Forensic Accounting
Brand Protection
Computer Forensics
Corporate Investigation

Volume 9 - No. 1                    Download PDF

In this edition of
The Kessler Report:

Computer Forensics: Sherlock Holmes in the Information Age

What's Infecting
Your Computer?

Stop Harassing Email

The Trojan
Horse Defense

Automatic Thieving Machines: ATM Frauds Exposed

Q&A: Do It Yourself Investigation

Kessler's Corner:
The Growing Field of Computer Forensics

DOWNLOAD PDF

Automatic Thieving Machines:  ATM Frauds Exposed

It's a relatively mundane, everyday type of task… you go to the ATM, you slide in your card, you type in your PIN, you take your cash and you leave.  You've probably done it hundreds, maybe thousands of times, and chances are you don't often give security a second thought.  Sure, you keep your PIN a secret and you keep a close watch behind you in bad neighborhoods, but most people don't expect to get robbed at their local bank or corner deli during business hours.  And that's exactly what the criminals want.  Because even though you might be looking over your shoulder for hoodlums, today's technologically-advanced rip-offs often occur right in front of the victim's nose.

As surveillance and other safety features have been integrated over the years into ATMs, old tricks of the trade have lessened in popularity with crooks.  These days, instead of sticking a gun in someone's back or smashing open the machine, thieves often rely on technology to reap ill-gotten gains.  Increasingly sophisticated scams can range from simple card skimmers to complex data wiretaps, and victims usually don't know they've been cheated until they try to withdraw funds from an empty account.  Even more alarming, the victim usually plays a major part in the outlaw's success, unwittingly giving their PIN away to a total stranger!  In fact, most scams rely almost solely on the gullibility and the trusting nature of people who don't know how to spot an impending case of identity fraud.

Types of Scams
One of the most effective scams is known as skimming, using electronic devices to read and store information located on your bank card's magnetic stripe.  Skimming itself is not particularly new... villainous restaurant employees have been using it for years, swiping credit card information when customers pay for their meals.  However, it was not until just recently that readers were developed by criminals specifically for perpetrating ATM fraud.

Usually, the scam consists of two physical pieces of equipment that are attached to the ATM.  First, a skimmer that is designed to look like the card slot of that particular machine is attached, typically secured with double-sided tape.  This device often looks very authentic, and only the very vigilant notice the difference.  Sometimes this skimmer allows the ATM to function normally and sometimes it is just a false front, but either way it reads the info on the card.  In one creative (and successful) scam, a skimmer was disguised and labeled as a "card cleaner," which people actually used to clean the magnetic stripe on their cards! 

The second piece of equipment is a small camera, usually embedded in a long strip or other seemingly innocuous item (such as a brochure holder) that is attached to the top or side of the ATM.  This camera records the PINs that are input by bank customers.  While this method is most common, some sophisticated skimming devices are able to record PINs, and some crooks place a transparent plastic overlay on the keypad, which customers think is to keep the keypad clean, when in reality microchips in the device record every keystroke.  The thieves then take all this information and produce phony bank cards with equipment that often costs less than $200.  At that point, it's only a matter of visiting any ATM to withdraw as much money as they can.

Another relatively new scam involves a simple, often crude device commonly known as the "Lebanese Loop."  The apparatus used is basically a thin piece of magnetic tape (such as videotape) or other piece of plastic that, when inserted into an ATM card slot (excluding those that use the "dip" method), will prevent the machine from reading cards, trapping them inside the slot.  In most cases, when someone loses their card inside the slot, a "helpful" stranger advises them to input their PIN a couple times and press the cancel button, claiming it will release the card.  When this doesn't work, the frustrated customer leaves, assuming the machine has simply devoured the card.  Of course, all the crook has to do now is remove the tiny contraption, retrieve the card, and use the PIN that was acquired by looking over the victim's shoulder (an oft-used method called "shoulder surfing") to withdraw cash from any ATM location they wish.

