As financial transactions become more technology and Internet oriented, so have the methods that criminals use to circumvent security measures in place at ATMs. Around the country, and most recently in the Boston area, the latest scam to beset banking consumers has come in the form of a scanning device attached to ATMs that captures customers’ personal identification numbers and refuses their requested cash amounts.
In a recent incident in Boston, police say a scanning device was attached to an ATM in an effort to steal customers’ bankcard numbers and develop fraudulent, duplicate cards. A sign advising customers to use the device instead of the normal card entry mechanism was placed on the ATM by the alleged perpetrators, who were arrested.
ATM fraud has been around since the first automated teller machine was installed in 1969 and, while it is not considered one of the major areas in which fraud occurs, scams involving ATMs may have devastating effects on the victims, according to industry experts.
The most important fact to remember, say industry officials, is that criminals can only access a bank account by means of an ATM if they are in possession of a consumer’s ATM bankcard or their secret personal identification number.
With the advent of a wave of more sophisticated crime, members of the banking community and local law enforcement officials are releasing another series of education alerts geared toward bank customers and bank managers offering ways to educate the public on fraud.
Security experts say one difficulty in combating such fraud is the simple design – which has changed little over the years to ensure worldwide networks remain compatible – incorporated into bankcards everywhere. Consumers must therefore remain vigilant, they say, because technology cannot offer failsafe protections.
“The issue is that cash cards are fairly inexpensive and the standard for the cards have been here quite a while,” said Jerry Brady, chief technology officer Guardant, an information security services company based in Waltham. “It’s an old mechanism and one of shared secrets. The model is, loosely, something you have and something you know, but in both cases it is easily recorded.”
However, Brady said it is not so much a bank problem as it is a consumer problem.
“Users need to show a little more common sense and notify their bank if there is something suspicious,” said Brady. “When you’re in a rush and you want cash, people don’t understand security relevance.”
Brady said consumers often rely on their banks to bear the brunt of a scam, and while bank policy usually does suggest repayment of stolen cash to accounts, Brady said he believes consumers are the ones who suffer the consequences of increased costs in the end. To curb fraud, banks must rely on users to be involved and relay information to security officers.
“The most important thing right now is continual consumer education and encouraging consumers to be diligent,” said Melodie Jackson, senior vice president and director of public affairs for Citizens Bank of Massachusetts. “Don’t keep PINs with cards, make sure checking statements are accurate and now, with this latest issue, we are telling customers be diligent on their surroundings and the systems they are using.”
Citizens Bank, along with many other banks in the state, currently offer educational tips for consumers to avoid fraud, and the bank takes safety precautions by setting expiration dates on ATM cards and placing daily limits on amounts of cash that consumers can withdraw.
The banking industry needs to work together in an effort to educate and help consumers be more diligent with their banking practices, according to Jackson.
Industry officials acknowledge that many devices similar to the one used recently in Boston, often referred to as “skimmers,” are available on the Internet, but officials say that software engineers and programming experts currently use a majority of the devices for legitimate reasons.
“This is legitimate equipment that can be used for legitimate purposes,” said Daniel J. Forte, president and chief executive officer of the Massachusetts Bankers Association. “The equipment can come from anywhere – it doesn’t have to come from the Internet. This scheme is to fraud consumers and the way to nip this … is to educate people.”
Behavior Patterns
According to Forte, the most recent wave of scams is an attack on consumer behavior and criminals have designed scams “that feed off innocent human behavior.”
Local investigators say the alleged ATM scam is just the latest in a long list of ways devised by scam artists to steal bank and credit card information.
Reports from Arizona, Florida, California and New York have also described ATM fraud similar to the recent Boston case, and after investigating sites on the Internet, Banker & Tradesman found ATM fraud is an increasing trend and accessibility to those devices via the Internet is as simple as a click of a mouse for any thief.
In one Internet search, Banker & Tradesman found available for sale numerous ATM devices used to skim cards and secure card numbers and identification numbers. Ranging in price from $30 to $1,350, the devices are legal and most often used appropriately by members of the banking community. However, the distributors selling their products on the Internet will sell to anyone.
A series of links from one Internet scanning device seller’s Web site leads to another site that gives would-be scam artists step-by-step instructions on how to implement a scam. The site gives instructions on reprogramming an ATM with custom software that removes more money than is printed out on the receipt. If a customer requests to withdraw $20, they get the $20 and the screen on the ATM convinces them that everything is as it should be.
In reality, the ATM would transmit a $40 withdrawal to their bank and keep half of it. There would be two processes going on: the real ATM transaction between the bank and the ATM and what the customer sees displayed on the ATM’s screen. The offenders would launder the money through a series of accounts to mask its final destination from investigators.
But industry officials point out that such scams have been around since the birth of the ATM, and while technology is more advanced and consumers can rely on their statements and bank information, an educated consumer – one who may be more likely to spot unusual devices on ATMs – is a better line of defense than more sophisticated ATMs.
According to Brady, a more sophisticated and difficult-to-use ATM is likely to be less attractive to many customers, so ATM machines have remained in form much like the original models. Furthermore, the process of building a mechanism to outsmart scam artists would be a costly one.
Should ATM machines be refigured in an effort to enhance their technology, systems all over the world would have to incorporate the updated changes, Brady said, and the cost of reconstruction likely would be significant to banks and consumers, adding greatly to ATM fees.
“Going to a bank and retrofitting the machines requires an awful lot of hardware and it’s expensive,” said Brady. “The costs are one thing, but this is a [complex] system that requires everyone in the system to make the same changes. It’s very difficult to do that, and someone has to accept the cost.”
In the latest case of ATM fraud, industry groups such as the MBA and local law enforcement officials stressed that consumer awareness is the best possible defense and asked that ATM users be part of the bank security system and look for odd warning signs.
In the Oct. 18 incident, investigators said the suspects secretly attached a “skimmer” onto several ATMs in the Boston area and used the device to read the magnetized strips on users’ bankcards. The device, which is the size of a legal pad made to look like an interactive screen of an ATM, could store up to 5,000 card and personal identification numbers.
After a bank customer pulled the skimmer off the bank machine because the machine was not disbursing his cash, police investigated and charged two Columbian nationals with the crime.
The MBA, local and community banks and security officers have reissued tips to consumers in press releases and in bank lobbies, intended to assist an ATM customer in avoiding becoming a victim of ATM fraud.
“This is not fraud of bank, this is stealing from the consumers,” said Forte.
The best response, said Forte, is to increase consumer education. Through press releases, education campaigns within banks, incorporating information about scams as part of a banker’s training program and continuing to work with law enforcement, Forte said, “these types of crimes can be solved, but should always be taken seriously.”