Please do not leave this page until complete. This can take a few moments.
While the rest of Maine celebrated a long weekend, Scott Chretien discovered thieves had installed a skimming device to read bank cards at the drive-through teller at the York County Federal Credit Union's Sanford headquarters.
“I was angry,” says Chretien, president and CEO of the credit union, when recalling the incident. “We try to use our members' money wisely as a cooperative.”
He later heard from the Maine State Police and the FBI that criminals who skimmed and cloned credit cards from all types of terminals were moving north from Massachusetts and New Hampshire. His credit union is just over the New Hampshire border. Kennebunk Savings Bank also was hit in recent months, along with several point-of-sale terminals in Gray and New Gloucester, including at gas stations. It is not clear whether the same criminals were involved in each incident.
Skimming typically is a Class D misuse of identification crime in Maine punishable by up to one year in county jail and a fine of up to $2,000. Additional fines and jail time could add up depending on how the stolen information is used.
The skimming devices, which typically fit over the original bank or credit union name and add only a fraction of an inch to the card slot, also include a camera that can videotape passwords as they are entered. Some skimmers have built-in sensors and software that can determine a password as it is typed.
“Change your password often, and cover the keyboard when you are typing in your password,” Chretien advises.
There's been a dramatic, and alarming, increase in skimming attacks on ATMs in the past year, in part due to an opportunity left by the time it's taking banks, merchants and gas stations to change from magnetic cards with stripes to those with EMV, or Europay, MasterCard and Visa, chips.
“The chip is very complicated in the United States,” says Rebekah Higgins, vice president of the Maine Credit Union in Westbrook. She says other countries' governments mandated and helped fund the chip conversion, whereas in the United States it is run by the credit card companies and must be implemented by banks and merchants. The key is that as of October 2015 there was a fraud-liability shift, meaning that merchants that did not have readers for the chip cards could be liable for any losses due to fraud rather than the card issuers.
“This is the last effort [by skimmers] before the stripes go out,” Higgins says.
Not everyone has made the move to chip cards, leaving opportunity for thieves to get personal data from magnetic stripes, she says. The same thing happened in Europe, she adds, before it completed its transition to chip cards.
“Not everyone understands the value of their personal information to everyone else,” she says. “People need to realize this information is valuable to anyone.”
FICO, a software company based in San Jose, Calif., that measures consumer credit risk, has been issuing a series of alerts about large and sudden spikes in ATM skimming attacks. On April 8, for example, FICO said its fraud-tracking service recorded a 546% increase in such attacks from 2014 to 2015. The company also said criminal activity was highest at non-bank ATMs, such as those in convenience stores, where 10 times as many machines were compromised in that one-year period.
One retailer that was vulnerable was 7-Eleven, and some providers of ATMs to those stores, like Trailhead Credit Union in Portland, Ore., stopped allowing its members to withdraw cash from 7-Eleven ATMs.
Though Chretien of York County FCU says he wishes he had known about the illegal activity in neighboring states so he could have been more proactive, the first discovery of skimming at the headquarters drive-through was by luck. A service person working on the terminal that Saturday discovered the skimming hardware before those who installed it retrieved and cloned it, so no customer card information was stolen. Chretien figures the skimmer was installed in the early morning hours that Saturday, May 28.
But that discovery led to a not-so-fortunate incident at a walk-up teller machine at a York County FCU in downtown Sanford that had been compromised earlier, on May 21, and discovered later, on July 10. The skimmer had been removed by the perpetrators, and customers were posting complaints about losses on Facebook. The credit union put a notice on its website and on social media, Chretien says, as well as issued a press release.
Chretien says all customers affected by the attack have been made whole, and anti-skimming hardware has been added to the credit union's terminals that will cause the ATM to stop if someone tries to unscrew a panel or insert something other than a credit card. He would not comment on how many customers were affected or the amount skimmed.
He adds that the perpetrators of the Memorial Day skimmer installation were identified through the credit union's security cameras, but he does not know if the Maine State Police or Secret Service has those involved in custody. He is not sure who installed the other skimmer or their status.
Chretien says State Police or the Secret Service have the device. “Once we identified the device and how it happened, we looked at how to mitigate future risk. We worked with our vendor to purchase anti-skimming hardware.” Such hardware comes with newer ATMs, but can be fitted onto older ones.
The credit union, established in 1954, has 21,000 members, 85 employees and five branches in Maine as well as $247 million in assets. Chretien says it is one of the three fastest-growing credit unions in the state, adding more than 1,000 members a year. It is the eighth-largest credit union by assets in the state.
Skimming not only costs banks and credit unions to make affected consumers whole and to beef up their security. It also requires hours of bank staff explaining to customers whether their account was breached, whether their money will be safe in the future and how to protect themselves in the future by changing passwords often and other means, Chretien says.
Chretien says he's surprised about how brazen some of the thieves are. “They wear a baseball cap, but they look right into the video,” he says. “And we can't necessarily prove fraud resulted from the situation. The people who do this do a very good job.”
He says federal examiners have been focusing more on cybersecurity over the past three to five years. It can cost $300,000 to $500,000 per year for a bank or credit union to mitigate risks, Chretien says. “That's a lot more than 10 years ago. But it's a cost of business.”
CORRECTION: Kennebunk Savings was mistakenly referred to as Kennebec Savings in an earlier version of this story. Kennebunk Savings was hit with skimming devices recently. We regret the error.