Skimprot: Threat detection – Georgi Kanev




Skimming costs financial institutions and consumers billions annually. It's a worldwide epidemic that has grown by 15% in the past five years. Skimprot's marketing director Georgi Kanev describes how such fraud is able to thrive on an international scale, and the solutions being developed to counteract this threat.


Skimming has reached epidemic proportions. Some estimates are as staggering as €5.5 billion a year. In 2012, losses totalled over €1 billion in the US alone. The sensitive nature of the topic means figures may be masking the true extent of the problem, with banks unwilling to concede that discrepancies exist in their systems, and most victims often ashamed of the ease with which they were duped.

No one is safe, and even the most attentive consumer can struggle to adequately protect themselves. In February this year, the CEO of PayPal, David Marcus, took to Twitter to vent his frustration at the lack of card security after his card was skimmed in the UK. It is indicative of the problem: victims don't realise they've been conned until it's too late.

Research suggests that 80-90% of all card fraud is conducted via skimming methods. Regulators know this and, in some regions, the presence of counteractive devices has increased by as much as 50%. It still leaves 59% of European transaction terminals without any protection, and such diligence has been ineffective in stemming the flow of criminal activity, with year-on-year figures still rising.

"Skimming is proving to be a lucrative market in Bulgaria and Romania; a UK police report stated that 90% of all groups complicit were from these two countries," says Georgi Kanev, marketing director at Skimprot. "The financial crisis has had implications that are still felt in these areas. As a result, criminal gangs are better organised and more able to recruit members."

Skimming is defined by the FBI as the copying of data from the magnetic strip of bank cards by means of an illegal scanner (skimmer). It is the theft of information used in what is perceived to be a legitimate transaction. Criminals are now able to produce sophisticated skimmers for as little as €150, many so small they are undetectable by the average consumer.

The most popular approach to using skimmers is to rest them inside the card reader and conduct the illicit activities with consumers oblivious to the fact their account has been compromised. Other tactics that have been adopted include the use of dummy keypads to record data typed in, and even the replacement of entire ATMs with counterfeit machines, all with the purpose of either stealing the information held on magnetic strips or customer PINs.

"Even protecting your PIN with your hand is not enough now; we've seen sequences recorded with dummy cameras, consumers interacting with fake devices, and, with the rise of contactless cards, we've seen examples of pay portals being simulated. No authorisation is needed with these new cards, so taking money and stealing data from passersby is now even simpler," says Kanev.

Troubled waters

Skimmed terminals take an average hit of €36,000 in Europe. But the problem extends far beyond the realm of ATMs. There have been numerous cases of retail employees who are able to skim their clients' cards by means of miniature handheld readers. Even viruses have been developed that infect ATMs and POS terminals, assembling details and funds virtually.

Though the UK is still afflicted with skimmers - £38 million in 2012 - it offers greater protection to consumers relative to its neighbours.

"The UK laws currently in place dictate that the banks are obligated to return any money lost through skimming. In other countries, consumers are only covered up to or after a certain value, if at all. In Bulgaria, for instance, you are insured on everything above €200, anything beneath is your responsibility, and banks will blame you for not defending your card or personal information," says Kanev.

"I am not sure skimming is a government issue though. Of course, they can adapt laws to include higher penalties, but I don't think this would change things much. The fault lies with the banks and the card-holders themselves. Banks need to spend more money on prevention methods, and on the education of their clients about the dangers posed to them. On the other side, the cardholders need to be more wary of suspicious devices."

Modern cards contain a chip and magnetic strip; 85% of skimming is achieved through exploitation of the latter. At present, there has been no instance where an EMV chip has been hacked. Though the chip is more secure, many regions, including the US, have yet to fully integrate the necessary hardware to read chips, and as long as magnetic strips are present on bank cards, the threat will remain.

Fully automatic

While software that automatically blocks cards deemed to have made unusual transactions is still the most popular defence against skimming adopted by banks, its limitations have been recognised, and new security features are gradually being released. A relatively new service notifies customers via SMS when money has been withdrawn. Though these strategies restrict the damage done by fraudsters, neither is able to prevent the problem from occurring in the first place.

Recognising this issue, the Skimprot team set about designing a solution that stops skimming before any money is withdrawn at all. Having spent time working in the department responsible for bank fraud in the Bulgarian Internal Affairs, Skimprot's members had a broad understanding of the mechanics behind skimming, and the most effective way to nullify its threat. After months of development and testing, it launched its credit card security application in January, which has the potential to drastically impede the efforts of skimmers.

Skimprot's recently launched high-technology sticker is applied to the strips to hide the information they store. It consists of four protective layers, and is programmed with a universal code so that when skimming devices come into contact with the sticker, personal details and account information are concealed, and, instead, the machines are instructed to use the chip, thwarting most fraudulent activity. It even protects against the recent malware viruses, such as the notorious Trojan.Skimer.18, which has infected many ATMs and gained sensitive card information.

"The solution benefits the bank and the consumer," says Kanev. "It reduces costs to the bank, can be used as a marketing tool and allows them to offer their customers added benefits. For the users it's simple - it's cheap, ergonomic and reassures them that the transactions they make are secure."

The sticker is made with a specialised adhesive that is easily applicable, does not modify the card and can be easily removed. In most countries, 80% of ATMs are able to recognise chip technology, so instances where the sticker needs to be withdrawn are minimal. It can already be used in three quarters of terminals in Africa.

Trading only started in January this year, yet already Skimprot is hoping to take advantage of its global patent and team up with banking institutions, retailers and other international partners to help its products reach a wider audience. It already has a presence in Bulgarian, Polish and UK markets, and is in negotiations with Turkey, Germany and Greece. Talks are also underway with non-European sectors such as the Middle East, where the product has been tested to great success.

It is virtually impossible for the public to recognise modern-day skimmers; the onus for detecting them remains with the banks, which are able to correlate information gathered from fraudulent claims to search for relationships and trace the source. Tracking devices may be out of the consumer's hands, but shielding themselves from fraudsters isn't. With the multibillion-euro skimming epidemic showing no signs of abating, Skimprot's revolutionary, sophisticated protective sticker could yet turn out to be the shield the industry is crying out for.

Skimprot’s marketing director Georgi Kanev.
SkimProt is a protective sticker designed for the widespread chip-enabled bank cards.