18

My 21-year-old college sophomore daughter's SECU checking account debit card was skimmed 2 weeks ago at an ATM. She realized it the next day when she tried to use her debit card for a gas purchase.

She withdrew $20 the night before at an ATM with her card and somebody else withdrew $200 right after her. She reported the missing money, shut down the account and cancelled her debit card immediately when she realized it. She made a police report and the SECU called when they had the ATM photos for her to view. The first photo was of her using the ATM and the second photo showed a man she'd never seen before. The SECU had already captioned the second photo: "Girl hands card to guy to use". She was outraged. She asked me to go back with her to see the photos and the caption was still there. The bank reps actually told me twice that there was absolutely NO OTHER WAY for anyone to get money from my daughter's account unless they had her card in their hand and knew her pin number. I asked the question twice because I had heard a little about skimming fraud and knew this WAS possible. I have since then read everything I can get my hands on about the topic but still have a question I am hoping you will answer for me.... Because the second withdrawal (and photo of unknown male) was recorded exactly one minute after the $20 withdrawal my daughter made (and her photo recorded) the SECU says that there is NO WAY that this was a skimming incident. They say that this could not take place in one minute and that the card had to have been handed over to this unknown male by my daughter. End of story. She is absolutely furious and humiliated. I am furious!!

I cannot help but think that if someone has devised a way to retract credit or debit card info and use it for their own purchases, that it is certainly possible that the transaction time can be manipulated as well. I have also learned that it is during these late Saturday night/Sunday morn weekend hours that the computers are backing up/processing transactions and that often the time recorded is off. Am I right or wrong in my assumptions? Is it possible for a thief to skim a card at an ATM and retrieve money from the account recorded only one minute after the valid owner of the account used the card??

I very much appreciate any knowledge you might share with me concerning this matter!

Elizabeth
  • 181
  • 1
  • 1
  • 3

2 Answers2

23

Here is what I think happened.

Two conditions which are found often around universities:

  1. This is ATM at which you swipe your card and the card remains in your possession while the transaction occurs on the screen. This is not the kind which eats the card and keeps it and spits it back out at you.

  2. The ATM software after giving cash for withdrawal and printing a receipt -- resulting in me the user thinking the transaction is done -- then asks "would you like another transaction?"

I've seen this before and I've pointed out to people this behavior when I use the machine behind them.

What happened is that this 1 minute later person was waiting for someone to walk away with the screen on the "would you like another transaction?" prompt. They approach and say yes and can withdrawal money from the account.

There is no skimming required for this type of theft.

jrwren
  • 387
  • 1
  • 5
  • 1
    This is _very_ interesting. Could you please back this with a source/reference? – Adi May 26 '13 at 20:16
  • 2
    @Adnan What source would he need? The bank I go to also has this. You insert the card, remove it and do what you need to do. When done it asks if you want to make another transaction. This is a viable way to steal money, though I don't think the risk is worth the reward, as you probably will not find people forgetting to hit "no" very often. – ComputerLocus May 27 '13 at 20:38
  • 2
    @Fogest Not everybody is from the United States. In Europe, there's the EMV system, which is _totally_ different. Anyway, after a discussion at [the DMZ](http://chat.stackexchange.com/rooms/151/the-dmz), it appears that this is the most likely case. I think this should be the accepted answer. – Adi May 27 '13 at 20:43
  • @Adnan I'm actually Canadian. I had no idea though that other places had systems that differed a lot from this one. – ComputerLocus May 28 '13 at 00:40
  • 1
    This seems possible, but one would think the ATM operators would realize this could've happened instead of accusing her outright. It might also be observable from the screen, in the footage. – Anorov May 28 '13 at 05:53
  • This has happened to me personally. I've been standing in line waiting to use the ATM and people in front of me leave their session opened by not answering "NO" to the question. Which i then have to remind them to do. Good job jrwen to remember this. – Procommtech8128 May 28 '13 at 22:06
  • The atm's that ask if you have another transaction also make you enter your pin again. – longneck Jun 01 '13 at 18:14
  • The [discussion Adnan mentioned](http://chat.stackexchange.com/transcript/message/9624926#9624926) – CodesInChaos Nov 20 '13 at 10:40
15

For a successful attack of this kind to work and be carried out within a minute, two conditions must be met:

  1. The card contains a magnetic stripe.

  2. The ATM supports magnetic-stripe cards.

Since you said SECU, then you probably live in the United States, where the two conditions are met.

