ATM Fraud Increases Identity Theft Risk

Robert Siciliano Identity Theft Expert

A spate of recent news reports highlight growing ATM fraud. Law enforcement in New York City reported a gang had stolen $500,000 from bank accounts via ATM skimming. They installed cameras and skimming devices on the machines, and recorded the magnetic strips and the PIN numbers.

A recent survey points towards ATM fraud rising 5-9 percent. Seventy percent of those poled experienced a jump between 2007 and 2008. Many of the large data breaches that have occurred over the past few years may have contributed to the fraud.

It’s simple enough to hack into a database and compromise cards and pins. It’s even easier to affix hardware to the face of an ATM machine and do the same. Once the data is compromised the identity thieves clone cards and turn the data into cash as quickly.

Bankinfosecurity.com recently published “7 Growing Threats to Financial Institutions”. This post is a play on that; “7 Growing Threats to You”

#1 Skimming; Hardware readily available online that is attached to the face of an ATM records user card information and pin codes. In this case you may still be able to perform a transaction.

#2 Ghost ATMs; A card reader is blocked off and replaced with hardware that supersedes the machine and records all your data without allowing a transaction. The machine reads “Can’t complete transaction”.

#3 Dummy ATMs; In some cases an ATM is bought off of eBay (do a search) or elsewhere and installed anywhere there is foot traffic. The machine is set up for one purpose; read data. The machine might be powered by car batteries or plugged in the nearest outlet.

#4 Ram Raids; ATMs built into a wall or stand alone are being rammed by a truck and/or wrapped with chain and pulled out then loaded onto a truck. Once removed the thieves blow torch the machine taking the cash. This is a hot topic in Mexican banks, buy certainly happens everywhere. A bank would be smart to install battery backed GPS in any machine.

#5 PIN ID’s; Sophisticated criminal hackers break into a database or skim magnetic strips. They then go to an online banking site with a hacking software that plugs in various well known PINs. These PINs might be consecutive numbers, peoples names, pets names, birthdates, or other various simple pass phrases people use. When it finds a match it gives the criminal access to your account.

#6 Automated PIN Changes; Criminals go through the banks telephone banking system to change the customers PIN. They may try to change the customers ANI (Automatic Number Identification) is a system utilized by telephone companies to identify the DN (Directory Number) of a caller. This might be accomplished via “Caller ID Spoofing”. They use publicly available data on the card holder such as name, card account number and last four digits of the social security number to “verify” them as the banks customer.

#7 SMS Attacks; AKA Smishing or Phexting – phish texting. Customers receive a text from a bank on their smartphone requesting login information.

#8 Malware or Malicious Software; Researchers found a virus that specifically infects ATMs and takes over the machine logging card numbers and pins.

How to protect yourself;

First and foremost; Pay attention to your statements every two weeks. Refute unauthorized transactions within a 30-60 day time frame.

1. Pay close attention to everything you do at an ATM. Look for “red flags”, anything out of place. If your card sticks, odd looking configurations on the ATM, wires, two sided tape.
2. Use strong PINs, uppercase lower case, alpha and numeric online and when possible at an ATM and for telephone banking.
3. Don’t reply to phishing or phexting emails. Just hit delete.
4. Don’t just use “any” ATM. Choose ATMs at locations that are “more secure” than in the middle of nowhere.
5. Make sure your McAfee anti-virus is up to date.
6. Invest in Intelius identity theft protection and prevention. Because when all else fails its good to have someone watching your back.

Robert Siciliano Identity Theft Speaker discussing ATM skimming

Check Fraud Identity Theft is Rising

Robert Siciliano Identity Theft Expert

As opening new lines of credit becomes more difficult, identity thieves are gravitating toward check fraud.

