7
[BEATING THE MACHINE]
A few years ago, the head of security at Bank of America called me at home at night. I could immediately tell from his tone of voice that he was a little flustered. “Say, we’ve got a really serious problem, and we need your advice,” he said. “We’re losing something like $40,000 a day out of our ATM machines. It’s got to be a ring, but we can’t figure out how they’re doing it.”
I asked him if the cash-dispensing machines being targeted were high-profile ones, those found in heavily-trafficked, very visible locations. He said they were. I told him he had shoulder surfers. Go out to some of the machines, I advised him, and look for a van parked within a block of any of them. The culprits were caught the next day.
“Shoulder surfers” is the name that’s been bestowed on criminals who lurk behind you, trying to peek over your shoulder at what you punch into the automated teller machine (ATM) keyboard. However, it’s become something of a misnomer because savvy criminals don’t stay that close anymore. That’s too obvious and too dangerous. They’ve become long-distance surfers who camp out fifty or more yards away, and pick off personal identification numbers (PIN) numbers with a high-powered camera or binoculars. This was a team who would set up in their van across the street from an ATM and then train a video camera on the machine.
In this caper, one of the conspirators would first go and take twenty dollars from the machine under surveillance. He’d examine the receipt, which would show the time of the transaction. Then the video camera in the van would be synchronized to that time. As customers used the machine, the camera would be locked on the keypad and would record their finger movements. The thieves weren’t interested in seeing you, no matter how good-looking you were. They were interested in your fingers. By taping them, they could tell what your PIN was.
After they retrieved their cash, nine out of ten of the people using the machine did the typical thing: they took a quick look at their receipt and tossed it into the wastebasket. At machines where the bank hadn’t provided a wastebasket, the crooks were courteous enough to furnish one of their own. At the end of the day, one of the thieves hustled over to the machine with a garbage bag, emptied the receipts into the bag and took them with him.
When they got back to their house, they dumped the receipts on a table and began to sort them by the time stamped on them. They then stuck the videotape into their VCR, played the tape of all those fingers, and matched the receipts to the fingers. In that way, they attached the account numbers printed on the receipts to their respective PIN numbers. The beauty of the receipts was that they allowed the thieves to see the balances in the accounts. Oh, this guy’s got fourteen dollars left. They’d throw it away. This guy’s got five hundred dollars. That’s a keeper.
Once they had the account numbers and PINs they wanted, they went to an office supply store and bought some blank credit cards. With a hand embosser, also easily acquired, they encoded the cards with the account numbers, took them to ATM machines, and began withdrawing money.
This was one case at one bank, but it goes on all the time.
There’s no denying that the swift growth in ATMs has revolutionized consumer banking. But ever since their introduction in 1973, ATMs have been viewed as attractive targets by criminals, luring everyone from brazen armed robbers to crafty scam artists. Despite all this, I think that ATMs are pretty safe, a lot safer than your checkbook. Generally, you can’t withdraw more than two hundred dollars in a single day from any one account, which is an effective safeguard. In addition, an account holder is only liable for up to fifty dollars if an account and PIN are compromised, and banks typically waive that. ATMs, therefore, are not the problem that fraudulent checks and embezzlement are. Still, the ATM machine is how we get our money every day, and wherever there’s money, criminals lurk.
There have actually been some astounding sums withdrawn with a single card in just a few days of frenzied activity. A woman in Gresham, Oregon, was at a high school football game on a Friday night. She had left her bank card in her purse in her van out in the parking lot. Two men and a woman who were working together broke in and stole it. Leaving it there was mistake No. 1. Mistake No. 2 was that she had scribbled down her PIN number on her Social Security card, which was also in her purse. The thieves, I’m sure, were quite thankful that she was so obliging. They wasted no time in satisfying their needs.
Within minutes, they were at a bank machine a few blocks from the football field. Before the next series of downs was completed, they had made their first withdrawal. They kept on going, traveling at a hundred miles through five counties, stopping pretty much every time they spied an ATM. Even though the standard limit on a withdrawal in a given day on one card is generally a few hundred dollars, there had been a computer program change at the credit union where the victim banked, and there was no limit at all on that particular weekend. In a 54 hour time frame, the thieves made 724 withdrawals from 48 bank machines. They collected $346,770. Talk about being lucky. Before they were caught, largely because of hidden cameras at five of the machines, they even managed to find the time to buy a new pickup truck. So you can see why it’s vital for banks to keep a lid on how much cash can be withdrawn.