Another type of ruse is perpetrated by particularly ambitious thieves who make an investment in their pilfering, purchasing their own ATM and rigging it to collect customer information.  ATMs are widely available for purchase by individuals and businesses, often for less than a couple thousand dollars.  These machines are generally placed in small stores and other convenient locales, much like legitimate ATMs.  In fact, some fraudsters will even post "out of order" signs on the real machines that point customers directly toward the phony one!  For successful crooks, the new machine is easily paid off after a few withdrawals, and once they've pocketed enough cash, it's off to the next location.

Rounding out the modern scams is something that's more or less high-tech robbery, something that most people could only imagine happening in a movie.  Sophisticated wiretaps or "listening devices" can be used, primarily on stand-alone ATMs (like those at a mall or convenience store), to intercept and sometimes even change information that is shared between the machine and the computer system it connects to, wherever that may be.  With a few special skills and a laptop computer, countless account numbers and PINs can be recorded and copied to fraudulent cards.

Of course, there are plenty of lower-tech cons that target the naïve bank customer.  One of the more popular schemes is for the shyster to call an ATM user whose card he has found or stolen, posing as a bank employee, police officer or other authority.  The PIN is obtained by telling the user that it is required by law to give their PIN to recover the lost card, or that they must verify their old PIN to obtain a new one.  Either way, many people readily give up their number in order to comply with the supposed law, and soon find their bank account is a lot lighter.

How to Fend Off ATM Fraud
If there is one silver lining to this dark cloud, it's that ATM frauds usually to not result in great permanent loss for the bank customer.  Banks are all FDIC insured, and under the Federal Electronic Fund Transfer Act, customer liability is minimal, as long as the loss is reported as soon as possible.  Some states, for instance, have followed the lead of credit card giants Visa and MasterCard, and capped consumer liability for ATM and debit card transactions at $50.  However, if the loss is reported quickly enough, most customers who are ripped off will not lose any of their money, just a portion of their time and sanity.

Still, there is no reason for anyone to simply dismiss safety and privacy when it comes to ATM use.  This type of fraud cost American banks an estimated $51 million in 2002, and both financial institutions and ATM manufacturers are taking notice.  Increasingly sophisticated alarm systems, tamper-proofing methods, and other types of protection are being developed, such as software that can track ATM users' spending habits, flagging unusual transactions and even geographical anomalies, just in case someone halfway across the globe decides to use your card the same day as you.  Some legislators want to take it a step further, and create laws that would make background checks and licensing requirements mandatory for those who wish to purchase and operate an ATM.  Clearly, the industry is hoping to curtail the progress of thieves as much as possible.

However, the losses eventually become more than just the corporations' problem, as user fees continue to pile up to compensate for the damages.  Thankfully, even the simplest measures can keep you from becoming a victim of yet another ATM flimflam:

•  Never, under any circumstances, give your PIN to anyone, write it on your card, or leave it in your wallet or purse.

•  Make sure nobody can see you punch in your PIN.  Stand close to the machine and use your hand to shield the keypad.

•  Key in your PIN only when prompted by the ATM screen.

•  Try to avoid stand-alone ATMs if possible.  These are usually privately-owned and more susceptible to fraud.  Use a bank ATM instead.

•  Avoid ATMs in poorly-lit or generally unsafe areas, and leave immediately if you feel suspicious of people nearby.

•  Never accept help from strangers when using an ATM, and always be wary of people asking for help.

•  Never use an ATM with a blank screen.

•  Inspect the machine for any signs of tampering, such as false card slots or Lebanese Loop devices.

•  Never count your cash at the ATM.  Put it away and count it in a safe location.

•  Cancel your card immediately if it is lost, stolen, or retained by an ATM, and report the incident to your bank or police.

•  Lower your withdrawal limits to an amount that suits you, but will not allow potential crooks to empty your account.

•  And finally… don't forget your card!

While guidelines such as these seem like common sense, a majority of people tend to be relatively careless in their ATM use, and that's exactly what the criminals are banking on.  By keeping these tips in mind, you'll be able to stay a step ahead of the scoundrels who aim to cheat the system, and you can rest easy knowing that your identity is safe.

BACK TO THE NEWSLETTER ARCHIVE       BACK TO THE KESSLER HOME PAGE

Copyright © Michael G. Kessler & Associates, Ltd. 2004. All rights reserved.