An offender or offenders recently placed an automatic teller machine skimming device on a drive-up Automatic Teller Machine (ATM) at the Bank of America at 200 East Kensington Road in Mount Prospect. The device was used to steal U.S. dollars from the Bank of America via customer accounts — after gathering credit card customer information when the customers used the ATM.
The skimming device (a criminal electronic credit card information capturing device) gathered data on October 11, 12, 24, and 24 and November 26th through 29th to steal over $20,000 from over 300 debit accounts. The skimming device was removed before bank investigators could find it in the ATM. Bank customers complained about unauthorized withdrawals on November 30, 2009, and investigators were able to pinpoint the ATM problem.
In Buffalo Grove $70,000 was stolen in a similar crime that occurred at an ATM at Chase Bank at 175 North McHenry Road. A security camera, reviewed after the incident, recorded two offenders placing a camera and recording device on the ATM inside the bank lobby at 3:40 am. November 14, 2009. The offenders returned on November 16 at 5:15 a.m. and used the recorded information to withdraw funds from multiple accounts.
Two months ago an off-duty police officer reported a possible skimming device on a gas pump at the BP gas station at Dundee Road and Kennicott Avenue in Arlington Heights. It is unknown if that was a bona fide incident.
On most modern ATMs, the customer is identified by inserting a plastic ATM card with a magnetic stripe or a plastic smartcard with a chip, that contains a unique card number and some security information, such as an expiration date or CVVC (CVV). Authentication is provided by the customer entering a personal identification number (PIN).
Instances of skimming have been reported where the offender has put a device over the card slot of a ATM (automated teller machine), which reads the magnetic strip as the user unknowingly passes their card through it. A mobile phone camera can be used as a PIN capturing device, with the image information then transmitted via the wireless device.These devices are also sometimes used in conjunction with a pinhole camera attached to a brochure holder near the ATM to read the user’s PIN at the same time that the skimming device is capturing the magnetic strip information on the credit card.
Skimming is difficult for the typical ATM user to detect because many devices are built into fascia that is made to fit over the ATM; but given a large enough sample, it is fairly easy for the card issuer to detect after the crime has occurred, even if it is not from a single ATM machine. The issuer collects a list of all the cardholders who have complained about fraudulent transactions, and then uses data mining to discover relationships among credit card customers and the merchants they use. For example, if many of the cardholders use a particular merchant, that merchant can be directly investigated. Sophisticated algorithms can also search for patterns of fraud.
Recently, cheaper mass production equipment has been developed and installed in machines globally that detects the presence of foreign objects on the front of ATMs, current tests have shown 99% detection success for all types of skimming devices. It is unknown if the Bank of America had a foreign object detection device installed.
Skimming also occurs with the theft of credit card information used in otherwise everyday legitimate transactions, such as restaurant payments, hotel payments, etc. Skimming often involves an “inside job” by a dishonest employee of a legitimate merchant. The thief can capture a victim’s credit card number using basic methods such as photocopying receipts or more advanced methods such as using a skimmer to swipe and store hundreds of victims’ credit card numbers. Common scenarios for skimming are restaurants or bars where the skimmer has possession of the victim’s credit card out of their immediate view. The thief may also use a small keypad to unobtrusively copy the 3- or 4-digit Card Security Code on the back of the credit card, which is not present on the magnetic strip.
If fake credit cards are produced from the skimming information and a third merchant accepts the fake credit card without verifying the identification of the card holder, the merchant is responsible for the loss of income, as they are not paid by the bank or financial institution that issues the real credit card.
Merchants must ensure the physical security of their terminals, and penalties for merchants can be severe if they are compromised, ranging from large fines by the issuer to complete exclusion from the system, which can be devastating to businesses such as restaurants where credit card transactions are common.