High-tech Thieves Snatch Data From ATMs

R. A. Hettinga rahettinga at earthlink.net
Thu Jan 10 15:32:32 EST 2002


http://dailynews.yahoo.com/htx/abc/20020110/bs/atmfraud020110_1.html



Thursday January 10 03:26 PM EST

High-tech Thieves Snatch Data From ATMs
By Paul Eng ABCNEWS.com

Thieves can steal an account number from an ATM or debit card, and secret pin.

	  At the corner market, the skim is in the refrigerated milk - and
perhaps in the store's cash-dispensing ATM.

But this particular "skim" isn't good for customers since it involves the
poaching of an unsuspecting consumer's bank card data.

Thieves have found a way to steal not only someone's account number from an
ATM or debit card but also the person's seemingly secret personal
identification number. With this double dose of information, thieves can
electronically rob unsuspecting victims of their cash.

The scam has been reported in New York, Florida, California and points in
Canada.

The cybercrooks' technique is so clandestine that consumers often don't
know that they've become victims until they check their monthly bank
statements - or when checks start to inexplicably "bounce" due to lack of
available funds.

Suddenly Sapped of Cash

Chris Lundie, a 28-year-old market surveillance analyst with a Wall Street
investment firm, was one such victim.

Last month, Lundie and his fiancée checked their bank account online in
preparation to pay their Manhattan apartment rent. But, they noticed two
odd withdrawals - for $500 and $600 - made within hours of each other at
bank ATMs in Flushing, Queens.

"At first we questioned how this happened," says Lundie. "We don't work in
Queens and we've never been to those ATMs."

After calling his bank to stop further activity on the account, Lundie
called his local police precinct and discovered that he was the latest
victim of a high-tech crime ring that may have been targeting automatic
teller machine users for more than a year.

Detectives with New York City Police Department's Special Fraud Unit
wouldn't comment on the "ongoing investigation" into the ring. But
according to a recent report in the New York Post , the thieves may have
stolen as much as $1.5 million. Authorities told the Post they suspected
the scam was the work of the Russian mafia.

Snatching Data Clandestinely

Law enforcement officials did not disclose how the ring operated, but
industry sources gave ABCNEWS a hint at how the ring might have stolen
money from unsuspecting victims.

According to one source, the thieves may have targeted non-bank ATMs - the
stand-alone cash dispensers found at local grocers, bodegas, gas stations,
and shopping mall food courts. The machines are rigged with tiny devices
that can read a debit card's magnetic stripe as it is run through the ATM's
built-in reader. A special "logic board" or cover is placed over the ATM's
keypad and records when users enter their four-digit PIN codes.

Both the card's magnetic data and the user's PIN information are stored in
a separate memory module. The thieves retrieve the memory module and, using
commercially available computer technology, encode the stolen information
onto their own blank cards. These "cloned" debit cards can then be used
with the captured PIN to withdraw money from the victims' accounts using
other ATMs.

Con artists have targeted debit cards and ATMs in the past in a variety of
scams. Most schemes, such as the so-called Lebanese Loop, are fairly simple.

In that scam, robbers would purposely rig the card slot of the ATM to
physically capture a person's bank card. The scammer, posing as a good
Samaritan, would then suggest that the victim repeatedly enter their secret
PIN code in order to recover the stuck card from the machine. When the
effort fails, the victim often walks away - leaving the con artist to
retrieve the card and use it with the now-disclosed PIN code.

ATMs: Tempting Targets

Experts believe that the thieves may have targeted non-bank ATMs for
several reasons.

For one, non-bank ATMs are typically owned and maintained by independent
operators who may not know that such skimming devices are being added and
removed from their cash dispensers.

Most of these stand-alone ATMs also lack built-in surveillance cameras and
are placed in locations that aren't monitored closely, leaving police with
very little evidence to work with during their investigations.


Crafting Countermeasures

Rob Evans, marketing director for NCR, a leading ATM supplier, says the
industry has developed several technologies that can defeat these
clandestine card skimming setups. ATMs supplied to NCR's bank customers,
for example, can be equipped with enhanced card readers that can scramble
the card's data as it's being read.

"When a user puts his card in, it jitters the electronic signals so it
can't be picked up by a nearby illegal card reader," says Evans.

The banking industry is also looking into other high-tech measures such as
using software encryption and so-called smart cards that store data on
hard-to-duplicate microprocessors.

But industry officials such as Evans admits that it's a tough race against
cybercriminals. "You do what you can to make the ATM as unappealing as you
can to folks that want to use it for criminal purpose," says Evans. But as
ATMs - especially stand-alone versions - proliferate, "The bad guys are
going to keep coming at these things as quickly as they can."


Enduring Losses and Lessons

And that's disheartening news for both consumers and the financial
institutions that absorb the estimated billions of dollars annually lost to
bank card fraud.

Citigroup and J.P. Morgan & Chase - two of the largest institutions
reportedly stung hard by this latest ring of thieves - wouldn't comment on
the amount lost in the latest scam. But Mark Rodgers, spokesman for
Citigroup, says, "No [customer] funds were at risk and we regret any
inconvenience that may have resulted [from this crime]." Rodgers also says,
"We've worked with customers to resolve the issues on their account."

And that's good news for consumers such as Lundie. His undisclosed
financial institution restored the stolen funds to his account in about two
weeks. After all, "$1,100 is a lot of money living in [New York] City," he
says.

Still, he and his fiancée are keeping a close eye on their new account. And
he says: "I definitely make more of an attempt to use a bank ATM."

Email this story - View most popular  |  Formatted version
------------------------------------------------------------------------


Search Advanced
Search:  Stories   Photos   Full Coverage


Home | Top Stories | Business | Tech | Politics | World | Local | Entertainment | Sports | Science | Health 

------------------------------------------------------------------------
Questions or Comments
Copyright © 2002 ABCNEWS.com.


-- 
-----------------
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com




More information about the cryptography mailing list