Criminals Focus on Weak Link in Banking: A.T.M. Network

R. A. Hettinga rah at
Sun Aug 3 16:04:43 EDT 2003


The New York Times

August 3, 2003 

Criminals Focus on Weak Link in Banking: A.T.M. Network 

He fenced stolen jewels, committed bank and credit-card fraud and had been accused of having links to an Albanian-Yugoslavian criminal gang. Cloaking himself in nine aliases and Armani jackets, he was a smooth, multilingual master of the con, investigators and people who knew him say. 

His name is Iljmija Frljuckic, and by all accounts,  he had no business being around anybody else's money. 

Yet after being deported in the late 1990's, he slipped back into the United States and set up shop as a banker, not in a marble lobby under the watchful eyes of auditors and regulators, but in the virtually unregulated world of privately owned automated teller machines. 

To tap into this electronic network, Mr. Frljuckic (pronounced Furl-YOU-kich) did not have to produce so much as a valid driver's license. After buying these machines - the kind commonly found in convenience stores, delicatessens and other retail outlets - he and his associates installed devices that captured, or "skimmed," personal bank account information from at least 21,000 people, prosecutors say. They used that information in 2001 and early 2002 to make fake A.T.M. cards, then stole at least $3.5 million, mostly from A.T.M.'s in New York City, according to the latest federal charges filed  about  two months ago in Manhattan. 

Before Mr. Frljuckic came along, small-time crooks had made crude forays into A.T.M. fraud. But in its size and technical sophistication, investigators say, the Frljuckic case is a con of an entirely different order - a new turn on identity theft, a jolting warning of the vulnerability of an A.T.M. system that has exploded in size in the last few years. 

No one can say precisely how much is lost through A.T.M.-related crimes. In fact, no government agency knows how many cash machines are operating, where they all are  or who owns them. Though banks are reluctant to discuss their losses, they say there is no cause for alarm. But from Canada to Malaysia to the United Arab Emirates, investigators report new assaults on A.T.M.'s. 

The criminals, both foreign and homegrown, include gangs, embezzlers and, on occasion, money launderers, according to investigators and public records. And while A.T.M. industry officials say the Frljuckic case shocked them into tougher self-policing of privately owned machines, they also confess that the thieves are remarkably resourceful, shifting their attention now to bank-owned machines.  In recent  months, skimming devices have been attached to bank  machines around Boston and  Chicago. 

"A.T.M.'s have been viewed as a  weak point in the banking chain - and so the criminals have focused on that," said Tom Harper, president of the A.T.M. Industry Association, the leading trade group. 

The global wiring of banks to A.T.M.'s means consumers can gain instant access to their money around the world. But with the government monitoring only part of this electronic network, a thief using cheap equipment and a little imagination can steal someone's banking identity in Manhattan and within hours withdraw money from that person's account at a cash machine in Europe. 

A.T.M. crime may also be a national security issue. Federal officials are investigating incidents in which suspected terrorists may have used the machines to fraudulently generate income, says  Dennis Lormel, chief of the  terrorist  financing operations section of the Federal Bureau of Investigation. 

Banks are supposed to reimburse victims of A.T.M. theft. But unlike credit card fraud, in which banks are stuck with bills for unauthorized purchases, A.T.M. thefts take cash from consumers, who may bear the burden of proving that withdrawals were unauthorized. 

Kelly Quick of Studio City, Calif., said that when he reported $1,420 missing from his account early this year, his bank did not  believe him. "They basically said that since I didn't give out my PIN number, it had to have been me," Mr. Quick said. Similarly, Mark Evans of Los Angeles said his bank was "basically  accusing me of stealing the money." Both men say getting their money back involved a fight. 

Complaints like these prompted the comptroller of the currency in September 2001 to warn banks of their obligation to make A.T.M. victims whole. 

"Unfortunately there are people who say they have been defrauded when they have not," said John Hall, a spokesman for the American Bankers Association. As banks learn more about A.T.M. fraud, he said, they are getting better at helping customers. 

