“Shimming” versus “Skimming”: ATM service operators must take action

In the last six months, two reports, from Europol[1] and from the European Association for Secure Transactions (EAST)[2], reveal that the threat against ATM services is rising, especially when it comes to terminal-related fraud attacks that exploit software vulnerabilities, either in the ATM’s operating system or in its connectivity to the host.

The most important of these is still Skimming, which collects card details from ATMs for fraudulent use. Shimming is a more sophisticated version which shows that EMV cards can also be misused – writes Per Bjarne Valstad, Head of Sales, ATM Services, Tietoevry Banking.

Europol reports that ATM malware attacks rose slightly between 2021 and 2022, while terminal-related fraud attacks using software vectors were up 8% last year, according to EAST.

As we discussed in an earlier article, there is a tendency to disregard ATM threats as cash use declines, but this is a serious mistake.

Below, we outline how modern ATM networks are being hit by criminals – and how network operators can combat these threats.

Malware attacks may be down – but skimming is up

While there are now relatively few malware attacks against ATMs compared to five years ago, the cost per breach can be significant.

Malware attacks typically happen in two phases: a criminal first prepares the ATM by infecting it with malware, which lies dormant and undetected on the ATM until the criminal triggers a dispense command via a special PIN or touchscreen command.

“ATM software attacks cost an average of €35,000 per incident last year.”

As with malware attacks, there may now be fewer terminal-related fraud attacks (TRFAs) – a category which includes “skimming” – than five years ago, but the losses per attack have grown.

The recent study from EAST shows that although software-related events were down by 40% last year, losses grew by 8% to an average of €35,000 per incident.

Skimming was overwhelmingly the most frequent attack vector, at more than 99% of all fraud attacks.

In Shimming, malware intercepts card and PIN data at the ATM, allowing the criminal to copy the data and later create counterfeit cards for use at non-EMV compliant ATMs.

Once the ATM’s PC is infected, the malware remains active on it during normal operation, a twist on conventional Skimming.

“Shimming vs Skimming – the difference between two fraud types”

While the bulk of losses caused by Skimming continues to be on international cards (as with Shimming), domestic issuer losses still rose 6% in the first six months of 2023.

Network operators should act now

It’s often said that constant vigilance is the price we pay for security – and that’s true here.

Notwithstanding the long-term decline in ATM fraud, network operators should not be complacent about the security of their systems.

Europol’s report provides helpful tips on specific actions operators can take to fight Skimming – such as geo-blocking and monitoring ATM transactions conducted over their network for anomalies.
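One way an operator’s transaction monitoring could implement the geo-blocking and anomaly checks mentioned above, as an added illustration that is neither Europol’s guidance nor Tietoevry’s MV Suite code; the transaction records, allowed-country lists and thresholds are constructed for this example:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authorisation log: (card_token, iso_timestamp, atm_id, country, amount_eur).
# card_token stands in for a tokenised PAN; no real card data is used.
SAMPLE_TXNS = [
    ("tok-A1", "2023-05-04T09:00:00", "ATM-OSL-01", "NO", 200),
    ("tok-A1", "2023-05-04T09:40:00", "ATM-BUC-07", "RO", 500),  # 40 min later, different country
    ("tok-B2", "2023-05-04T10:00:00", "ATM-OSL-02", "NO", 100),
    ("tok-B2", "2023-05-04T10:03:00", "ATM-OSL-02", "NO", 100),
    ("tok-B2", "2023-05-04T10:05:00", "ATM-OSL-02", "NO", 100),
    ("tok-B2", "2023-05-04T10:08:00", "ATM-OSL-02", "NO", 100),  # 4th withdrawal in 10 min
    ("tok-C3", "2023-05-04T11:00:00", "ATM-MAD-03", "ES", 300),
]

# Geo-blocking policy (constructed): countries where each card may be used at an ATM.
ALLOWED_COUNTRIES = {"tok-A1": {"NO"}, "tok-B2": {"NO"}, "tok-C3": {"NO", "ES"}}

IMPOSSIBLE_TRAVEL_WINDOW = timedelta(hours=2)  # two countries within this gap is implausible
VELOCITY_WINDOW = timedelta(minutes=10)        # sliding window for withdrawal counting
VELOCITY_MAX = 3                               # max withdrawals per card inside the window


def evaluate(txns, allowed=ALLOWED_COUNTRIES):
    """Replay transactions in time order and return (rule, card_token, atm_id) alerts."""
    alerts = []
    history = defaultdict(list)  # card_token -> [(time, country), ...] seen so far
    for token, ts, atm, country, _amount in sorted(txns, key=lambda t: t[1]):
        t = datetime.fromisoformat(ts)
        prior = history[token]
        # Rule 1: geo-blocking - card used outside the countries its issuer permits.
        if country not in allowed.get(token, set()):
            alerts.append(("GEO_BLOCK", token, atm))
        # Rule 2: impossible travel - same card in two countries too close together in time,
        # the typical footprint of a counterfeit card cloned from skimmed data.
        if any(c != country and t - pt <= IMPOSSIBLE_TRAVEL_WINDOW for pt, c in prior):
            alerts.append(("IMPOSSIBLE_TRAVEL", token, atm))
        # Rule 3: velocity - too many withdrawals on one card within the window.
        recent = [pt for pt, _ in prior if t - pt <= VELOCITY_WINDOW]
        if len(recent) + 1 > VELOCITY_MAX:
            alerts.append(("VELOCITY", token, atm))
        prior.append((t, country))
    return alerts


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_TXNS):
        print(alert)
```

In production the decision would be taken at authorisation time, before cash is dispensed, rather than by replaying a log as done here.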

However, such steps will not solve direct software attacks against your ATMs.

To defend against software attacks such as skimming (or shimming, for that matter), operators of ATM services should introduce comprehensive, full-spectrum defences that prevent the manipulation of their ATMs’ PCs, operating systems, and dialogue with their host systems.

In an earlier article we set out how Tietoevry Banking’s ATM Service division has created a Multi-Vendor ATM Suite, or MV Suite for short, to defend ATM networks from criminal attack via software vectors.

Our previous article outlined protections such as BitLocker Drive Encryption, which prevents tampering with an ATM’s hard drive, and AppLocker, which prevents unknown apps from being run on your ATM.

When it comes to specific protections against skimming, our MV Suite supports software that enables anti-skimming hardware, including TMD Security’s software development kit for hardware sensors to detect changes in PIN-pads or card readers, and Diebold Nixdorf’s ASKIM II system to detect device disturbance and secure card readers.

Tietoevry’s MV Suite also protects your ATMs by remotely loading encryption keys that ensure your ATM is in dialogue with a valid host system, rather than a counterfeit set up by criminals.

No room for complacency

Despite declines in the use of cash and the number of ATMs in use across Europe, the figures from Europol and EAST show there is no room for complacency as losses increase and the cost of fraud per successful attack rises.

As a full member of EAST, Tietoevry Banking’s ATM Services division actively contributes to the fight against fraud of all kinds.

Our MV Security Suite provides best-in-class protection from all kinds of software attack on ATMs, including skimming.

With more than 25 years’ experience of protecting over 100 financial institutions across Europe, we are a market leader in the identification and prevention of fraud – and are ready to help operators all over Europe cut their fraud losses and, by extension, reduce the cost of providing cash services to their customers.

To discuss better protection for your ATM network, get in touch with Per Bjarne Valstad at Tietoevry Banking’s ATM Services division.


[1] Europol, December 2022, “Guidance and Recommendations regarding attacks on ATMs”

[2] EAST, November 2023, “European Payment Terminal Crime Report”


The post “Shimming” versus “Skimming”: ATM service operators must take action appeared first on Payments Cards & Mobile.