Check fraud is a billion dollar problem. As predicted by the Identity Theft Resource Center, check fraud, which accounted for 12% of financial crimes in 2007, increased to 17% in 2008. According to the American Bankers Association Deposit Account Fraud Survey Report, $969 million were stolen via check fraud in 2006, up from a reported $677 million in 2003. Of the $969 million dollars lost to check fraud, 38% was stolen through return deposit scams, 27% was stolen using cloned checks, 28% was stolen using counterfeit checks,  and 7% was stolen by altering or washing checks.

In an article in The New York Post, a brazen ring of thieves enlisted crooked bank tellers to run a check fraud scheme that was brought down when the crooks made the mistake of forging checks from a NYPD account. Two criminal hacker ringleaders organized the counterfeit scam, using 950 “soldiers,” or “mules,” to deposit and cash counterfeit checks, netting them millions of dollars. Three bank tellers were involved, stealing and selling customer profiles which included names, Social Security numbers, and account numbers. Insider identity theft of this kind accounts for up to 70% of all instances of identity theft.

Check fraud victims include banks, businesses and consumers themselves. Our current system for cashing checks is somewhat flawed. Checks can be cashed and merchandise can be purchased even when there is no money in the checking account.

I presented a program on motivation and self-improvement at a women’s prison in Massachusetts a few years back. I requested a little background on the women I was speaking to, just because I watch too many movies and I wanted to know if there was any possibility I’d get shanked. The case worker informed me that about 80% of the women were incarcerated for check fraud and shoplifting. It seems that when some people get a checkbook, they consider it an opportunity to print money.

There are numerous forms of check fraud:

Forged signatures are the easiest form of check fraud. These are legitimate checks with a forged signature. This can occur when a checkbook is lost or stolen, or when a home or business is burglarized. An individual who is invited into your home or business can rip a single check from your checkbook and pay themselves as much as they like. Banks don’t often verify signatures until a problem arises that requires them to assign liability.

Forged endorsements generally occur when someone steals a check and cashes or deposits it. There’s really nothing anyone can do to protect themselves from this, aside from guarding their checks and going over their bank statements carefully.

Counterfeit checks can be created by anyone with a desktop scanner and printer. They simply create a check and make it out to themselves. In order to prevent your checks from being counterfeited, make sure you shred all canceled checks before throwing them away, and be sure to lock up any checks in your home or office. Consider a locked mailbox so nobody can access your bank statements. You should also seriously consider using online banking exclusively, and discontinuing paper statements.

Check kiting or check floating usually involves two bank accounts, where money is transferred back and forth, so that they appear to contain a balance which can then be withdrawn. A check is deposited in one account, then cash is withdrawn despite the lack of sufficient funds to cover the check. In this case, it’s generally the bank or whoever cashed the check that gets burnt, unless they are able to go after the person who used their own account.

Check washing involves altering a legitimate check, changing the name of the payee and often increasing the amount. This is the sneakiest form of check fraud. When checks or tax-related documents are stolen, either from the mail or by other means, the ink can be erased using common household chemicals such as nail polish remover. This allows the thieves to endorse checks to themselves. In this case, something as simple and inexpensive as a select uni-ball pen can help. Select uni-ball pens contain specially formulated gel ink (trademarked Uni-Super Ink™) that is absorbed into the paper’s fibers and can never be washed out. The pen costs two bucks and is available at any office supply store.

If you write a check to pay a bill and then put it in your mailbox for the postal carrier to deliver, you put yourself at a higher risk for check fraud. Thieves see that red flag up and go phishing for checks. I suggest using a uni-ball pen and taking checks directly to the post office, or dropping them in a big blue mailbox.

If you plan to do any online banking, which millions do, make sure your PC is protected with McAfee anti-virus software and all your critical security patches in your operating system are up to date.

Robert Siciliano identity theft speaker discussing identity fraud and security

ATM Skimmer Defeated By Customer

Identity Theft Expert Robert Siciliano

Its not often that I get to report on the victim becoming the victor. It’s nice to see the good guys win one.