A.T.M.'s  have been around for decades, but became ubiquitous on the American landscape in 1996, when new surcharges on withdrawals made it possible for private entrepreneurs to profit by owning machines. Since then, the number of machines, which cost as little as $3,000, has tripled, to an estimated 370,000, fueling the growth of companies that sell and service them. 

This growth, in turn, has spawned criminal activity that goes beyond just the skimming of bank account numbers. Embezzlements in recent years have involved companies that supply cash to the expanded A.T.M. market, including a New Jersey company, Tri-State Armored Services, where $50 million turned up missing. By contrast, the biggest bank robbery in the last 25 years, according to federal statistics, involved $11 million. 

Banks call credit-card and check fraud a much bigger problem. Besides, they say, rare cases of A.T.M. fraud are a small price to pay for convenient cash. But banks are not eager to publicize breaches of A.T.M. security. 

"They don't want to give people ideas," said Nessa Feddis, a lawyer with the American Bankers Association. 

Another reason, some financial experts say, is that banks do not  want to undermine confidence in a system that cuts their overhead while making them billions in fees, collected when their  customers use private A.T.M.'s or machines owned by other banks. Several large banks also own parts of a network that connects the machines  and financial institutions. 

"These fees are cash cows for the banks," said Edmund Mierzwinski, of the U.S. Public Interest Research Group in Washington. 

A former president of a Federal Reserve bank  said:  "You write your story and they will hate it because it will say, `Be careful where you stick your card.' " 

4,000 Accounts Vulnerable 

The nation's biggest A.T.M. fraud began in late 2000 with trial runs in California, Florida and New York. At 13 sites, thieves started installing machines rigged internally to capture bank data and personal identification numbers. 

They were in no hurry; the longer they waited, the more account numbers they could steal. In four months, with just the dozen or so  machines, they had the electronic keys to 4,000 accounts, fraud investigators say. 

Only when the gang began siphoning money did banks and customers realize they had been scammed. By the time the rigged machines had been identified, they had vanished, along with their owners and tens of thousands of dollars. 

By the end of June 2001, banks had identified the compromised cards and electronically blocked them. 

"They covered their tracks throughout the process," said Michael Urban, who works for a division of Fair Isaac, a company that helps financial institutions detect electronic fraud. "We didn't know anything other than they had good PIN's, good cards." 

Investigators say the machines were bought in the names Michael Dokovich and Michael Bugatti, who turned out to be the same man: Iljmija Frljuckic. 

He is believed to have first entered the country in 1981. By the early 1990's, federal authorities had linked him to "an Albanian/Yugoslavian organized crime gang." The government wrote in court papers that the group "is believed responsible for a host of serious crimes, including arson, insurance fraud, bank fraud, large-scale mail theft, drug trafficking and sophisticated jewelry heists." 

Mr. Frljuckic married the daughter of a Florida law enforcement official in January 1994, telling her that he was Michael Illyriani, an international businessman, court records show. He did not say he was facing federal bank fraud charges, filed in 1992, and was out of jail only because, hoping for a plea bargain, he had agreed to inform against the Albanian gang. 

Actually, officials say, he was conning the government, too. While he helped on a few minor investigations, prosecutors say he provided "absolutely no assistance" in exposing the gang. Then, before the first case was settled, he was arrested in a new bank fraud. 

After his release from federal prison in June 1996,  a judge ordered him deported to Yugoslavia. But he soon returned to the United States,  and by then the A.T.M. system had opened its doors to private entrepreneurs. 

Surcharges Fuel Industry 

The system that beckoned Mr. Frljuckic runs on the ever-accruing stream of money from the surcharges first widely permitted in 1996. Today, many customers pay twice - usually $1 to $3 to the owner of the machine, and $1 to $1.50 to the bank that issued the card. A.T.M. fees now add up to $4.5 billion annually, according to Dove Consulting, a Boston-based firm. 

