Pulling the Plug on ATM Skimmers


By Robert Tie

 

2010-October-Sp2web-ATMSkimmer 

 

These days a savvy fraudster need not physically steal a bank debit card to access its owner’s account. Instead, the fraudster attaches an inconspicuous device to an automated teller machine (ATM) that copies a victim’s account information when he uses the compromised machine.

This form of ID theft can have enormous consequences. More than 2 million ATMs serve the world’s retail banking market, and the total grows each day. Skimming – the misappropriation of a bank account’s security information to fraudulently withdraw cash – is especially prevalent among America’s 425,000 ATMs. Europe has nearly as many machines, but European criminal organizations are focusing on the “softer” targets in the United States because it has a weaker ATM security protocol.

This article explains skimming techniques and devices and shows how to thwart them. CFEs can use these tips to help financial institutions protect themselves and work more effectively with law enforcement and prosecutors.

MAGNETIC STRIPE AND PIN 

A customer’s bank card and personal identification number (PIN) together verify his or her identity to an ATM. In the United States, a magnetic stripe on each card contains its owner’s account number. Unfortunately, it’s easy to copy and misuse the stripe’s contents.

First, a fraudster installs a skimming device, which fits snugly over the ATM’s card reader and appears to the untrained eye to be a legitimate, integral part of the machine.

When unsuspecting customers use their bank cards, the skimmer copies the account numbers from the cards’ stripes. Data from hundreds of cards can be stored on a single device.

To obtain the PIN, the fraudster also conceals a tiny digital camera in the ATM enclosure and films the customer’s keystrokes. Two unnoticeable, effective locations for cameras are above the ATM’s digital screen or behind a pamphlet holder.

The fraudster later retrieves the skimmer and camera or downloads their contents remotely if the devices are wireless. He then records customers’ PIN keystrokes and copies the misappropriated account data to inexpensive blank magnetic stripe cards, repurposed gift cards, stolen credit cards, or hotel card keys.

U.S. ATMs can’t distinguish between genuine and counterfeit bank cards. The fraudster can withdraw cash at will with valid PINs and phony, but functional cards.

CHIP AND PIN 

In Europe, however, an ATM must confirm a bank card’s authenticity before executing a transaction. When a customer inserts his or her card, a microchip on it informs the ATM that the card is genuine. The customer enters a valid PIN and makes the transaction.

The ATM Industry Association (ATMIA) cited a 2009 report by the UK Payments Administration. According to the report, “counterfeit ATM card losses in the United Kingdom fell by 68 percent between 2004 and 2008 because of the introduction of the chip and PIN system, which makes it harder for criminals to use fake cards in ATMs. … As more and more countries around the world progress their chip and PIN rollouts, it is expected that fraud will continue to shift towards countries such as the United States, which as yet has no plans to implement chip and PIN.”

The United States will continue to be particularly vulnerable until it converts its ATMs and cards to the European chip-based protocol. It might be years before the changes are made because of the expenses of an upgrade.

Meanwhile, U.S. fraud fighters are combining current tech-savvy and time-tested investigative skills to outwit and jail skimming crews.

THEN AND NOW 

The United States’ first ATM was installed in a Chemical Bank branch in Rockville Centre, a village in Nassau County, N.Y., in 1969. Today, as in many other jurisdictions, the county’s law enforcement and criminal justice officers are fighting a rising wave of ATM skimming.

Earlier this year, a gang of fraudsters slipped up in Lynbrook, a village two miles west of Rockville Centre. The following call was routed to the Nassau County Police Department (NCPD) unit assigned to ATM fraud:

“Crimes Against Property Squad. Detective Rispoli speaking.” 

“Hello, this is Starbucks at the Lynbrook mall. When I came in this morning, a van was outside with the engine running. It’s still there, and it’s making me nervous.” 

“You’re next door to the bank, right?” 

“Yes. The police were in there yesterday.” 

“We’re on our way. Don’t touch anything.” 

The day before, a skimming device had fallen off an ATM in the bank next to the coffee shop. The Lynbrook Police Department’s report on it had just reached Detective Ronald Rispoli and his CAP Squad partner, Detective Jeffrey Marshall, when they received the call from Starbucks.

Rispoli and Marshall sped to the caller’s location. They found no one in the van, but the engine was still running. Apparently, the fraudsters had been sitting in the van the day before, watching the bank, when their ATM device was discovered. They panicked and abandoned their vehicle. 

“We got a search warrant and impounded the van,” Marshall said. The detectives found an industrial adhesive the fraudsters had used to attach their skimmer and a pinhole camera to the ATM. The detectives set out to find the van’s owner. They hoped it wasn’t stolen.

TEAMWORK IS KEY 

Rispoli and Marshall routinely collaborate with the U.S. Secret Service (USSS), which, under Title 18, U.S. Code, Section 1029, Fraud and Related Activity in Connection With Access Devices, has federal jurisdiction over ATM fraud.

Their joint investigation determined that the van was registered to a Romanian boxer admitted to the United States on one of the up to 25,000 P-1 temporary visitor visas the U.S. Department of State grants annually to qualifying foreign athletes. Unfortunately, this suspect fled the country before he could be detained for questioning.

