Consumer 10.0: High-tech thievery lurks at ATMs

Joan Moore and her husband, Jim, don't use cash very often. So it's probably an understatement to say they were surprised by their December statement from Bank of New York Mellon.

"I say to my husband, 'What are all these weird withdrawals?' " Moore recalls.

Weird, as in $400 here, $580 there - 23 in all, over a weeklong period. All told, a thief looted about $11,000 from their account, cutting a swath across Montgomery County from Royersford to Limerick, Wayne, and King of Prussia.

The Moores, retirees who live in Worcester Township, suffered more hassle than harm. Joan Moore opened her bank statement the day it arrived and reported the unauthorized withdrawals immediately to her bank - steps that can be crucial to limiting your liability if your ATM or debit card is lost or stolen, or even if your account is looted by other means.

Other means were plainly at issue here. Neither Joan nor Jim Moore lost possession of their bank cards. Instead, they were apparently victims of a high-tech crime known as "skimming," in which thieves use sophisticated devices to steal the data encoded in a payment card's magnetic strip as it is read by a machine.

In one form or another, skimming has existed nearly as long as credit cards have come with magnetic strips, says Robert Novy, a spokesman for the U.S. Secret Service, which investigates payment-system fraud.

ATM-card skimming is more complicated, because the cards require a secret PIN code to gain access to your funds. But the tools to simultaneously steal both a card's data and its owner's secret code are increasingly available - sometimes even sold via contacts made in Internet chat rooms.

For her part, Moore raises reasonable questions about the risks she encountered, apparently just by making an ordinary withdrawal outside a suburban bank branch.

"It's their security issue, not mine," she says. "If they can't make these machines secure, why should we use them?"

Is there much you can do to avoid skimmers? Perhaps not. Still, a little knowledge about the crime can't hurt.

Moore uses a credit card for most purchases, so she was fairly confident she knew where the skimming took place. She zeroed in on her last actual withdrawal: on Dec. 4 at a Citizens Bank in Audubon, three days before the looting began.

Moore's suspicions were confirmed by a Citizens Bank spokeswoman, who acknowledged that a security breach occurred at the bank but wouldn't confirm whether a skimming device was found.

"There were a handful of customers affected, and they'd all been contacted and had their funds returned," says Citizens Bank spokeswoman Sylvia Bronner. "For security reasons, we just don't want to talk about specifics."

Skimming experts say the theory of the crime is simple. The keys are designing devices that fit over the face of a cash machine without raising suspicions, and that capture both the magnetic-strip data and the customer's PIN code in a way that can be stored or transmitted for criminal use.

What's simple in theory is challenging in practice. Since crude ATM skimmers were first reported more than a decade ago in places such as Brazil, they have become increasingly sophisticated, according to experts such as Brian Krebs, an investigative journalist who runs the website KrebsOnSecurity.com and has communicated online with people who claim to sell skimming devices.

"The price goes up as the complexity increases," Krebs says. Some skimmers store data until an installer returns, but "with the state-of-the-art stuff, you get the stolen data by text message." (To see Krebs' pictures of skimmers, go to http://go.philly.com/skimmers.)

Some skimmers include overlay membranes that capture PIN codes as you punch them. Others rely on pinhole cameras that record your finger strokes. Either way, time stamps link the PIN to the magnetic-strip data.

This sophisticated technology comes at a price, of course, as each version must be designed to match a specific ATM model. But the better it gets, the more lucrative the payoff.

Krebs has seen ATM skimmers offered for about $8,000 to $12,000. "That may sound like a lot, unless you're making five or six times that," says Krebs, who says a typical skimmer operation takes in about $60,000. "You've got to spend money to make money."

So how can consumers limit their exposure?

A couple of possible clues come from Mike Urban, senior director of fraud product management at Fair Isaac Corp. Urban says skimmer designers so far seem to favor ATMs fitted with motorized card readers, which pull in your card and return it, rather than "dip readers," which require you to manually insert and retract your card.

Urban says, too, that skimmers appear more likely to favor high-volume locations at financial institutions rather than low-volume ATMs inside stores.

"Generally, the criminals look for a location where there are enough people going through to make it worthwhile," he says.

But Urban cautions that this is a cat-and-mouse game - and that consumers will always be the hapless mice up against the ever-wily felines.

Several years ago, he says, one ATM maker designed a card reader encircled with flashing green lights, figuring that the machine's users would notice if they couldn't see the lights. But skimmers designed an overlay that matched it, green lights and all.

"Every criminal is different - they're looking for where they can get away with the crime," he says.

Today, that may be outside your bank's branch. Tomorrow it may be elsewhere. All you can do is look closely for signs of tampering - and watch your balance.