How can an attack be carried out?

The attacker could have installed the skimmer then sat somewhere near the ATM with his laptop. Once a card is used, the skimmer transmits the data to the attacker's laptop along with a short video of a hidden camera showing the PIN. While your daughter was withdrawing the money, the attack could be cloning the card and memorizing PIN. Once your daughter left, the attacker could go to the ATM, withdraw the maximum amount allowed, then take his skimmer and run.

Why is the ATM operator so sure that this wasn't a skimming attack?

Now that we saw that it's possible to carry out the attack within a minute, the only possibility left is that the ATM operator checked the footage of the security camera and saw that no skimmer was being installed/removed on that ATM, then sent someone to check the ATM and saw no skimmer.

One possibility is that your bank could have just thought it's less of a PR problem if they just blame your teenage daughter. It's a possibility, but I think it's unlikely.

Could this be really a legitimate withdrawal?

Absolutely. Your daughter could have agreed with a friend/boyfriend to do this. In their naive minds they might have thought that if he did it, they won't be caught.

Just an advice from a stranger on the Internet: Don't let the image of your daughter in your head affect your judgement.

My personal opinion

ATM cards skimming usually takes more than a minute, the abovementioned scenario is possible, but I think it's unlikely. I think this is just an successful attempt by a teenager to take money from her parents. You're not the first family, and won't be the last.

Adi
  • 43,808
  • 16
  • 135
  • 167
  • I would add skimmers usually target busy atm's and do it in batches, leaving the skimming in place for several hours just collecting data. And use a different machine (or even another country) to withdraw the money some time later. – ewanm89 May 25 '13 at 08:56
  • 1
    @ewanm89 While that is indeed true, in this answer I'm trying to explain the plausibility of such attack. Do I think that this case was an ATM fraud? No. But still, it's possible. – Adi May 25 '13 at 10:10
  • One thing that's left out of this answer is the possibility the daughter was coerced by the other man. Meaning she'd indeed be cooperating, but unwillingly and under threat, and later having problems disclosing that. Another possibility is that the skimmer device was not only capable of reading magnetic stripes, but also write to the next one inserted what it read from the first one, before it's read by the ATM's own card reader. If the PIN number is somehow retrieved and the next person informed of it (e.g. by a cell phone), it's quite possible to do this within a minute of last withdrawal. – TildalWave May 25 '13 at 12:17
  • Alternatively, the card in question could have been duplicated beforehand, and all the attacker would then need is the PIN. The daughter could've been followed, the attacker got lucky by shoulder-surfing her PIN and decided to cash on his luck a minute after. – TildalWave May 25 '13 at 12:23
  • 2
    @TildalWave I'm sorry but I'll have to disagree. All of these are really big leaps and speculations. To the best of my abilities, I tried to show the plausibility of the attack _according to the OP's story_. If the daughter was forced to cooperate and until now can't confess it, then the family has way bigger problems and police should be involved as this is a continuing threat. – Adi May 25 '13 at 12:46
  • Understand your suspicions, little background: ATM fraud took place on Saturday before daughter leaving to study abroad 2+months following week. Also in middle of end of junior yr. college exams, submitting senior thesis semester early, last week of internship will return to, cleaning/moving out of apartment to sublease, preparing/packing for study abroad. Stingy and protective of money, trying to save for trip. Mad,shocked; busy week to file police report, call, set up & meet w/CU 3 times. Enraged by CU's response. Friend with her adamant not another sole around them at ATM. CAN this happen? – Elizabeth May 25 '13 at 14:48
  • Daughter asked for any footage available. Either don't have or won't share with her. Says camera takes one photo every minute. – Elizabeth May 25 '13 at 14:51
  • 2
    @Elizabeth I'm sorry for what happened, ma'am. I feel for you, I really do. The problem is that this matter isn't something to be discussed on a public forum. As Tidal already said, there are tens of possibilities, but, unfortunately, we cannot help you figure out what happened. As an answer to your question, yes it is possible. Someone might have cloned the card before and just needed the PIN and got it on Saturday. I really wish I could help you more, but that's something you need to discuss with your daughter and the authorities. – Adi May 25 '13 at 15:26
  • I don't want to tell you something you already know. You might never find out what really happened, you might never know the truth. That's the thing about life, it's sucks with all its uncertainty. I wish the best of luck to you and to your daughter in her studies. – Adi May 25 '13 at 15:30