The Great ATM Scam of ’02

There was a ATM fraud controversy several years ago that wasn’t highly publicized (if at all) in the newspapers or on TV.

And I happened to be in on it from almost the very beginning!

“I’m telling! I’m telling!”

Not ripping off people, silly, but in identifying what was happening!

It was a Saturday morning in September of either 2002 or 2003, the first day of the 3-day Labor Day weekend. And here’s how that story goes…

I’m at home, doing some emails, when I get a phone call from the Control Desk at CitiPhone. Apparently, several customers have been calling in regarding “unauthorized ATM cash withdrawals”.

Now in banking, and it’s really no different at Citibank, we often receive tons and tons of “UNRECOGNIZED cash withdrawals”…claims where the customer doesn’t remember performing the transaction, or gets confused as Saturday & Sunday withdrawals “post to the account” on Monday, or where the customer’s spouse actually withdrew the cash.

These are, usually, easily & quickly resolved.

But UNAUTHORIZED ATM cash withdrawal claims are another matter entirely!

These claims are where the customer adamantly denies that either he or another authorized signer performed the transaction nor did he give someone else permission to do so (and provided that person with his card & code).

Now, if a customer loses his card or has their wallet/purse stolen, there very well could be unauthorized withdrawals as many customers (believe it or not) actually write their PIN/Personal Identification Number on the card itself! (Note: BTW, you are NOT liable for unauthorized cash withdrawals if you lose your card & you had your code written on it! Now, that’s different than giving access to your card & code to someone else.)

What was unusual about all these UNAUTHORIZED withdrawal claims is that all the customers STILL HAD THE CARDS IN THEIR POSSESSION!!!

The ATM cash withdrawals were often occurring in different cities, different states & even, different countries from where the customer lived & worked! Looking at customer accounts, I saw withdrawals in San Francisco, England & South Africa, yet none of these customers had ever traveled to these sites!

They’ve always had the card in their possession…never traveled to or visited the site of the unauthorized ATM withdrawals…and had absolutely no idea of what was going on!

One of the first things I asked the person calling me was “Why aren’t you discussing this with the ‘officer of the day’?”

Not that I was “bothered” by the call or that it “didn’t wanna help”…not in the least!

You see, it was regular practice on a Saturday (because we received thousands of customer calls, even though it wasn’t a business day) to have a senior officer, a VP or Asst VP, on site to oversee things. We would receive about 25,000 calls on a Saturday, ~40-45% of a normal business day’s volume. The officer of the day was an on-site resource to assist the managers, to help the reps, to provide a calming influence with any & all situations.

I was FURIOUS when I learned that there was no officer of the day on site (although, as things turned out, it was probably better as I may not have been contacted for assistance). As it turned out, there were no senior officers on site that day! It was the Saturday of a 3-day weekend & apparently, all the senior officers in CitiPhone were out at one of the employees’ wedding…that’s why they called me!

(Note: They SHOULD have asked me, earlier in the week, if I would’ve served as officer of the day. I surely would’ve agreed! But…)

It was fortunate that they recognized that something was amiss. Normally, we would receive an unauthorized claim here & there, but it was almost always associated with the customer losing their card or having it stolen.

But I immediately sensed that we had a serious problem on our hands as that wasn’t the case! Dozens & dozens of unauthorized cash withdrawals, across the country & globe…while the actual cards are still in the customers’ possession…signals REAL TROUBLE!

I gave instructions to the Control Desk officer who called me to immediately page & call one of the chief fraud officers at Citi. He was a former FBI agent with all the right connections. I told our person to tell him that I personally instructed them to call, provide the details of the customers’ claims & tell him that I truly believed that this was, indeed, a major red flag & possibly, just the tip of the proverbial iceberg!

I needed to be kept in the loop on everything that was happening. I instructed them to also call the Weehawken Data Center & have them contact the appropriate senior officers in Systems, Retail Bank & Fraud/Operating Losses. This was NOT a drill or a scare tactic…we were under attack!

As it turned out, we got hundreds & hundreds of unauthorized ATM claims throughout the 3-day weekend & into the following week(s)! And these crooks were sharp, too.

Our cash withdrawal limits were based on EACH individual account! If the customer had a Checking, Savings, Money Market & Ready Credit account, all “tied together” to the same card, the crook could easily withdraw from each account (or even transfer funds from Checking, then withdraw from another account!)

In addition, our individual cash withdrawal limits were the highest in the country…$1000 per business day, per account ($2000 for CitiGold & Private Bank)! And considering all the accounts that can be linked together on one card (yet maintain separate & distinct withdrawal limits), we’re easily talking about several 1000s of dollars per person!

Other banks in the New York metropolitan area were also experiencing similar situations (as we soon found out). We worked very closely with the FBI, Secret Service and data analytics experts to try to figure out what common thread existed that tied all these customers together.

Finally, after weeks of exhaustive investigative research & interviewing many of the victims, it was discovered that every one of the impacted clients (both Citi customers as well as the other banks’) had used a certain “ATM” in northern Manhattan at a local bodega.

We found out that they all used this ATM back in June & each one had the same exact experience…they dipped their card, entered their PIN as instructed by the machine, then a screen was displayed, telling them that the ATM was either out of order or out of cash.

The customers thought nothing of it & merely went somewhere else to get their cash.

But NONE of these incidences appeared on any of the banks’ records. That’s because it was a “dummy ATM”!!!

It was never connected to the ATM network…it was just a “front” used to capture the user’s card # & PIN.

There was no signal sent out. It was programmed to automatically display that error screen.

Once they (the crooks) collected enough legitimate card #s & associated PINs, they removed the “ATM”. They waited awhile, then produced hundreds (thousands?) of pieces of “white plastic”, blank cards with the prerequisite magnetic stripe containing the customer’s card number & other appropriate information.