THINKING OF GLUE
In terms of ingenuity, one of my favorite ATM scams took place at the Miami Airport. Like a lot of cash machines, the ATMs there used to have little revolving doors on them. Once you punched in your transaction, the door opened and you stuck your hand into this little well and collected your cash. The well had a small light inside it that told the machine that a hand was reaching in there, so don’t close on it. This criminal went and used one of those superglues to glue the door shut. When a customer tried the machine, the door didn’t budge. Assuming the machine was malfunctioning, the customer would press “cancel” and nonchalantly move on to the next machine.
Just because the door didn’t open, however, didn’t mean money wasn’t being dispensed. The cash would get spit out of the bowels of the machine, bounce against the rigid door, and just sit there in the well. Another customer would come; more money would pile up on top of that money, and more and more. After about ten people had used the machine, the guy would come up to it, put his card in, and hit the door with his fist. The door would pop open and reward him with a fat stack of twenties.
So you’ve got all this technology and all these safeguards built into the machine, and yet no one thought of the possibility of a criminal gluing the door shut. These days, new machines are no longer manufactured with doors. They simply have slots that shoot out the money. But there are still plenty of older generation ATMs with doors on them. If a door doesn’t open, don’t shrug it off. Notify security.
Sometimes you’ll put your card into the ATM slot and, tug as you might, it gets jammed and you can’t get it out. So you leave it there, intending to contact the bank when you get to a phone or the next morning if it’s after banking hours. While it might be a broken machine, I wouldn’t bet on it. The odds are it’s a card-withholding scam.
Here’s what happens. A thief puts an adhesive of some sort inside the card slot. He steps aside and waits until someone comes and tries to use it. When someone does, the card gets glued to the slot. Then the crook slips into line behind that person and watches him enter his PIN. Sometimes, just to be on the safe side, the thief will position a sign on the ATM machine that says, “If your card gets stuck, enter your PIN three separate times to retrieve it.” If the thief can’t pick up your PIN number after three tries, he needs to find another line of work.
After you leave, frustrated by the experience, the thief moves in and removes the card with a pair of pliers. He then proceeds to use your card at other ATMs.
In Massachusetts, two men worked a card-withholding scam in ten towns in the Boston area, preying on young women. When a woman’s card got stuck, they would come up and sympathize, meanwhile memorizing her PIN as they tried to help her remove the card. Once she left, the thieves would extract the card using a fingernail file. If they weren’t able to get the PIN, one of the men would later call the customer and pretend to be a bank official or ATM security officer and get the number that way. The men stole more than ten thousand dollars from twelve different women before they were caught.
WHAT TO DO
The tip to remember here is, before you insert your card into a slot, take the time to inspect the card slot for any residue. If you notice any, don’t use it. And if you see a notice on a machine advising you to enter your PIN multiple times, don’t even think of using that machine. Believe me, the bank didn’t put that sign there.
Police in New York arrested a man who had been stealing PINs at ATM machines in Manhattan and then tricking his victims, usually senior citizens, into reinserting their card under the guise of “clearing the machine.” Once the customer did so and left, the thief would linger, punch in the stolen PIN and make additional withdrawals. There’s no need to “clear a machine.” Once your transaction is done, there’s never any reason to insert your card again, no matter who tells you to.
Common sense is always the best defense against any form of crime, but it astounds me how often people neglect to use any sense at all. Consider this con that succeeded in netting its perpetrator a nifty one hundred fifty thousand dollars. The man positioned himself outside the locked door of an ATM enclosure, and posed as a bank security officer. When customers approached the enclosure to use one of the ATMs, he would introduce himself and tell them he needed their assistance in catching a dishonest bank employee who had been driving management crazy. Could they please leave their bank cards under the locked door? He’d personally assure them he would get their cards back to them by the next day.
For those who complied, the con man would then fish the cards out from under the door. The next day, an accomplice would call the cardholder and report that the employee had been apprehended. He wanted to thank him for his help. Then he would point out that since the dishonest employee had come into contact with the card, the bank would have to give the customer a new PIN. Could he please have the old PIN to verify that he was speaking to the actual cardholder?
Incredibly enough, more than three hundred ATM users fell for this ruse. As enthralling as it sounds, I can assure you that a bank is never going to use a customer to assist it in nabbing a crooked employee. It will use a security guard or enlist a police undercover detective. Real life is nothing like the movies.
