Local police are investigating ATM skimming attacks at four New York hospitals. Security experts warn that fraudsters will likely continue to target locations, including hospitals, where ATMs are not closely monitored and around-the-clock access to the terminals is available.
See Also: Secrets to a Simpler Security Incident Response
"These skimming attacks are actually a major problem at ATMs in many locations," says financial fraud expert Shirley Inscoe, analyst for the consultancy Aite. "Skimming is currently the No. 1 threat at ATMs in the U.S. The problem is even growing at many financial institution locations, because they have outsourced ATM servicing, and staff no longer perform daily inspections as they did when the machines were serviced internally."
But when ATMs are placed in remote locations, the risk of skimming is even greater, Inscoe adds. Fraudsters often disguise themselves as service technicians or armored car personnel, fooling passersby into thinking they have a reason to be tampering with the ATM, she says.
"ATMs that are out of the way and not monitored are obviously at risk," Inscoe says. "But frankly, any machine can be compromised, since thieves work 24x7 and people don't really question anyone working on a machine. If they are wearing some type of official-looking uniform, people assume what they are doing is legitimate."
The New York Police Department has not yet revealed how it believes fraudsters successfully compromised ATMs in this most recent attack. For now, the department is focused on finding two individuals it believes are behind the attacks, according to a media alert sent to Information Security Media Group.
"It was reported to police that skimming devices were installed in hospital ATM machines between Wednesday, Aug. 24, 2016, and Tuesday, Nov. 1, 2016," the alert states. "The individuals used victim's personal information to make duplicate cards to make several unauthorized cash withdrawals."
So far, skimming devices have been found at ATMs located in Memorial Sloan-Kettering and New York Presbyterian Hospital in Manhattan, New York Methodist Hospital in Brooklyn, and Jamaica Hospital Medical Center in Queens, according to police. The theft of more than $40,000 has been linked to the attacks, reports CBS New York.
Back in 2012, eight hospitals in Toronto were targeted as part of a similar ATM skimming scheme (see ATM Attacks Exploit Lax Security).
Hospitals Are Easy Targets
Financial fraud expert Avivah Litan, an analyst at the consultancy Gartner, says ATM fraudsters gravitate to the points of least resistance - which often includes hospitals.
"Hospital staff can barely keep up with the ER waiting rooms, let alone worry about ATM security," she says. "Hospitals make perfect targets for ATM skimmers, and I'm sure we will see more of these ATM skimming attacks at hospitals and other understaffed, undersecured healthcare facilities in the coming year or two."
The best solution, Litan says: Install tamper-resistant ATMs. "I expect that will also start happening in the next year or two," she says.
Al Pascual, head of fraud and security at Javelin Strategy & Research, says it's unlikely that only four hospitals were targeted in this scheme. "Hospitals and ATM operators throughout the New York metro area should be inspecting ATMs installed at hospitals, as this is likely to be a far more pervasive crime than has been reported," he says.
ATM Skimming: Growing Worry
Banking executives see ATM skimming as a growing problem, with 68 percent of executives recently surveyed by Aite ranking ATM skimming as a "severe" or "very severe" threat, Inscoe says.
John Buzzard, fraud specialist at CO-OP Financial Services, a credit union network that provides ATM, card payment and mobile services, says detection of skimming at off-premises ATMs remains challenging.
"When skimming crews use fraudulent cards sporadically over a long period, it makes detection harder," Buzzard says. "This may explain the two-month distance from exposure to fraud. Keep in mind that circa 1999 it took an average of three months from skim to fraud, so we are sort of tone deaf to just how rapid these skimming cases blossom in today's world. Two months seems long, but I'm sure they were staggering their unauthorized withdrawals to evade detection."
Pascual says that's why ATMs managed and operated by third parties, outside the bank or credit union, are a top area of fraud concern. These ATMs are less likely to be inspected on a regular basis for skimming devices and/or other tampering relative to their bank-branch counterparts, he says.
"I wouldn't say that the security of hospital ATMs, in particular, is a significant concern for our issuer and bank clients but, rather, third-party ATMs in general," Pascual explains. "These ATMs are much more likely to suffer from physical and logical security issues, when compared to bank ATMs."
The continued use of magnetic-stripe debit cards, which can be easily skimmed, is a cause for concern, says William Murray, an independent financial fraud consultant. "While ATMs are being upgraded to EMV [chip] and a few banks are implementing "cardless/mobile, they continue to accept [information] on mag-stripes," he says. "There is no (U.S.) end-of-life plan for mag-stripe," because all EMV chip cards still retain magnetic-stripes, Murray adds.
"There is not even a plan for EMV-only cards," he says. "This vulnerability is likely to be around for a long time."