
Atm Fraud

My husband and I were in Italy for three weeks in September. When we travel I use ATM cards for cash withdrawals. I have two checking accounts at different banks for this sole purpose. The accounts have only the money I wish to spend on vacation. When we return any monies not used get transferred back to our other accounts. I continue to check the accounts for fraudulent activity for about three weeks after I return even though there is only $50 in them.

Today I checked one of the accounts to find there was a $40 cash withdrawal from an ATM in Florida on November 30th. Two days later there was a balance inquiry and 10 days after that (yesterday) there was another balance inquiry. I called the bank to report the fraud and have them cancel the card. I could not believe two months after we returned from Italy all this happened. I did not lose my cards as we have them. Someone made a copy of my card. I try to be careful about where I use it. We used this card 4 times: once in Naples, twice in Sorrento and once in Noci. Twice I used it at an ATM machine inside a bank, once at a bank ATM not in a bank and the other time I can't remember. Just thought I would share and let everyone know. Be careful and keep checking your accounts.

Posted by
4531 posts

Joyce,

I'm confused by this statement:

Today I checked one of the accounts to find there was a $40 cash withdrawal from an ATM in Florida on November 30th.

Did you intend to write Florence instead of "Florida"?

If the withdrawal was done in Florida (USA), then that probably means that someone made a copy of your card here in the US & not in Italy.

Sorry this happened to you...

Posted by
238 posts

My ATM card was only used on my vacation in Italy. I never used that card here in the states. A fraudulent copy of my card was made and that card was used in Florida. My information was stolen from one of the cash withdrawals made in Italy.

Posted by
8906 posts

If the withdrawal was done in Florida (USA), then that probably means
that someone made a copy of your card here in the US & not in Italy.

Not necessarily. When a card is skimmed, the details a bad guy captures are auctioned off on an underground site for big bucks. The person who wins that auction can be anywhere in the world, in this case the US of A.

Posted by
6236 posts

Did this debit card have a chip in it? I cannot imagine how a chip-enabled card could be copied easily (and inexpensively).

Posted by
8906 posts

I cannot imagine how a chip-enabled card could be copied

The data contained on the magnetic strip was copied. Until all ATM machines are converted into devices that can only read chip cards, and all cards just have the chip on them and not chip + magnetic strip, skimming will still be a thing.

Posted by
6236 posts

Michael,
But do overseas ATMs read the magnetic strip at all? I thought they just read the chip, and each transaction has a unique code. I really don't know what a skimmer is or how it works when one puts in a card fully into a machine that just reads the chip as opposed to sliding the magnetic strip up and down.

Posted by
31055 posts

Joyce,

Sorry to hear that you had problems and thankfully you didn't sustain any significant losses. Your practice of using the cards only for holidays is prudent as that way the scammers wouldn't have access to the cards you use at home (and accounts with more money in them).

A few questions....

  • You stated that the cards were equipped with a chip. With both purchases and ATM withdrawals in Europe, were the cards skimmed rather than using the chip?
  • Are the cards Chip & Signature or Chip & PIN (EMV) cards?
  • Are the cards equipped with an RFID chip (ie: PayWave, PayPass or whatever your bank calls them)?

I suspect the cards were compromised using "skimming" as that's very easily done. If the card is equipped with an RFID chip, that's another easy way to obtain enough information to duplicate the card, without even touching the card. However, I'm not quite sure how they would know the PIN to use the duplicate card at an ATM in Florida (I've heard of that happening before, so there must be a way of setting the PIN on a duplicate card).

If the card is a true EMV "Chip & PIN" and was inserted into the POS terminal and a PIN used to verify the transaction, in that situation it's extremely difficult to obtain card details. That's not something the average scammer would be able to do. I've only heard of it happening in a University setting by some extremely well educated people who had a lot of sophisticated technology to work with.

Thanks for posting this, as it's a good reminder.

Posted by
238 posts

Ken,
Sorry, way too technical for me. There is a chip in the card and I can use a PIN or sign, as it is a Visa debit card. However, I only used it for ATM withdrawals. I had to put my PIN in for the cash withdrawal.

Posted by
1136 posts

The same thing happened to me in 2008. I only used the card for the trip and had only 5 dollars in the account. Eight months after we got home someone in British Columbia took out $500... my bank took money out of my savings and put it in my checking so I wouldn't have an overdraft (and charged me a huge fee to do it). It did trigger a fraud alert since the card had not been used in months and they were denied more. I got all my money back but it was a wake-up call. I now change my PIN every time I get home from a trip in hopes that will help. Sorry it happened to you. You are obviously a cautious person, which saved you from an even bigger headache. I think my card was skimmed in Venice but will never know for sure.

Posted by
8906 posts

But do overseas ATMs read the magnetic strip at all?

Yes, that's how people with magnetic strip only cards are able to use them.

Posted by
6087 posts

I'm a bit confused. Even if they got the card number, how could they make a cash withdrawal unless they had the PIN number? PIN numbers aren't encoded on the card, are they? So it must have been an ATM that had a skimmer on it that also collected the PIN. Pretty hard to imagine that at ATMs inside banks, so it had to be one of the other ATMs I guess. Is there any other way that could happen?

Posted by
8906 posts

Card skimmers are connected to tiny video cameras which capture the owner of the card typing the PIN number into the ATM machine.

Posted by
31055 posts

Joyce,

If you used the card only for ATM withdrawals, the most likely explanation is that scammers used an ATM skimmer over top of the real ATM. This video shows how it's done.....

https://www.youtube.com/watch?v=ll4f0Wim4pM

If they also had installed a small wireless camera above the ATM, they would have also captured your entry of the PIN.

Posted by
4531 posts

Thanks Michael & Ken for explaining how this may have happened.

How can one make sure this doesn't happen to them?

I always try to use ATMs within a bank, but I suppose this can happen to anyone...

A couple of months ago, someone copied my DH's credit card and they went on a shopping spree spending over $2,000 at various businesses. The cc has a chip & magnetic strip, and we were told by our bank that someone must have made a duplicate and all they need is the cc number. When the bad guys try to use it by swiping the card, and it doesn't work, the number is then entered manually by the business & the charge goes through. Fortunately we were credited for all the fraudulent charges.

Posted by
31055 posts

"How can one make sure this doesn't happen to them? "

I doubt that there's any way to totally prevent that type of fraud, but a few things that might help......

  • When using an ATM (especially one that's outside of a bank foyer), inspect the machine to see if anything looks "unusual" (ie: the front of the machine looks different). Sticking a skimmer over top of the legitimate machines is a common method.
  • Cover your hand when entering the PIN and that way a camera mounted at the top of the machine won't be able to capture the PIN.

Also inspect other machines such as POS terminals attached to gas pumps. We had a situation here not too long ago where the evil-doers were attaching skimmers over top of the terminals at gas pumps when the stations were closed at night. Here in B.C. we use a "pay before pump" system, so using cards (either debit or credit) prior to filling up is the method most people use when filling up the family jalopy.

I had one of my Chip & PIN debit / ATM cards compromised about six months ago, and I believe that happened the ONE time I swiped the magnetic stripe at a local business, instead of using the C&P system. The first time I tried to use the terminal, it indicated that the C&P portion wasn't working so instructed me to swipe the card. The scammers had probably exchanged the POS terminal for a "modified" unit which captured information off the card. The fraud department at my credit union discovered the scam very quickly, and they issued me a new C&P card on-the-spot. This has been a frequent problem in the past, and as a result most businesses now have their POS terminals inside a steel frame and bolted to the counter with a stainless steel cable so they can't be switched to "modified" units by crooked late night cleaning staff or whomever.

The magnetic stripe is the "weak link" and I'll be glad when they get rid of that old-fashioned rubbish for good!

Posted by
11613 posts

Thanks for all this info, fellow posters.

One more level of caution, if you do use a separate account for vacation funds only, is to not put all your money in it at once, but transfer money from your main account into the vacation account as you go.

Posted by
3436 posts

It was probably the one time used where you don't recall what type of ATM it was where they got your info. Banks are very good at checking and keeping bad things from happening on their machines (not saying it is impossible, but more unlikely than the ATM sitting in the dark corner at a bar or restaurant or other store that only gets checked when they refill the cash once a month or so).

The scammers are smart. They have discovered ways to make a copied chip card work without the chip. This will continue to happen until the mag stripe is completely eliminated from cards. Not any time soon unfortunately.

Your approach to having a travel only account is good. It probably saved you from even more frustration if the card had been attached to your main bank account.
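
The pattern several posters describe (a travel-only card that goes quiet for weeks, then is used in another country, with a chip card read by its magnetic stripe) is the kind of break in behaviour that fraud monitoring looks for. The following is an added example, not part of any poster's message and not any bank's actual rules; the field names, the 30-day threshold and the sample transactions are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

DORMANT = timedelta(days=30)  # assumed threshold, not any bank's real value


@dataclass
class Txn:
    when: datetime
    country: str   # country of the ATM
    kind: str      # "withdrawal" or "balance_inquiry"
    entry: str     # how the card was read: "chip" or "magstripe"
    amount: float = 0.0


def flag(history, card_has_chip=True):
    """Return [(txn, reasons)] for transactions that break the card's pattern."""
    alerts, trusted = [], None
    for t in sorted(history, key=lambda x: x.when):
        reasons = []
        if card_has_chip and t.entry == "magstripe":
            reasons.append("magstripe read on chip card")
        if trusted is not None:
            if t.when - trusted.when > DORMANT:
                reasons.append("card dormant before use")
            if t.country != trusted.country:
                reasons.append("country changed")
        if reasons:
            alerts.append((t, reasons))
        else:
            trusted = t  # only clean activity moves the baseline
    return alerts


# Constructed sample modelled on the first post; year, days, amounts and entry modes are assumed.
SAMPLE = [
    Txn(datetime(2018, 9, 5), "IT", "withdrawal", "chip", 250.0),
    Txn(datetime(2018, 9, 10), "IT", "withdrawal", "chip", 250.0),
    Txn(datetime(2018, 9, 14), "IT", "withdrawal", "chip", 200.0),
    Txn(datetime(2018, 9, 20), "IT", "withdrawal", "chip", 200.0),
    Txn(datetime(2018, 11, 30), "US", "withdrawal", "magstripe", 40.0),
    Txn(datetime(2018, 12, 2), "US", "balance_inquiry", "magstripe"),
    Txn(datetime(2018, 12, 12), "US", "balance_inquiry", "magstripe"),
]

if __name__ == "__main__":
    for txn, reasons in flag(SAMPLE):
        print(txn.when.date(), txn.country, txn.kind, "->", ", ".join(reasons))
```

Because the baseline only advances on clean transactions, the two later balance inquiries are flagged as well instead of being treated as normal activity following the first suspicious withdrawal.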

Posted by
1075 posts

2nd day in Madrid, received a text from Chase asking if DW had tried to make a charge of almost $1100 from a health store in CA; replied "no," and CC was cancelled. The place she used it was to get our Metro tickets - the machine only took CCs, not cash, at that station. I have all my cards set up to text us on any odd charges or ATM transactions so it's basically instant notification, especially when I travel out of the U.S. Should also note that I go to their websites and list where I will be traveling. Don't know why, but the Chase card has been compromised on three of our last 4 trips - the time before this while we were still in the D.C. train station. While in Sicily 4 years ago, a repair shop in Idaho tried to put through a $6000 charge - on that Chase called instead of texted.

Posted by
981 posts

I work at a bank and part of our team is the AM fraud department and I have handled ATM claims myself. With that being said, I never worry about ATM fraud while traveling, and I have seen it all. I take two cards from two different banks but only because I worry about my card being unable to communicate with my bank or systems going down. I worry more about my physical safety while withdrawing cash because I am usually withdrawing a large amount so I use all the regular precautions and use a machine either attached to or inside an actual bank. I know I am protected against fraud and that I will be refunded for any unauthorized withdrawals.

Posted by
11613 posts

Another thing, I get "Purchase - Card Not Present" notifications almost immediately with Amex - probably can be arranged with other cards as well.

Posted by
4509 posts

I know I am protected against fraud and that I will be refunded for any unauthorized withdrawals.

This is true, but it misses the point of why some people set up separate vacation accounts. If a thief can drain your checking account, it creates all kinds of hassles and charges if that account has auto payments and debits (as most people do). Creditors and businesses might impose charges for missed payments or "insufficient funds" and those can be hard to get waived. It can take time for your bank to investigate the fraud charges and restore the appropriate funds to your account, leaving you without access to your account and money for that duration. And then one has to manually reset all those auto payments with the new account information.

Joyce's story is an excellent example of why a separate vacation account is a good idea. It may be a fairly rare occurrence (and can happen domestically too), but it was a wise investment in her case.

The other benefit of a vacation account is that one can use a provider that charges low or no ATM fees. Since most people's banks do charge fees, this is an easy way to protect yourself and avoid extra fees. Win-win.

Posted by
2786 posts

but transfer money from your main account into the vacation account as you go

Maybe I worry excessively, but I would never transfer money from account to account while traveling. I won't even access bank or credit card accounts on travel.

Posted by
17088 posts

I've had the experience of having to cancel a credit card with auto-payments attached during a European vacation. It is a concern and it's worth trying to minimize that risk, but my card company continued to accept automatic charges against the old card number for a good bit of time after the card was canceled and a new card issued (which I did not have in hand until I returned home). I assume their algorithms note the difference between one-time and recurring charges.

I also had to cancel my primary ATM card due to the same unfortunate event, and the automatic payments of (multiple) credit card bills continued to go through. If they hadn't, the fees and interest charges would have been really painful.

In theory, I agree that it would be a great idea to use separate cards for travel and for recurring charges, but I try to push everything through a no-foreign-fee mileage card. Love those free flights. (No, I do not select only hotels, restaurants and shops that accept credit cards. I go where I want to go, mostly to budget places, and if they don't accept credit cards, it's fine with me. But if they do take cards and I've spent a reasonable amount of money, I'm going to pay by card.)

Posted by
4509 posts

acraven - your examples are different from the idea of a checking account being drained because of a copied ATM card. If there is no money in the account, then the bank either will not pay auto debits (meaning those creditors will charge fees) or may automatically transfer money from another account (allowing even more to be drained by the crook). In cases where a credit card or ATM card is compromised, the account remains fully operational for other set transactions; you just have to wait for a new card to be issued (and sometimes reset auto-payments and websites that "remember" your card info).

Posted by
17088 posts

You're right, of course, in the case of a skimming operation or a well-organized theft after which the perpetrators immediately push the card to the limit. I was thinking of situations in which the holder of the card was able to get it canceled before much, if any, damage was done.

Posted by
517 posts

Regarding the transferring of money during a trip....I probably wouldn't do that except in an emergency, because I'd have to use unsecure hotel wifi.

Posted by
31055 posts

"Regarding the transferring of money during a trip....I probably wouldn't do that except in an emergency, because I'd have to use unsecure hotel wifi."

I routinely transfer money between accounts during travels, using the App from my Credit Union. However, I switch off the Wi-Fi and only use LTE for that, as it's much harder to hack. So far no problems.

Posted by
3436 posts

The dangers of using public WiFi are overblown. The issues you see reported are mainly based on anecdotal stories from the early days of the internet before everyone knew to use secure connections.

When was the last time you used a hotel WiFi anywhere that did not require a logon and password? Sure, the same logon might be shared around a hundred or so current guests at the hotel, but the specific link you are on is secured by that. I would choose a WiFi requiring a user ID password over some open one I find in a back alley in a third world country.

Every bank, and I mean every bank, uses HTTPS connections for their sites at a point way before your user ID and password is asked for. That information is sent 100% over secure connections. Even the Rick Steves Travel Forum (where you are right now) is secure. YouTube is secure. My email is secured. There is very little that is sent over the net that is not through secure connections today. Even if you are on an open public WiFi, the connection to your bank is still secured.

I'm not guaranteeing that somehow somewhere your information will never get stolen, but that comes down more to how the information is stored on your computing device. My information is all in my head with nothing that would allow anyone access to anything I don't want them getting into through the actual device. And I change my passwords on return home from any trip. But I use the internet including banking while traveling without worries.

Posted by
517 posts

Hmmm, interesting. So if they give you a password, it's okay, but open on a train or at the airport or at McDonalds it's not okay?

Posted by
3436 posts

Never been to a McDonalds where there was no password. Last train I took with WiFi (London to Edinburgh) I was given a password.

At the airport (or any place with no password login), the connection I establish with my bank is secure. What is less secure there is someone possibly sneaking into your computer device and copying files or inserting a virus. Best way to prevent this problem is to make sure you have a firewall on your device and it is turned on.