In the first six months of 2016, police in Europe cataloged 492 explosive attacks on ATMs (automatic teller machines), up from 273 attacks for the same period in 2015. The European ATM Security Team reports that 110 involved solid explosives, while the rest utilized explosive gas.
U.S. ATM operators faced an October 21 deadline from MasterCard to make their machines EMV-compliant—Visa's deadline follows one year later—and the attack report is a reminder that fraud isn't the only challenge when it comes to trying to secure ATMs.
ATMs—especially aging ones—have long been a target for attackers who are able to physically access the device and override security controls via black-box attacks, or to launch remote attacks using malware that allows money mules to "cash out" or "jackpot" the machines, instructing them to spit out cash.
But some attackers opt instead to launch physical attacks against ATMs, which may involve "ram raids" that utilize a heavy object to knock them down, enabling attackers to drag them away and use drills to penetrate the safe. Explosive attacks, meanwhile, often involve pumping explosive gas, such as a combination of acetylene and oxygen, into the ATM's safe using flexible tubing, then detonating the gas to gain access to the safe.
Earlier this year, card analytics firm FICO reported that it saw a 546 percent increase in ATM fraud in the United States from 2014 to 2015. FICO declined to detail how many such incidents it's counted, but it predicts that criminals will continue to target unattended ATMs that aren't EMV-compatible.
MasterCard has now shifted the EMV liability shift for operators of ATMs in the United States. As of October 21, operators will be responsible for any fraud that involves an EMV-enabled card used in their ATM, unless the ATM is EMV-compatible, in which case the card issuer is liable for the fraud.
The upside of an EMV chip is that it can be used to generate a behind-the-scenes, one-time cryptographic code to authenticate that the card itself is legitimate. Security experts say that should take a big bite out of skimming, in which thieves intercept card details—enabling them to use cloned cards to steal cash—because EMV chips more difficult to clone.
Another challenge, however, has been getting EMV debit cards into consumers' hands. To date, only one-third of branded MasterCard debit cards are chip-enabled, compared with 88 percent of its branded consumer credit cards. Visa, meanwhile, tells The Wall Street Journal that 42 percent of its branded debit cards have chips, compared with 64 percent of its branded credit cards. Visa’s EMV liability shift deadline is October 1, 2017.
For information about credit and debit cards, contact Tanya Finken or Jeri Hanson, GRSB card services representatives.
(218) 326-9419, ext. 288