...are just waiting for someone to doctor them up with card readers and PIN capturing capabilities.
I stopped using my ATM card anywhere except at the bank or at a grocery store where it is very unlikely that anyone has had a chance to tinker with the ATM reader. Cash is now the only safe currency of choice.
This has become so common in northern California that seeing people use the cash option at gas stations is the norm rather than the exception.
Identity theft is a fast-growing problem, and I’ve taken it seriously for quite awhile. I pay to have people monitor my credit to ensure someone doesn’t open accounts in my name, and I try to use temporary credit card numbers when I make online purchases. I shred personally identifiable information that I receive by mail, the better to deter “dumpster divers” who might use it. I’m also a stickler for using complex passwords on any site that provides access to financial information.
There are many, many ways, however, to have your identity stolen, and though from hindsight this should have seemed an obvious possibility, it wasn’t something that I had taken sufficient care to avoid.
As the title of this post implies, someone managed to fraudulently withdraw $2500 from my bank account using an ATM card that was a clone of the one my wife and I have in our wallets (I’m not sure whose card was the original source of the information). This was discovered the night before my birthday, and though I am sure to get all the money back (banks do insure for these kinds of things), it did mean that I spent all day Friday running around faxing, mailing, and filing police reports, which wasn’t exactly the way I intended to spend the day.
According to a detective at the West Hollywood Sherrif’s department, a group of individuals had apparently installed a device inside a gas station pump in the area. This device had access to all information entered through the payment point. This includes full details of information stored on the magnetic strip on the back of cards (why, oh why, aren’t smartcards as common here as they are in Europe), as well as anything entered via the keypad, such as a PIN number or a zip code. The device included a wireless transmitter that broadcast 300-400 feet, allowing someone seated in a car located nearby to capture all the information generated at the pump. At the end of a hard day’s work, the thief would use this information to print the data onto card “blanks.” Given that my information was for an ATM card, they used it to visit bank machines far from my area of town.
I was somewhat surprised, however, that my bank’s fraud detection routines did not flag these transactions. The individual (or individuals) who made the withdrawals took out nearly the maximum amount that was allowed in a give day, and did so repeatedly over the course of three days. Perhaps the first transaction would have been overlooked, but the second and third (followed by a fourth and a fifth a few days later)?
What brought the problem to my attention was the fact that my ATM card was not working, though oddly enough, not because of the fraudulent use of my account. Rather, the block was placed due to a “suspicious” transaction that sent some money overseas, and which was made by my wife. Foreign transactions, apparently, trigger a lockdown in ways that three straight days of withdrawals from my account (each of which was close to the daily limit) did not. I sure hope I never lose my ATM card in Las Vegas.
Anyway, I really should have been checking my bank account more frequently, and from now on, I’ll be a lot more careful about where I use an ATM or credit card. In fact, I used to be a lot more particular about that in the past. What changed, I think, was gas prices. Before, it never took more than $20 to fill my car. More recently, the cost was often more than I had in my wallet as cash.
I should, in other words, make it a point to have more cash on hand, though it does occur to me that that has its own security issues. People can spike ATM machines with card detection devices as well. ATM machines, however, tend to be a bit more secure because they contain large quantities of cash. Barring an epidemic of electronically-altered ATM machines, I’m unlikely to go truly old school and wait in line to withdrawal my money from a human teller.
It is odd, however, to think that modern technology is creating its own hindrance to a cashless society. I certainly carry less cash on hand these days than was the case before, as digital payment alternatives have spread their reach over the years. Such payment mechanisms’ popularity, however, rests squarely on our ability to trust in their security. Credit cards and bank ATMs may be willing to reimburse us for fraudulent charges in order to encourage us to use them, but it is still wise to reduce our dependence on them. Perhaps this will motivate more bulletproof security mechanisms, provided security problems prove a sufficient inconvience to trump the convenience of easy digital payments.
By the way, I’ll be at the Microsoft PDC in Los Angeles this week, thus continuing a trend wherein I opportunistically attend conferences as a member of the press when they come to my home town. I’ll be sure to write about anything I discover there (though keep an eye on Mary Jo Foley’s and Ed Bott’s blog, too, as they are both rumored to be in attendance).
But I doubt a gas pump is equipped an EPP the way ATMs must be. 
