby, that credential of that customer can have a profile associated with it. So when they walk up to the ATM or they walk into the branch, they can change the the digital signage based upon their demographic.


They can be sending messages to the branch personnel working inside the branch of, what's the profile of this customer and then allow us to set up or, create more targeted marketing questions to upsell their customer to services like make a notice that customer has thousand dollars in a statement savings account. And now the the teller can ask a more engaging question or make a suggestion that you should speak to our investment services. Because in the for years, banks have been trying to get, train their branch personnel to upsell a customer, but you know, the advantage of utilizing our system to provide those types of notification services allows the banks to have prepare their branch personnel to have more engaging, more targeted questions and suggestions to that consumer when they come into their facility.


Yeah. So then it really helps to give financial institutions another tool, like you said, to offer for quality services for their customers, but I also find that interesting, right, that Parabit is collaborating with financial institutions beyond just a client relationship of providing a solution and being done with it, right, but actually kind of helping use that solution to morph and evolve strategies around, card skimming risk mitigation and more generally security strategies.


I'm curious if y'all could expand on some of that, these partnerships and collaboration that you have with financial institutions and your thoughts on the benefits of those kinds of extended more holistic, collaborative partnerships.


Well, I think, you know, when there there's collaboration around security integrators around solution providers and end users, the financial institutions themselves, in transparent collaboration around where are the highest risks? What are the exposures? When you look at types of deployments, as Rob alluded to the safety around an ATM lobby, there may be a higher convenience drive up, but you're also at your highest exposure.


So there's, you know, pros and cons to solutions. So some sometimes that, you know, market prevalence and certain markets may drive, one, a preference on certain types of ATM deployments.


But again, once you put an enclosed technology and assets into a more secure environment where there's, it's, there's surveillance in more, security around that in safety. It just reduces risk. If you're a criminal evaluating what you what you want to target, exposed sitting out on the curb, exposed against the side of a building where a drive up can happen or inside of an enclosed secure space that you have to access. Right, and what we've also done is in in in a lot of our products, our security products that we develop, we always evaluate and research what type of retail applications can benefit from the security products that we create.


As I mentioned before, notifying branch personnel of who just entered their lobby to be able to engage them more effectively integration into the digital signage. So it's a and plus retail is a profit center. Security is a cost center. So if you create solutions that retail can leverage to provide a better customer experience, a quicker, customer experience, but also protect the customer is a win win for both security and retail.


And then that's our, you know, and that's our mission as a company as we develop products because, you know, security has a difficult time raising and creating funds to support initiatives like this because, they're doing they're putting out a lot of fires and know, there's unfortunately crime is not on the decrease, so they're constantly trying to stay ahead of all the criminals that are providing, you know, that are acting upon them and creating bad events for them, compromising their assets, compromising their customers.


I mean, there's a significant amount of hook and chain theft of ATMs. I mean, I think Texas is probably one of the greatest states that is seeing the highest number of, you know, incidents where people are just ripping ATMs off of islands and off of remote locations. So from a, from an asset perspective, and, and there's really hasn't been a really proven solution to, like, mitigate that. It just it still occurs, as well as explosion attacks. And then you have ATMs that are through the wall, They still may be compromised by, skimming devices, but, you know, they're less likely to be exposed to an explosion attack, but they still could be.


Whereas an ATM that's inside a protected environment and a pleasant banking experience for customers is probably the best practice for a bank because they're protecting their assets as well as their customers.


And I think some of that collaboration in the conversation also is, as solution providers as consultants and security integrators, you know, helping the the bank understand that, even though this is a security conversation, how do I need pull in other colleagues from other strands of the branch to be able to realize the benefits to have that collaboration to actually help fund what is perceived. It's a shift in perception on what type of solution you're actually delivering. Right. Is it just a security solution or how do we get other stakeholders involved that can be aware and understand the benefits to the retail side.


And so then with that in mind too, as we start to wrap up the conversation, if you had to look ahead, because that FICO data that we referenced earlier in the conversation also revealed that card skimming is just one piece of the larger fraud ecosystem, other types of fraud that impact brick and mortars, especially financial institutions, are also seeing increases, including, for example, authorized push payment scams.


That's just one example. And I recommend folks in the audience go check out that report because it's very detailed, but how do you guys see this general landscape of card skimming strategies, but also generally ATM Security, how do you see that ecosystem evolving in the next few years?


And, how might that create more opportunities for card skimming or decrease those opportunities, right, and actually increase security around, potential card skimming events. Thoughts?


Like I had mentioned before, a lot of banks are looking at, moving the credential from the card to the mobile device because that's people are are holding in their hands at all times. They can authenticate themselves on their phone as well as with the, ATM or a payment terminal. So, really, that's the, I think, the method of choice to be able to control know, because it's difficult to to duplicate a phone, but it's easy to duplicate a card. So I think that is, and that will take, several years. You know, I know that there's some deadlines where Visa and Mastercard would like to see, the cards eventually disappear. But in the same token, they want to keep it because it is their brand. But mobile credentials for processing transactions is really the ultimate, method to mitigate skimming at point of sale devices, as well as, ATMs.


We've seen the the actual mobile device can actually be authenticated with a card as well because of n f NFC. So there could be multiple levels of authentication, you know, between iris recognition, facial recognition, entering your pin on your mobile device tapping your card to the back of the mobile device in order to do have multiple steps of authentication in order to mitigate future skimming or or compromises at point of sale terminals by migrating to a mobile solution, because as well as because of the encryption that comes behind the backbone of the mobile system.


Yeah. I think just that growing awareness, I think banks, those that are slow to shift, are gonna realize quickly how important that is. And we still see customers out there that are still have not even converted to NFC. And, and that's something that that needs to happen, because because of the risk. If you look at the point of sale terminals that that get compromised, criminals can slap an overlay on so quickly, even in a retail environment from a consumer standpoint, it's so important to always protect your pin. And, but I think as that consumer awareness grows that should kind of help push push banks and and and credit unions to make sure that they're evolving with the times, which will be critical of the future success. Well, I think on that note, we'll go ahead and wrap up the conversation.


So thank you so much to the two of you for sitting down with us in studio, and giving us your perspectives on the larger, threat of card skimming, its evolutions, how it's impacting financial institutions and other brick and mortars, and how Parabit's technologies fit to, strategy ecosystem of technologies and otherwise to help mitigate those risks. So thank you again to the two of you. It's been great.


Yeah. Of course. And, again, folks, we've been chatting with Rob Leiponis, CEO of Parabit, and Heather Glezen business development manager, with Parabit. Now folks wanna learn a little bit more about y'all solutions, specifically around card skimming or otherwise, where should we point them?



Easy enough. Right? Yeah. Under our resources, we have a media center with some videos. We have our homepage that, hosts the clips of our A Bit About page.

So Perfect. Alright. Parabit dot com folks, make sure you head there for previous episodes of the show. As well as more information about Parabit's, card skimming, risk mitigation solutions, and the larger ecosystem of security solutions they provide for the industry.

So thanks again, Rob. Thanks again, Heather. Really appreciate chatting with both of you. Thane. Thank you.


And thank you everyone for tuning in to another episode of "A bit About" a Parabit podcast. Like we said, head to our website, Parabit com for previous episodes of the show, and make sure that you're subscribing on Apple Podcasts and Spotify for a full catalog of previous episodes and notification when we drop new ones. I'm your host Daniel Litwin, the voice of B2B. We'll catch you on the next episode of a bit about.


Contact the Parabit team at sales@parabit.com.

留言


bottom of page