An A.T.M. entrepreneur   needs a machine and cash, which can be borrowed, to stock it, and a bank account, so that when a cardholder withdraws money, the cardholder's bank has some place to send the reimbursement. What the owner does not need is a license or government approval. 

New owners are supposed to be evaluated by what are known as independent service organizations, or I.S.O.'s, which connect privately owned machines to the network. Each I.S.O., in turn, must be sponsored by a bank. 

But the I.S.O.'s and banks have a spotty record of oversight, according to some in the A.T.M. industry. Fraud investigators, for example, have sometimes had trouble establishing the owners and locations of  specific A.T.M.'s. 

"It's harder to switch a registration on your car than to move around an A.T.M.,"  said Gregg James, a Secret Service agent    who investigates financial crime. 

The system, if not properly supervised, can be used to launder money. An owner can stock a machine with the proceeds from crime and then, after withdrawals, be reimbursed from customers' banks with "clean" currency. 

The American Bankers Association says its members do not see money laundering as a problem.  "That's not something that's come to my attention," said John Byrne, a lawyer with the association. 

It has, however, caught the attention of the Secret Service and other federal officials. In 2000, an Indiana man pleaded guilty to laundering money through his machines. Another A.T.M. money-laundering case is awaiting trial in California. 

"When I found out what he was doing I thought, `Ah, the perfect scheme,' " said Donna Eide, the prosecutor in the Indiana case. "It's a perfect way to get cash back into the system without reports being filed." 

Small Store Owners Used 

Nasser Alomari is typical of the small New York store owners who became unwitting accomplices in Mr. Frljuckic's widening fraud, investigators say. 

Mr. Alomari, a Yemeni immigrant, had originally owned his own A.T.M. in his delicatessen,  now the 10th Avenue Gourmet, in Manhattan. A private company serviced the machine, paying him $1 for each withdrawal. In a good month, that meant $600.   And until one day in January  2002, that seemed enough. Then a stranger wearing a gold Rolex with diamond insets offered him a better return - $1.75. 

He said the man insisted on installing his own A.T.M. Investigators say it had been fitted with a skimming device. 

Federal records show that the man Mr. Alomari dealt with used an alias, as he had in buying 21 other machines. Investigators say he was Hamdija Frljuckic, brother of Iljmija. Hamdija Frljuckic began buying machines in August 2001 from a New Jersey independent service organization called Money Marketing. 

"They knew the deep ins and outs of this  business," a company spokesman, Eric Park, said. Money Marketing's vetting process conformed to the industry standard back then, he added, and included a review of a buyer's business records and driver's license. "I've never had a fake driver's license," he said. "How can you ever tell?" 

Money Marketing says A.T.M. buyers now undergo criminal background checks and must produce, among other things, tax returns. 

By early November 2001, investigators say, the thieves had collected account information from about 17,000 New Yorkers. The trap was set. 

Similar Fraud Patterns 

The first sign that something had gone seriously wrong came over that Veterans Day weekend. 

Just as bank customers began to miss money in their accounts, unusual withdrawal patterns were being detected by computer analysts in the Arlington, Va., office of  Fair Isaac. The analysts noticed something else: The patterns echoed those observed  that year in California and Florida. 

"Our investigators were 90 percent sure it was the same guys," said Mr. Urban of Fair Isaac. Investigators had another tactical advantage: With the highest daily withdrawal limit usually around $1,000, the thieves had to spend a lot of time feeding fake cards into machines. And during that time they were vulnerable. 

Once Fair Isaac had identified compromised cards, their numbers were sent to NYCE, a company that connects A.T.M.'s and banks. Then, when a suspect card was used again, NYCE, using a software program called Rooster, pinpointed the location and contacted the Secret Service within seconds. 

In New York's congested streets, though, getting there in time was a problem. "We had agents getting out of cars, running up the street," said Mr. James, the Secret Service agent. 

