14 DAY TRIAL // The European Network and Information Security Agency (ENISA) has released a report regarding the situation of ATM crime in the European Union. According to the agency, the rate of such crimes increased by 149 percent in 2008 and resulted in over 485 million euros being lost to fraud during last year.
The European ATM Security Team (EAST) of the ATM Industry Association (ATMIA) estimates that, in 2008, there were 383,951 ATMs in Europe, which is 6% more than in 2007. The same source also estimates that 72% of these machines are located in the UK, Spain, Germany, France and Italy.
As far as ATM crime goes, there were 12,278 such incidents reported in the European Union during last year. From these numbers, we can unscientifically conclude that roughly one in 31 ATMs installed across the Union was attacked in 2008, obviously without taking into account that one ATM could have been attacked multiple times.
In its report (PDF), ENISA describes several types of attacks against ATMs, breaking them in three categories: ATM-skimming, computer and network attacks and physical attacks. From these, ATM-skimming is, by far, the most popular, accounting for around 94% of the recorded ATM crime incidents.
ATM-skimming includes attacks such as card skimming, card trapping, manual skimming, cash trapping or installing fake ATMs. Card skimming involves installing a device for recording card magentic stripes over the legit card reader and hiding it up by making it look as if it is part of the machine or by covering it with a fake front. This device is accompanied by a rogue, hidden camera to capture the PINs as they are inputted by customers.
Card trapping is more simple and involves installing a device that traps the card inside, making the customer believe that this is the result of a technical problem. This attack requires some quick reaction on behalf of the criminals, who have to abuse the card until the victim has a chance to cancel it. Installing fake ATMs is even a more rudimentary and direct attack, during which the attackers try to make the victim believe that the machine is defective after they have inserted their card and inputted their pin.
Manual skimming is similar to card trapping, but requires more social engineering and at least two attackers. One is in charge of "shoulder surfing" to steal the PIN number and distracting the victim. The other attacker steals the card from the machine when the victim is not looking. Cash trapping is pretty much self-explanatory.
Computer and network attacks against ATMs are instances where thieves use specially designed malware to infect the machines or hack into banking networks to steal ATM data. Meanwhile, physical attacks range from ramming the ATMs, to using explosives and special cutting equipment to access the money inside them.
As far as personal protection goes, the agency recommends the use of ATMs located in banks rather than the ones in gas stations and other unsupervised locations. Checking the machine for signs of tampering is always a good idea before inserting the card, regardless of the location of the ATM.
Making sure the person behind you is at a safe distance before inputting your card PIN anywhere is also a common-sense rule. Additionally, it is important to periodically check your statements for suspicious transactions and to keep the bank's emergency number at hand, in case you need to cancel or lock your card as quickly as possible.