Card tricks: outwitting ATM thieves who use 'skimming' devices
ATM thieves use a 'skimming' device, surreptitiously fitted into the ATM card slot, to steal your data, and then your cash -- but you can outwit them by protecting your PIN, says John Cradden
JUST when you thought you could let your guard down a little, some sneaky thieves are still looking over your shoulder.
Following the rollout of the 'chip and pin' card system from 2007 and the installation of anti-skimming technology in most ATMs around the country, the problem of ATM and card fraud appeared to have been virtually wiped out here.
But according to the Irish Payment Services Organisation (IPSO), the number of incidences of card skimming -- where thieves fit devices into the ATM card slot in order to copy your card details -- rose sharply from last April.
"We had seen a complete cessation of this type of crime from quarter three last year until the second quarter of this year," says Una Dillon of IPSO.
Out of 36 ATM skimming attempts made since April, 24 were successful, while the other 12 didn't work because they had anti-skimming devices installed.
It seems that thieves are still targeting the remaining few ATMs in the country that have not yet been fitted with these devices. These are due to be upgraded over the coming weeks, says Ms Dillon.
Of those attempts that were successful, it is understood that the card issuers blocked or monitored the cards used at the ATMs so cardholders were not affected.
During card skimming at-tempts, thieves transfer the skimmed data (contained on the black stripe on the back of your card) to a blank counterfeit card. In most cases, it is understood that the thieves don't even have to recover the skimming device from the ATM, as they can download the information remotely.
In addition, thieves use a micro-camera, usually hidden in metal to match the ATM being targeted, and glue it to the top of the ATM to capture the pin number as you key it in.
So if you've ever wondered exactly why every bank advises ATM users to cover their hand while keying in their PIN number, this is the reason.
"Regardless of the equipment that the criminals have used, the crime is based on capturing an image of the PIN while it is being input," says Ms Dillon.
"If they don't have that, then the electronic card details are of no use. It sounds simple, but it really does work." Even if thieves obtain the information from the black stripe and get the PIN number, it won't have the chip that would enable it to be used in a chip and pin machine, whether an ATM or a point of sale (POS) terminal. But there are still a few countries, including the US, that have not implemented chip and pin systems, so this is the loophole that the recent thieves exploit -- by using the copied cards in these countries.
As well as ATMs, you should also be vigilant about using your card at point of sale (POS) terminals in shops and stores.
Earlier this year, there were reports of criminals 'shoulder surfing' in supermarkets, then distracting people in car parks while an accomplice stole the card, purse or wallet.
One woman reportedly lost €25,000 over a number of days as a result of this type of attack.
"A number of gangs were arrested for carrying out this crime in the recent past, and it hasn't been obviously prevalent since then," says Ms Dillon.
Although Irish banks have refunded customers if a genuine ATM or card fraud has taken place, other countries, including the UK, are reportedly more reluctant to do so when they can find any evidence that a customer has been negligent.
According to Ms Dillon, banks here will not turn a blind eye to obvious carelessness, such as writing a PIN on the actual card only for it to fall into the hands of someone who then uses it.
"The PIN is the key to a bank account using a payment card," she says. "Customers are required under their bank's terms and conditions to keep their PIN to themselves and not share it or write it down.
"In cases where a customer clearly allows a criminal to shoulder surf and then access their card, this could be deemed as negligent, depending on the circumstances," says Ms Dillon.
While any extra security measures being put in place by the banks to prevent fraud are welcome, some of these measures can trip up the banks.
For instance, Bank of Ireland recently had to issue €3m in refunds to 43,000 customers who made ATM withdrawals between 2005 and 2009 but never took their money.
If a customer taps in a request for money from an ATM but does not take the money out of the machine, the money is normally taken back into the machine after 30 seconds. ATM cash not withdrawn is normally refunded automatically to the customer's bank account.
The Bank of Ireland's issue arose following the installation of anti-fraud measures, which had the effect of disabling this automatic refund response.