They wrote the actual PIN on the card itself.

Then they waited for the Labor Day weekend to hatch their plot!

They would go to different ATMs around the city to withdraw cash. Apparently, they also “sold” (or sent)  some of the card/PIN info to accomplices around the country & the globe! I remember working directly with the Secret Service & the FBI as they actually tracked one of these goons as he went from ATM to ATM, wiping out as much as he could from these customers’ accounts. Often times, the ATMs would run out of cash (some could hold up to almost $100K)! They seemed to love Citi as we always had at least 2 machines at every site…some Manhattan sites would have up to 20 ATMs!!!

The only limits the crooks faced was the customer’s available balance in the account, the maximum daily cash withdrawal limit imposed by his bank & the amount of cash in the actual ATM.

When the authorities finally apprehended one of the henchmen, his coat & pants pockets were absolutely stuffed full of white plastic & cash.

Lots of each.

I don’t believe that the authorities ever caught the masterminds behind the scheme (or if they did, it certainly wasn’t made public). You also have to realize that this information gets sold, over & over again, on the black market & the “dark Internet”. I know, for a fact, that Citibank lost millions and millions of dollars (somewhere north of $25MM!) & other banks probably suffered similar losses.

Months later, I’m watching an episode of the Sopranos and there’s a shady deal going out at a bar with somebody selling a sheet of paper with legitimate ATM numbers and PIN codes that have been compromised. One of the characters commented that this goes on constantly!

Especially in today’s world, there are so many “card skimmers” at ATM machines, especially at gas stations, with devices that are placed on top of card readers or, in the case of some gas stations, placed inside the pump, to steal and capture/transmit card & PIN information.

My own daughter recently got ripped off as her Green Dot card information was somehow hacked. She was hit with three fraudulent $300 cash advanced as well a $.31 store purchase! Of course, she didn’t do any of these. She still had her card in her possession!

She got an alert at noon on a Saturday, saying that her payroll direct deposit just hit her account. Minutes later, she looked at her account and there were these 3 unauthorized $300 cash advances that occurred in Houston. She happened to have just purchased a coffee from Starbucks in San Antonio & then immediately withdrew the rest of her cash. She couldn’t withdraw the remaining $17.31 so she transferred $17 to “the vault” (Green Dot’s savings acct), leaving 31¢ in Checking. The crooks then went to a kids clothing store in Houston and did a signature-based Credit purchase with her card info. Green Dot allows the purchase up to your available balance so they OK’d the 31¢ (with the customer owing the store the rest).

That turned out to be great evidence that 2 cards (my daughter’s legitimate one & the crook’s manufactured one) had to perform these transactions as it’s physically impossible to have done cash advances in Houston, then bought coffee & withdrew cash in San Antonio, then went back to Houston for the $.31 in-store signature-based purchase…all in a couple hours!!!

It takes at least 3 to 3 1/2 hours ONE WAY so a San Antonio-to-Houston ROUND TRIP is impossible to do in 2 hours!!!

But, of course, the idiots at Green Dot denied her claim, saying everything was done in the “same geographical area”. Apparently, they didn’t look on a map & just saw that each location was in “TX”!

Oh, yeah, their Investigations Unit was based in India!

When I learned this, I told my daughter to write letters to their CEO & COO in Pasadena, CA & send them FedEx. (The COO was rather new but had been President of Citibank-California & a former colleague of mine. He’s actually back with Citi now.)

We threatened to contact every Federal & state authority, every consumer protection agency, every politician, every newspaper & media outlet, then sue Green Dot bank for 4x the damages if they didn’t honor the claim!

She promptly got her money back.

Duh.

This stuff is so rampant nowadays. All I can say is make sure you keep your card in your possession at all times, but that’s still not gonna stop you from getting ripped off!

When you go to an ATM, tug on that card reader as hard as you possibly can…try to pull the sucker off!

Don’t worry, if it’s legit, it’s not gonna move. If it’s fake, you may be able to unhinge it. When it’s fake, it lies right on top of the real one and steals the information. You still can get money out of the ATM because the ATM is still accepting your card, but you won’t realize that, in between, there’s a “middleman” who’s stealing all your information!

And when you go to a service station to buy gas, not only should you pull HARD on the card reader at the pump, but also take out your cell phone & turn on Bluetooth.

If you see that your phone’s Bluetooth is searching for a signal nearby (it will display a whole bunch of changing numbers and letters), that means there’s a good chance that there’s a Bluetooth device inside the pump that’s trying to steal your information. Do not use that pump & tell the manager/owner of the station. Also, call the police.

Hate to say it, but I guarante, er, would guess that some of the gas station staff are somehow involved with the schemes. I will never understand why the big oil companies, and ALL station owners, don’t make it mandatory that their pumps are checked a few times daily to see if these physical skimmers (on the outside of the card readers) or the Bluetooth devices (inside the pump) are present.

Now to get back to the Great ATM Scam of ’02 (or ’03)…

A major reason why it was never really publicized was the fear of “unnecessarily” causing consumer unrest. Banks maintain huge reserves for losses (just like insurance companies do for natural disasters) & as such, have pretty high operating expenses that are not immediately evident.

(Wow, I sound like an official spokesman for the banking industry.)

It’s all part of the cost of doing business as they take as many precautions as possible & have many safeguards in place to combat this stuff. But there are so many devious people out there & it always seems that the banks are playing catch-up with the crooks! Every night, I pray to God that these crooks would sometimes use their intelligence and brains for a good cause, something that’s going to help mankind. I’m convinced that if they did, we would’ve cured cancer a long time ago!

Oh, well, it’s the eternal battle between good & bad. Good luck with your particular one…

As always, thank you so much for listening!