AND WITH SOME HEAVY EQUIPMENT . . .
Some criminals will physically assault an ATM. A thief in Norfolk, Virginia, broke through the ceiling of an ATM enclosure and used a crowbar and a blowtorch to try to get into the machine and collect the cash inside it. The machine put up a good fight, but it really took a pounding. There were scorch marks on the ATM from the blowtorch. There were scars from the crowbar. The handle of the door was broken off. The combination lock was destroyed.
A crook armed with the proper tools can break into many ATM machines within fifteen minutes. ATMs are actually rated on how resistant they are to physical assault. A certain model may have a TL-15 or a TL-30 rating, the number indicating the time it would take for a skilled thief to break into it with the right tools, and given a suitable environment. But a thief rarely has that much time, because ATMs are outfitted with detectors sensitive to things like vibration and heat. These detectors are usually silent, so the criminal doesn’t know the police are on the way.
There was a mechanical engineer, however, who was very successful at breaking into ATMs. At one time, he used a burning bar on ATM vaults. Later, he used an industrial magnetic drill. Then he manipulated the locks and combinations on the ATM chests. He was ultimately caught, but not before he did a lot of damage and collected a good deal of money.
I always tell banks, keep the ATM area well lit and free from obstruction. Don’t create hiding places with bushes or ornamentation near the machine. Put video cameras in the ATM enclosure to record criminals on tape. There are various types of alarms and time locks and relocking devices. If time locks are used, you can bet that no criminal is going to wait around for the time to elapse.
Generally speaking, it’s not that easy to find an environment where a crook can spend even as little as fifteen minutes with a blowtorch opening up a machine without attracting attention. That’s why crooks who are after the cash inside a machine—a convenience store machine may have as much as ten thousand dollars in it and one at a bank could contain something like seventy-five thousand dollars—will more likely just cart the whole machine off with them. A few years back, two criminals walked into a convenience store and identified themselves to the seventeen-year-old clerk as representatives from the bank. They said the ATM needed to be repaired, and they put it on a dolly and made off with it.
For the most part, though, relatively few thieves bother risking pulled muscles when they can make so much more money by ripping off card numbers.
THERE’S NOTHING LIKE OWNING YOUR OWN
Criminals are pretty nervy, and I’ve learned to never be surprised by what someone will try to get away with. And, given the right circumstances, you can get away with almost anything—up to a point.
The nerviest form of ATM fraud is when the thieves actually set up their very own bank machine. Here’s a case that I still shake my head over. One weekend a few years ago, two men dressed as bank employees arrived and set up a perfectly ordinary-looking ATM in a popular shopping mall in Manchester, Connecticut. Mall officials had swallowed their con that they were from a New Jersey outfit called Electronic Cash Machines. I’m not sure they did any background check on them whatsoever.
In any event, the machine didn’t dispense money. It wasn’t even connected to a phone line that would have enabled it to be linked to a bank network. It was simply plugged into an electrical outlet. What the bogus machine did do was record the card numbers and personal identification numbers of customers who inserted their cards in futile attempts to get some cash. That was all the thieves needed. They then manufactured counterfeit cards with the customers’ numbers, went to working machines in New York, and gradually drained their accounts.
Even though the phony machine was real in appearance, it did take a certain leap of faith for customers to actually try to use it. Or perhaps I should say, it took downright gullibility. After all, the machine wasn’t tucked into a wall the way real ATMs are. Instead, it just sat there on wheels, outside one of the mall’s busier department stores, looking like it was still waiting to be installed. There was no bank name inscribed on it, just a few stickers affixed to it advertising various ATM networks.
And the machine never spit out any money, even though one of the thieves, posing as a repairman, spent an awful lot of time crouching next to it, doing his best to look like he was industriously working on its mysterious problems. Again and again, he would pronounce it fixed, and yet it never was. But he was a nice-looking young man, and he sounded persuasive. “I think it’s fixed now, c’mon and try it,” he would invite people. “I think it was a problem with the dedicated phone line.”
Incredibly enough, more than a hundred and twenty customers went ahead and gave the machine a try, much to their subsequent regret. There was a man who sold Nordic Trak equipment who worked nearby. He’d notice customer after customer using it, never once getting any money. He’d see that same persistent repairman constantly at work on it, never seeming to make any headway. So what did he do? He went ahead and swiped his own card in the machine. A few days later, two hundred dollars was missing from his account.
