Authentication & Security

Theft of Debit Card Data from ATMs at an All-Time High

According to insights from FICO, a credit scoring and data analytics firm, there has been a substantial surge in ATM fraud which has been evident since January this year. Criminals are stealing card data from U.S. automated teller machines at the highest rate in two decades, preying on ATMs even while merchants crack down on fraud at the checkout counter. According to FICO, debit card compromises at ATMs located on bank property jumped 174% from January 1 to April 9 as compared to the same period last year, while successful attacks at non-bank machines soared by 317%.

The incidents in which thieves steal information from debit cards to make counterfeit plastic are taking place at ATMs that are owned by banks as well as independently owned cash kiosks in shopping centers, convenience stores and restaurants. FICO has been tracking such incidents through its card-monitoring service for financial institutions that issue more than 65% of all U.S. debit cards. However, FICO hasn’t disclosed the exact number of such fraudulent use cases.

These incidents have surfaced at a time when banks are racing to issue new credit and debit cards with computer chips that make it more difficult for thieves to create counterfeits. However, most ATMs don’t accept the new EMV chip-and-PIN technology yet. JP Morgan Chase and Bank of America have already taken up the initiative and have started integrating the chip technology in their advanced machines. But the overall portrayal is that a large number of ATMs are vulnerable and criminals are capitalizing on that.

We had earlier talked about the EMV liability that is poised to go into effect as a mandate from October this year. That liability shift won’t take place for ATM operators until a year later at the earliest. Card issuers currently bear liability for most fraudulent transactions.

Many incidents of ATM fraud involve a long-established technique in which criminals install devices that capture information from the card’s magnetic stripe. The method, called skimming, sometimes also involves a tiny camera that records the cardholder entering a personal identification number. Criminals use this information to manufacture counterfeit debit cards that can be used to withdraw cash at an ATM or make a purchase at a store or online.

Common ATM fraud techniques involve the use of skimmers. Skimmers are basically fake devices which act as components of an ATM machine. Skimmers could be in the form of card slots, PIN pads. Besides skimmers, other techniques could involve the use of a hidden camera to capture both PIN numbers and card information. There have also been cases where a completely fake ATM machine has been placed in public places. Such machines simply capture the card information and give out an error when user tries to initiate a transaction.

For stakeholders, it has been difficult to quantify the amount of fraud losses that are associated with such attacks. Tremont Capital Group, a consulting firm that specializes in the ATM industry, predicts that thieves will make at least $1.5 million in ATM cash withdrawals this year.

Certain remedies have already been implemented to avoid ATM fraud. These include real time SMS alerts, routine security checks for skimmers, on-premise physical security, etc. But we believe that unless radical transformation has been brought to the machines themselves, the fraud certainly will not go down in number. It is yet to be seen whether the shift to chip-based ATM machines over the next year would have a substantial effect on fraud.


Shubha has deep interest in studying the intersections of the physical world with the digital world and writing about it. She is a techno-commercial person, a gadget freak and she has worked at Amazon in the past.

Apply to Become a Contributor