2013 was certainly not a shrinking violet in terms of card skimming and associated card fraud scams. With 2013 card compromise data in hand, I thought I’d share the latest year-over-year trend breakdowns and offer a few predictions for the year ahead (an update to my post last year on ATM fraud trends).
The chart above reflects ATM points of compromise within the United States that were analyzed by FICO® Card Alert Service. Looking at overall volume of activity, we instantly see a continued increase in card skimming at bank-owned ATMs over the past couple years. As this segment increases each year, point-of-sale (POS) card and PIN skimming has somewhat diminished in comparison.
You might wonder: “How is it possible that POS is contributing less towards card and PIN skimming when we are staring down on one of the largest retail data breaches in history?” Keep in mind that the data used to create this chart is reflective of fraud spend at ATMs only. Most of the recent publicized data intrusions did not develop into wide-scale PIN fraud, aside from some isolated social engineering scams that may have netted criminals access to consumer PIN data.
Looking ahead: 2014 fraud threats
In last year’s fraud trends post, I mentioned “memory scraping” malware as an emerging fraud threat. At the time, there were many who had little familiarity with the term. Today, by contrast, RAM or memory scraping is something that’s on countless tongues, as numerous articles proliferate on the BlackPOS Trojan tool, a variation of which was used to compromise Target and other companies.
I expect we will continue to be immersed in malware intrusions this year. In particular, we will probably hear about more corporate intrusions, involving complex, customized malware that are nearly impossible to detect. It’s likely these malware programs will be flexible and adaptable after they are introduced—many worming their way through systems looking for entry points that can be infiltrated in stages.
Increasingly, risk on payment cards will develop in two phases. Fraud spend may initially be signature-based, and then, after a significant time has elapsed, the same group of affected cards could see PIN fraud develop on cards that were not previously reissued. This criminal strategy points out the danger when we focus only on the risk at-hand without considering the potential exposure of other data elements, like PIN numbers, that might have previously been ignored.
Another growing threat: Carders will continue to sell and purchase cards based on bank identification number or BIN. This will dilute the detection of data breaches by making the fraud appear to be specific to a certain financial brand.
To help you stay one step ahead of fraudsters, my fellow fraud bloggers and I will continue to post new information on the latest fraud trends and anti-fraud best practices—so please stay tuned!