The machine remained in the mall, standing on its wheels, for a full two weeks, collecting more and more card numbers and PINs. By the time the authorities finally caught on to what was transpiring, after customers complained about missing funds, the crooks had gotten away, and so did the machine. Apparently deciding enough was enough, the two men came in one day and loaded it onto a white truck. They informed the mall that it had to be taken in for repairs.
It was unclear how the thieves got their hands on the bank machine. It was speculated that they bought it on the used ATM market. Or they might have stolen it. Not that long before, there had been a wave of thefts in New England, during which a band of robbers wrested bank machines off of their foundations and took them away in trucks. In actuality, though, there are companies that make portable ATMs and will gladly sell them to anyone who wants one. You’d be amazed at the things that the general public can buy. There’s only one state in the country, Oklahoma, that doesn’t allow just anybody to buy a pay phone.
The Connecticut thieves managed to realize more than one hundred thousand dollars from their audacious crime. What tripped them up was they made the mistake of using their counterfeit cards for withdrawals in Manhattan bank machines. New York has a law requiring cameras on every teller machine. By inspecting photographs and withdrawal records, the police apprehended the two men about a month later. One of the thieves was a computer specialist. The other had a background in finance. When they were arrested, the authorities discovered that they had five ATMs, including the one used in the Connecticut caper.
There have been other extravagant variations of the open-your-own-ATM scheme. In a number of instances, a criminal has ventured into hotels, asked to see the manager, and introduced himself as a representative of a business that installs ATMs in commercial locations. He outlined a deal where he would put a portable machine in the hotel’s lobby. Every time a guest used it, his company would collect a service fee of one dollar fifty cents. He’d give one dollar of that to the hotel. It’s a deal that sounded great. The hotel would have a new convenience to offer its guests, and not only would it cost the hotel nothing, but also the hotel would make money off of it. So the manager said, go ahead, put it in.
The criminal rolled it in, and unlike with the mall caper, he loaded it with $1,500 so it functioned like a legitimate machine and actually dispensed cash. He didn’t mind this little investment, considering the returns he anticipated. His machine wasn’t connected to a bank phone line, either. It was simply registering card numbers and PIN numbers to allow counterfeit cards to be generated.
So don’t be fooled into thinking a machine must be real if it dispenses money. Criminals aren’t that cheap. They’re perfectly willing to invest some cash if the returns are much greater, as they inevitably are in scams like these. I’m always mistrustful of portable ATMs, and use them only if I have no alternative. When I go to a stand-alone machine, though, I always take a look behind it to see if it’s connected to a phone line. If it isn’t, it’s a fake.
JUST SKIMMING ALONG
The latest approach to ATM theft is skimming. Skimmers similar in function to the ones I spoke about for credit card fraud are specially manufactured for ATMs. Criminals fit them over the card slot on a standard ATM, and they have a magnet in the back that holds them in place. The skimmer is motorized, so that when you put your card in, the motor nudges the card along so it actually penetrates the real hole as well. That allows the machine to function normally. But while the card passes through the skimmer, your card information is stored on its chip. At the end of a day, the criminal retrieves his skimmer, as well as dozens of account numbers and PINs.
Anytime you notice something protruding from an ATM, be suspicious. The card slot should be flush. Someone I know once encountered a skimmer, yanked it off the machine, and went in and handed it to a bank officer. “You might be interested in this,” he told him. “I found it on your machine.”
WHAT TO DO
It’s the simple things that can prevent you from becoming a victim of ATM fraud, and so let me review the key safeguards to keep in mind. Never give out your PIN to anyone, especially someone who maintains that he’s a bank officer or a security guard. All a crook needs is your card and your PIN, and he can go to town. If others are waiting in line behind you to use the ATM, don’t be lackadaisical, and block the keyboard when you enter your PIN. Some banks have redesigned the ATM keyboard or enclosures to make it particularly difficult for an observer to watch the cardholder punch in his PIN, but even then you need to be watchful.
Never write your PIN on your card or on a piece of paper that you keep in your wallet or purse. I know some people who put it on a little sticker and attach it right to their ATM card. That’s credit suicide. If your ATM card is lost or stolen, immediately report it to your bank so that card can be disabled. Crooks move fast, and you need to move faster.
Don’t consider using an ATM unless you’ve checked out the area carefully. If people seem to be loitering by the machine, don’t assume they’re there for innocent purposes. And check across the street for people with cameras or binoculars, those long-distance surfers I mentioned. If something about an environment makes you uneasy, err on the side of caution and come back later or use another machine.
