The first "deep insert skimmers" couldn't be removed from ATM card readers. They were installed permanently, and some wirelessly transmitted card data to a nearby pinhole camera. After leaving the skimmer in operation for a few days, the thief would retrieve only the camera, along with its card data and video of PIN entry.
The most sophisticated "deep insert skimmers" use magnets that snap into place inside ATM card scanners. They retain their own data and can be removed after harvesting ATM card data.
Used with pinhole cameras, they're very close to being undetectable.
Here's video of a "deep insert skimmer" being demonstrated by an ATM thief.
You'll note that all this skimming activity involves magnetic-strip cards. We now have chip-based cards, which are supposed to improve security.
The U.S. chip standard is called EMV, which are the initials of the three companies that created it: Europay, MasterCard and Visa. EMV cards are also backed by JCB, American Express, China UnionPay and Discover. Visa has given banks until October to support EMV cards at ATMs.
Sadly, there's an emerging version of ATM skimming for EMV cards called "shimming." This kind of theft is hard and rare, so it's not a major threat yet.
Worse, most cards that use chips still require the magnetic strip that's so easy to scan. And most ATMs that support chips will require cards with magnetic strips, even if they read the chip for data.
Isn't ATM skimming over now that we have cardless access?
It would be tempting to assume that fingerprint-protected, NFC-based authentication would end ATM crime. Unfortunately, that's not going to happen, and for three reasons.
1. Unsecure ATM methods aren't going away
Sadly, newer and better security schemes don't improve security if they are deployed in addition to the old ones, rather than as a replacement for them.
For example, fingerprint access to a phone is more secure than a four-digit PIN, but it's not more secure than both fingerprint access and a four-digit PIN. The PIN access is still there.
Banks like Wells Fargo are not in a position to force customers to give up unsecure banking habits. They add new methods without canceling the old ones. To illustrate this, Velline told me that Wells Fargo has 20 million mobile app users. But it has 70 million customers. That means 50 million Wells Fargo customers aren't even using an app.
The new use of temporary codes for ATM access is more secure. But all the less secure methods are still in place.
Banks will have customers with ATM card access, mobile app access or both. The banks will support ATM card access via cards that have chips, magnetic strips or both. They'll support mobile app-based access that uses passwords, fingerprints or both. And once the app is accessed, the ATMs will dispense cash to customers who choose an app-generated numeric code, NFC unlocking, or both.
Sign up for Computerworld eNewsletters.