Non-bank ATMs are typically located in convenience stores, service stations and sometimes in communities where there are few banks. Under Massachusetts law, they must be approved and registered with the state, and must disclose withdrawal fees, owner contact data and other information to consumers.Renegade machines that don't follow the rules may expose consumers to ATM skimming. That's when thieves attach hard-to-detect reading devices that copy debit card numbers, and hidden cameras or overlay keyboards that record users' tapping in their PIN. From there, fraudsters can burn the data onto a blank card to access account holders' cash.
"A consumer sees an ATM standing in the middle of a shopping mall and they assume it's legitimate. Some of these machines are ghost ATMs, they're just a shell," said Robert Vamosi, a security, risk and fraud analyst at Javelin Strategy & Research, in an interview. "Ghost ATMs" are boxes designed to look like the real thing, but they don't contain internal hardware to encrypt, send and receive data from a financial institution.
Vamosi pointed out many fake ATMs mimic the computer circuitry of real ones, so they're not easily recognizable. Skimming attacks have also evolved from basic card-data theft to sophisticated attacks on the software inside ATMs and networks. "This is the means which criminals have started to employ to capture PIN numbers -- by tricking you into going to a dummy machine," Vamosi said.
According to the Massachusetts governor's office's Division of Banks, which conducted the investigation, the number of non-bank ATMs in the state tripled the last 10 years, to approximately 5,600. Observers say it may be indicative of a wider trend.
"The growth of non-bank ATM companies is happening across the country. The problem is that not every state requires the registration of non-bank ATMs," said David Cotney, a spokesman for the Division. He noted consumers must have a high level of trust and protection when using a non-branded ATM, and the only way to ensure that is to register and bring into compliance all unregistered machines.
The 300 illegal ATMs in Massachusetts are required to cease operations until they are properly authorized. Click this list for locations.
In addition, 101 authorized non-bank ATMs inspected in Massachusetts also stood in violation of various state rules. The most common included failure to provide a 24-hour, toll-free contact phone number as well as contact information of the owner and operator. Failing to post the Division's contact information for consumer inquiries and unresolved complaints also was common.