By Karen M. Neeley
General Counsel, Independent Bankers Association of Texas
As the banking industry improves its security procedures, hardware and software, the bad guys are also stepping up their game. One of their weapons, skimmers, continue to get more sophisticated. At the same time, accountability on the part of businesses deploying unattended tellers has been hard to come by. The following is a quick look at some of the basics and recent developments relating to skimmers.
What is a skimmer?
When inserted into an unattended teller or payment terminal—such as an ATM, self-service cashier or self-service fuel pump—the device captures data from the debit and credit cards of those using the terminal.
How are they used?
The person or gang that has inserted the skimmer retrieves the data from the skimmer—typically via a wireless connection—and then sells the data or uses it to create counterfeit credit cards or identities.
How does the business or a consumer using an unattended teller/payment terminal detect such devices?
Candidly, it is getting harder. With older, clunkier skimmers, the fraudster had to open the gas pump door to install the skimmer. Thus, a seal or tape could be put across the door of the device and checked for tampering. Better locks for the dispenser door could also deter fraudsters.
However, newer skimmers are very slim and can be inserted into the card slot without accessing the interior of the device. Nonetheless, a customer may detect tampering if the card slot is loose or otherwise appears unusual.
There are consumer smartphone apps that allegedly can detect skimmers. However, too often they are simply detecting another Bluetooth connection in the area. This could be a skimmer gang, but it could also be a consumer in the next car with Bluetooth activated on her phone.
If a consumer’s debit card number is fraudulently used, who is responsible for the loss?
Not the consumer! Generally, under the Electronic Fund Transfer Act/Regulation E, the card issuer will be responsible for unauthorized transactions. Remember, too, that Regulation E clearly indicates that the consumer’s negligence will not prevent them from being made whole. In addition, with MasterCard and Visa’s “zero liability” policies, even the modest cost to consumers based on timeliness of reporting is eliminated.
Who are the fraudsters behind skimmers?
There are crime gangs involved. Some are from Russia, Eastern Europe and Cuba. Texas is establishing a “Fusion Center” to act as a clearinghouse for reports and information about skimming crimes. Hopefully, this will improve law enforcement’s ability to pursue criminals more effectively. Suspicious activity reports must be filed by banks with FinCEN, and these can help in detecting patterns.
Are steps being taken to reduce the risk and costs to the banking industry?
Yes—baby steps. First, when cards are all converted to EMV, the chip will not be susceptible to skimming. In the meantime, cards still have a magnetic strip that is used for systems that can’t handle the chip. EMV is not mandatory for gas pumps until October 1, 2020. The card payments industry believes that full conversion to EMV could reduce counterfeit fraud by 70 percent. Another possible shift could be to contactless payment systems—the consumer’s phone becomes her payment device.
What is the food and fuel industry doing in the meantime?
In Texas, that industry joined the banking industry in legislation establishing standards for unattended payment terminals, with specific merchant duties to be diligent and detect, remove and report skimmers. At press time, the Texas attorney general is working on regulations to implement the law. Merchants that violate the rules will be subject to enforcement action, starting with simple correction, but increasing to civil penalties for willful violations.
For Texas fuel dispensers, the Texas Department of Licensing and Regulation now licenses those merchants. It has established a website for reporting malicious devices on gas pumps: bit.ly/skimmerreports. The agency has stated that it will address every complaint entered into the database and check each location.
What can consumers do to protect themselves?
Watch for reports of skimmer events in their area and then avoid that merchant! Pay inside rather than at the pump. Avoid pumps that are in dark areas as these are more likely targets for the gangs. Look for torn security tapes and wobbly payment devices. Monitor debit and credit card statements for unauthorized transactions and report unauthorized transactions promptly.
Each payment method has its pros and cons—whether it is cash, check or card—for consumers, merchants and financial institutions. Convenience, too, often trumps caution. Cooperation among each segment of the payment system and careful use of technology should win the day.
Karen M. Neeley has served as IBAT general counsel since 1989. She is widely recognized throughout the financial institution community for her expertise in the areas of regulatory and compliance law. Contact her at email@example.com.
Published in Bankers Digest January 20, 2020