If you feel threatened while processing a transaction, press the “cancel” button and leave the area. If you sense someone is following you, drive to the police station or nearest business with a lot of people around. Once you’re done getting your money, don’t just stand there at the machine and count your cash, advertising your withdrawal. Put it away, leave the area, and count it once you’re in your car or back in the office.
The receipt that gets spit out of an ATM machine is a nice convenience for the customer. It’s also a great convenience for the criminal. It has part of your account number on it and how much money is left in your account. In some cases, it even has your PIN. Until a few years ago, federal law mandated that ATM receipts had to carry your full account number on them. That made it too easy for crooks. I was among those who testified in behalf of a change in the law, known as Regulation E. It was finally changed, and now receipts only have to carry half of an account number.
Even so, don’t throw away your receipts at the ATM machine in those receptacles banks (or crooks) put there. Criminals retrieve them and use even fragments of information to carry out shoulder surfing scams. Rip the receipts up before you throw them away, or take them with you. If you’re going to leave them behind, you might as well leave your bank card, too. When I use an ATM, I always choose the option, “No receipt.”
All ATM cards have a daily limit that prevents the cardholder or any other user of the card from withdrawing more than a certain amount of money in any one day. Cardholders, however, are seldom aware that certain banks allow a cardholder to go into the bank and withdraw larger amounts on the card using only the PIN and card. No further identification or signature is required at these banks. This allows a thief who has a person’s card and PIN to withdraw the maximum allowable at the ATM and then, after checking the account holder’s balance, to go into the bank and withdraw additional amounts at the teller. If my bank did that, I’d have them put the same limit on a teller withdrawal, unless further identification is furnished.
And here’s some advice about PIN numbers: be a little bit more inventive in your choice of number. Surveys of our habits are interesting fodder, but—guess what—criminals read surveys, too. They know that 70 percent of people use their birthday or their street address as their PIN. If a thief gets hold of your purse or wallet, he’s got your street address. If it’s a four-digit address, that’s probably your PIN. Any number of cards in your wallet will have your birthday. Another common choice is the first four digits or the last four digits of your Social Security number. Thieves love that, too. Use an easy-to-remember number that’s not tied to you, a number that isn’t going to be found on any piece of personal identification. I have three sons, and so I use their birthdays for my PIN numbers. I never forget my kids’ birthdays, and yet no one can find those dates on anything in my wallet.
LEAVE MY EYES OUT OF IT
Because PIN numbers are the weak link in the system, there’s been a lot of discussion about doing away with them. The hot new technology for ATMs is biometrics, which is the statistical measurement of biological phenomena. An array of devices have been invented that will identify people through physical characteristics, whether by hands, faces, voices, eyes, or even smells. One of the most promising is a machine that identifies you by your eye. When you insert your bank card, a pea-sized camera locates your face, homes in on the eye, and snaps a digital image of your iris. It can do this from as far away as three feet. The computerized “iris code” then gets compared with one that the customer furnished to the bank. If the two codes don’t match, the ATM won’t work. The entire process takes not even two seconds.
The key to mass deployment of these systems is that they work no matter what contingencies arise. For instance, face recognition systems get foiled when a man grows a beard or a woman dyes her hair. If someone puts on a significant amount of weight and his face gets pudgier, that alone will throw off the machine. But the iris systems work, even if a customer wears glasses or contact lenses. They work at night and in dim lighting. Face recognition systems are thwarted by twins, not that theft by one twin against another is one of the world’s major crime problems, but even twins have unique irises.
Fingerprints can change from injury or deliberate alteration. But not irises. From the time someone is about eighteen months old until a few minutes after they die, their iris is unchanging. For the purposes of an ATM machine, that’s plenty of time. And you can’t fool the machine by holding aloft a picture of the cardholder. The first thing the camera checks is whether the eye is pulsating, and thus alive. If the camera fails to detect blood flowing through the eye, then it concludes that it is looking at a picture or at someone who’s dead.
It’s fascinating technology, but I’m personally against these devices. I just think the whole idea is ridiculous. We’ve given up enough privacy in this modern age, so why should we be asked to give up anymore? The bank has enough information on its customers. Now it’s saying that it wants them to give up their irises? For what? Something they’re not even liable for. The most that crooks can normally take from one account is a couple of hundred dollars, and it’s the bank’s problem if it happens. So my feeling is, why insult your customer?