I met a charismatic gent on FOX and Friends named Sean Seibel. Sean has a unique job title at Microsoft: User Experience Evangelist. Sean’s job is to be on top of what’s new and what’s next in technology, in the next 5-7 years. He’s a futurist. He and I spoke in the green room of the show before we appeared together on a segment regarding ATM skimming.

ATM skimming often results in forms of identity theft, credit card fraud or bank fraud.

To be a User Experience Evangelist requires a certain vision, insight and the ability to go beyond what’s current or obvious. Sean proved his ability to see “more” by trumping a gang of identity thieves who set out to steal millions from ATMs but “only” got away with $500,000.

Sean stopped at an ATM to get some cash to pay his barber. When he inserted his ATM card in the machine, he noticed a bit of resistance. Most people wouldn’t think twice about this. But Sean doesn’t think like most people. Then the screen said the machine was unable to read his card so he tried again. The second time, the machine gave him an error message. Before he tried again, he thought about a report he had heard about devices that fraudsters attach to the outside of card readers on ATM machines and wondered if that was the source of his problem.

He says, “I’m looking at the thing and thinking, this can’t be. No way. There are all these stories and myths about it, but I actually found one in the wild.”

Sean was face to face with an ATM skimmer, one that he had just swiped his card through. His heart started pounding. Adrenalin was rushing through his body. He was concerned, not just that he might be scammed, but that criminals might be very close by, maybe even behind him or watching him. However, that did not deter him.

Sean says, “I tried to pull on the green plastic surrounding the card slot and found that it peeled right off.” This plastic ATM skimmer had an SD card built into it to store all the stolen data. Sean went into the bank and notified the branch manager, who had never seen an ATM skimmer and didn’t know what to do. She took the skimmer and thanked Sean.

Then Sean remembered, from numerous reports about ATM skimming, that there are usually 2 parts to the ATM skimmer. One is the skimming device itself, the second is a micro-camera placed somewhere on the machine, where it 1arecords the user’s PIN. The camera is often installed in a false brochure holder that taped to the ATM. In this case, it was behind a small mirror that alerts the ATM user to beware of “shoulder surfers.”

Sean went back to the still operational ATM, where people were waiting in line for their cash, and noticed a tiny video camera behind an extra mirror attached to the machine, positioned right over the key pad where it could record user’s PINs. Not being a bank employee and not wanting to alarm any of the people iwaiting, he actually got in line, waited his turn (knowing that the skimmer was gone and nobody was in danger) and pulled the camera off the ATM.

He brought the camera to the bank manager, who replied by saying, “Maybe we should shut 2b*that machine down, huh?” Sean said, “I think that’s a good idea.” The bank manager contacted bank security, shut down the machine and alerted other area banks. The identity thieves netted $500,000 from their scam, rather than the millions they might have stolen had Sean Seibel not foiled their operation.

Bank branch manager…ZERO
Identity Thieves……….$500,000
Sean Seibel foiling their operation and becoming a hero to many….Priceless.

Some great tips from Marite Ferrero, of CardSwitch Technology:

  • Skimming has been and will continue to be the most common type of ATM-related fraud.
  • Criminals attach skimming devices over card slots on ATMs to steal data as the machine reads the card’s magnetic strip.
  • Hidden cameras record victims typing in their PIN codes.
  • More sophisticated criminals use wireless keypad overlays, which transmit PINs to a nearby laptop, instead 3bof cameras.
  • The U.S. Secret Service estimates that annual losses from ATM skimming total about $1 billion each year, or $350,000 a day.
  • Bank ATMs are more vulnerable than standalone ATMs.
  • Standalone ATMs in grocery stores or on the street use technology that encrypts the PIN pad, making them more difficult for criminals to hack.
  • Standalone ATMs are often positioned near the watchful eye of cashiers or store owners, so it’s harder to install skimmers without being caught.
  • Bank ATMs are also more highly trafficked, which means a bigger potential payoff for the criminals.

Also, invest in identity theft protection and make to update your PC’s McAfee internet security software.

Identity theft expert Robert Siciliano discusses ATM skimming.