A couple of days went by; then, he checked his online statement. "I saw $8,000 deducted from my account in three days from ATM withdrawals," says Rabinowitz.
This was a couple of years ago and Rabinowitz says HSBC still is not able to tell him how the fraudsters were able to exceed his $800 daily ATM limit at all, let alone so drastically. After a week-long investigation, HSBC (HBC) credited him for the $8,000.
"It turns out this ATM -- and the bank -- never open, and this ATM was set up just to collect the magnetic strip number and a PIN," says Rabinowitz, a lead consultant for Silicon Associates in Beverly Hills. "The fraudsters then create a new plastic card magnetized with an exact magnetic duplicate, and of course they've also recorded the PIN. They likely worked in the banking/ATM network, so they were able to get the funds out using the 'new' card fairly easily."
Stories like Rabinowitz's are not rare. ATM skimming is responsible for in excess of $1 billion in losses annually, says Robert Siciliano, a McAfee consultant and identity theft expert.
The problem is growing. "According to IBM's 2010 Trend and Risk Report, there has been a surge in skimming -- it occurred five times as much in 2010 than in 2009, and all indications are the trend is continuing in 2011," says Jeremy Miller, director of Kroll's Fraud Solutions practice.
The Mechanics of a Skim Scam
Typically, skimming at an ATM occurs when a thief has installed a small, almost unnoticeable "skimmer" to the machine that can read the magnetic stripe on a card. Sometimes, the device is rigged to "capture" your card, holding onto it instead of just reading it, so that when you walk away to report the problem, the thief can simply step up and take it. To obtain your PIN, thieves use a number of ingenious techniques: cameras to record you punching it in, devices installed in the pad that record your keystrokes, and the tried-and-true "shoulder surfer" method, explains Miller.
Nor is skimming a problem restricted to ATMs: Thieves can rig any device that is meant to read a card with a magnetic stripe, targeting gas stations, checkout lines grocery stores, restaurants, etc. Sometimes, it is the employee that skims cards, although last year saw a surge in point-of-service skimming incidents that couldn't be traced back to any employee or insider, says Miller.
Skimming today is far more sophisticated than in the past. "Skimmers can include Bluetooth and texting technology that send the data to the criminal anywhere. Keypads can be compromised by devices that overlay the exiting pad and transfer the data remotely," says Siciliano.
Then there are "dummy ATMs." In some cases an ATM is bought on eBay or elsewhere, and installed anywhere there is foot traffic. The machine is set up for one purpose -- to read data. The machine might be powered by car batteries or plugged into the nearest outlet, says Siciliano.
There are also some decidedly low-tech skimming techniques. "A criminal might decide to steal either an ATM or POS terminal. Cash can be pulled from the ATMs, but both types of machines could store card numbers if misconfigured. A stolen machine is also valuable in order to learn about weaknesses or ways to physically attack it," explains Charles Robertson, Ph.D., a researcher and analytics specialist at high-tech security company Verafin.
With so many means of attack, there is a glut of card information on the market. Lazy criminals can simply buy card data, starting at $1 or less. Quality costs extra, but in the underground marketplace, there are products for everyone, says Robertson.
How to Protect Yourself
With so many tricks out there, how can you stay a step ahead of the bad guys?
First and foremost, pay attention to your statements, and check your account every two weeks, says Siciliano. In addition to monitoring your statements, you can also sign up for alerts that will tip you off when certain types of transactions occur.
Privately owned ATM's are the highest risk because skimming devices can easily be added to the inside of the ATM by its owner. And if an ATM is in an obscure place, it can more easily be tampered with, says Michael Gier, host of the Web TV show at www.ProtectYourself.tv.
Even bank ATM's are at risk because crooks can add fake card readers over the real card-entry slot, says Gier. However, such ATMS are checked more often by branch employees who would notice anything unusual, like a change in the appearance of the PIN pad or something inserted in the magnetic stripe reader, says Suzanne Lynch, assistant professor of criminal justice and director economic crime management program at Utica College in New York.
Look at the face of the ATM. If you see anything suspicious, such as a card reader that is loose or a different color than the rest of the ATM, or that looks as if it was added later because it covers part of the machine that includes text or the logo, do not use the machine, says Miller.
He also advises covering the PIN pad with your hand while entering your number to block cameras that can capture a PIN.
A Cautious Approach
The Better Business Bureau offers a few tips too. "Inspect the ATM. Avoid using ATMs in poorly lit or low trafficked areas. Look for new or suspiciously placed cameras and unusual signage. Don't hesitate to walk away and use another ATM if something appears out of the ordinary. Protect your PIN. When entering your PIN, cover the keypad with your other hand to protect your private information from any cameras in the vicinity. FICO also recommends you periodically change your PIN," it advises.
The ATM Industry Association has much to say on this topic: "Be especially cautious when strangers offer to help you at an ATM, even if your card is stuck or you are experiencing difficulty with the transaction. You should not allow anyone to distract you while you are at the ATM. Check that other individuals in the queue keep an acceptable distance from you. Be on the look- out for individuals who might be watching you enter your PIN. Follow the instructions on the display screen, e.g., do not key in your PIN until the ATM requests you to do so. Do not be in a hurry during the transaction, and carefully secure your card & cash in your wallet, handbag or pocket before leaving the ATM."
Gier keeps it simple, "The best option when possible is to not use ATMs."
Rabinowitz's $8,000 adventure changed his behavior permanently. "I do a couple of things differently," he says. "I am irritated that PIN pads have minimal physical physical shielding (the tiny 2-inch walls that surround the keypad) if any, and I'm more sensitive to that now. I always take my free hand and place it directly above my typing fingers where I am typing in my PIN. Otherwise, it's possible a security camera could record you putting in your PIN, and obviously a thief can recognize the pattern from the video."
He avoids going to standalone ATMs in stores, especially convenience stores. He uses his credit card whenever possible, even for small transactions.
"I still have confidence going to an ATM though, that's actually attached to a branch of a bank, physically, as long as it's in the U.S.," says Rabinowitz, "but I try to avoid needing cash off hours and would rather take the opportunity to interact with one of my banks during normal business hours anyway. I go much less frequently to any ATM."