In an escalating game of cat and mouse, the thieves began making withdrawals during lunch hour, when sidewalk and street congestion was at its worst. And they stopped feeding large numbers of cards into a single machine, instead slipping from one location to another. 

"They would go in, hit an A.T.M., get on a subway, then go to the next A.T.M.," said Susan Zawodniak, executive director of the NYCE network. 

To improve their odds, agents  began staking out the sites of suspicious withdrawals. For five days, nothing. Then, on the evening of Nov. 15, Citibank told an agent,  "approximately $7,000 had just been withdrawn from different accounts in rapid and successive transactions from the same A.T.M.," according to a Secret Service affidavit. 

The agent  rushed to the bank, where he found two other agents  on stakeout. After a brief chase, they arrested a man seen leaving the bank. He was Fikret Korac, whom a federal prosecutor called "a criminal for most of his adult life." In his possession, agents  said, they found 11 white plastic cards with magnetic strips and about $30,000. 

Investigators viewed Mr. Korac as a low-level "runner." But after his arrest, prosecutors say, he called Hamdija Frljuckic, who quickly tried to withdraw $150,000 in cash from an account in a false name at J. P. Morgan Chase . But when he asked for the money in $100 bills, a suspicious bank officer refused, according to the Secret Service. 

Within weeks, Hamdija Frljuckic was arrested - after visiting the machine at Nasser Alomari's store. 

He is awaiting trial on charges relating to the A.T.M. thefts.  But Iljmija Frljuckic remains at large. 

"The main older brother flees with several million in a suitcase," an investigator said. "We have intelligence that he put A.T.M.'s in other places in the world." 

Reached overseas by telephone, Mr. Frljuckic told The New York Times that he was willing to be interviewed where he was living, in Montenegro. But after several conversations to arrange the interview, he stopped returning calls. 

In all, investigators say, the thieves withdrew money from 500 machines around  New York City. The hardest-hit bank was Citibank, which lost about $1 million, said people close to the investigation. 

Banks are reluctant to discuss the case. "Our hard and fast policy is we just don't discuss these sorts of things," a Citibank spokeswoman said. 

At the state banking department, a spokeswoman, Bethany Blankley, said she knew little about the case because the compromised machines were not the agency's responsibility. 

"We regulate the safety of the A.T.M. machines only for banks," she said, "not for supermarkets or little stands where you get cigarettes." 

Industry Looks Inward 

Last March, the A.T.M. industry gathered in Miami to meet with fraud investigators for some self-examination. The New York case was not the only one on their minds. 

In late 2002, four Russians were arrested on charges of looting A.T.M.'s in Canada. Cardholders found their money disappearing in European cities they had not visited, including Paris, Amsterdam and Milan, according to a report filed by bank investigators. 

The Canadian fraud seemed to replicate what prosecutors accuse Mr. Frljuckic of having done. 

"The thing we found troubling," said H. Kurt Helwig, who runs the Electronic Funds Transfer Association, was that "this was organized crime." 

An industry task force - including machine manufacturers, electronic networks and private machine owners - is  fighting fraud through, among other things, better background checks and machines  less prone to tampering. The hope is that these efforts  will keep the government from stepping in. "It's a marketplace issue,"  Mr. Helwig said. 

Because of their efforts, task force members say, skimming from private machines is not the danger it used to be. But concerns remain. 

In March, Fair Isaac sent  an "urgent notice" of thefts from A.T.M.'s in San Francisco and the Los Angeles area. Investigators say they believe those card numbers were stolen through skimming devices in privately owned machines. 

But now more A.T.M. fraud seems to be occurring at bank-owned machines, industry officials say. They are refocusing their attention. 

"It's almost as if the criminals were listening and watching," said Ms. Zawodniak of NYCE. "We build a 10-foot wall, and they build an 11-foot ladder." 

R. A. Hettinga <mailto: rah at>
The Internet Bearer Underwriting Corporation <>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at

More information about the cryptography mailing list