Marshall and Rispoli also worked the case with the police departments of Greenwich, Conn., and New York City (NYPD) along with the Queens County District Attorney’s Office. In August, NCPD, NYPD, and the USSS executed a search warrant on the residences of other members of the Romanian crew suspected to be behind the Lynbrook skimming incident.

NCPD arrested several suspects and confiscated ATM skimming devices and installation tools, pinhole cameras, laptop computers, credit cards re-encoded with stolen ATM card data, and more than $40,000 in cash.

Marshall and Rispoli reported the results of their investigation to Diane Peress, chief of the Economic Crimes Bureau of the Nassau County District Attorney’s Office. The detectives presented the confiscated evidence and still images from bank security visual digital recordings. These photographs show the suspects installing skimmers and cameras and withdrawing part of the cash they stole.

THE EUROPEAN CONNECTION 

In July, the European ATM Security Team, a nonprofit organization based in Edinburgh, Scotland, reported that its ongoing analysis showed “the main criminal groupings engaged in skimming at ATMs in Europe continue to be Romanian and Bulgarian nationals.”

Is it fair or useful to surmise that Eastern Europe might be a significant source of ATM fraudsters entering the United States? Peress thinks it is.

“In the last two years, we’ve seen a tremendous surge in the compromise of ATMs by Eastern Europeans,” she said. “Theirs is a highly educated population skilled in electronics and mechanics.”

She acknowledged that some might think her observations border on criminal profiling. But Peress said investigators and prosecutors have to follow the evidence wherever it leads.

“If you don’t know which group you’re dealing with, you won’t be able to figure them out and detect their methods,” she said.

In Peress’ experience, American gangs focus on loaning skimmers to accomplices who work in retail shops and restaurants. Their target is credit card information that can be quickly skimmed when clerks or waiters briefly possess customers’ cards.

In contrast, Peress said, Eastern European skimming crews make full use of their technological expertise to rig ATMs. For example, the skilled Romanian gang “stole nearly $500,000 from 486 accounts at 50 ATMs in the New York metropolitan area,” she said.

In September, the Romanian gang suspected in the scheme was arraigned on charges of grand larceny, identity theft, conspiracy, and other offenses related to ATM skimming.

MAKING THE CASE 

Banks often invite Marshall and Rispoli to train their staffs on ATM security.

“We tell them to leave a skimming device in place if they find one,” Marshall said. “Put an ‘out-of-order’ sign on the ATM, and call us.”

The NCPD immediately assigns a plainclothes team to the case. The bank removes the out-of-order sign, and the surveillance team members wait to see who retrieves the skimmer and camera.

“We want to track legitimate use by customers and record any related skimming that victimizes them,” Peress said.

Prosecutors need at least two kinds of evidence to show how those two activities – one legal, one not – are related in a criminal event.

First, they need images of the skimming crew installing devices and withdrawing cash. Second, they need the bank’s transaction reports indicating that at the exact date and time the suspect was visually recorded, that particular ATM was skimmed or had cash fraudulently withdrawn from it.

These forms of evidence, if gathered properly and in a timely manner, can persuade a jury of a defendant’s guilt. But lack of preparation can upset an otherwise strong case.

“As soon as a bank becomes aware of a skimming incident, it should begin preserving any potential evidence, such as visual recordings of the affected ATM,” Peress said.

Some financial institutions, she said, overwrite their enormous digital visual files 30 to 45 days after they’re created.

“You have to secure tapes, transaction reports and other evidence while it still exists, even if you don’t yet have a suspect,” she said.

ONE AT A TIME 

A skimming crew will try to steal account information from ATMs in several counties and states. Peress therefore cautions investigators to proceed incrementally when approaching prosecutors.

“Call the prosecutor you have the closest contact with, and ask how much of your case can be brought in that jurisdiction,” she advised. “Get that answer before you contact other prosecutors. If you go to several prosecutors right away, you’ll wind up with multiple small cases and light sentences. Of course, it’s better to have one or two big cases and longer sentences.”

MAKE IT A HABIT 

Rispoli and Marshall focus on prevention and detection. They recommend bank staffs check their ATMs for skimmers and cameras three times a day: at opening, at mid-day, and at closing.

They also advise taking detailed photographs of secure ATMs so that all bank employees can detect tampering without disturbing evidence.

“Bank staff should look for gaps and glue and call the bank’s security center periodically to make sure surveillance cameras are in working order,” Rispoli said.

BE PREPARED 

Skimming gangs exploit every ATM security weakness they see. But banks can minimize such vulnerabilities by implementing the anti-skimming measures discussed here.

CFEs who share these recommendations can help financial institutions protect themselves and their depositors.

Robert Tie is a New York business writer. 

Editor’s note: Fraud Magazine thanks the Nassau County Police Department for the ATM surveillance photos linked in this article. Skimmer and pin-hole camera images are courtesy of Robert Tie. 

The Association of Certified Fraud Examiners assumes sole copyright of any article published on www.fraud-magazine.com or www.ACFE.com. ACFE follows a policy of exclusive publication. Permission of the publisher is required before an article can be copied or reproduced. Requests for reprinting an article in any form must be e-mailed to: FraudMagazine@ACFE.com.