A recent case in which skimming devices were placed inside of ATMs was one of the more sophisticated frauds of its type, according to the Secret Service. While two of the thieves have been apprehended, the scam's leader is still at large.
June 4, 2003
Skimming, a form of fraud in which thieves use a handheld device to illegally obtain data stored on magnetic stripe cards, is most often practiced by waiters, gas station attendants and other retail clerks who are handed a card, then surreptitiously skim it before returning it to a customer.
The skimmed information is then transferred to a piece of white plastic to create a phony card, which can be used to access an account at an ATM.
But a recent skimming case featured a new twist: a thief who allegedly placed skimming devices inside of ATMs. The man used the retail ATM business to his advantage, buying machines from four ISOs in three states and moving them repeatedly, to stay ahead of the federal authorities pursuing him.
Though he did not divulge specific details of what kinds of devices were used or how they were attached to the ATMs, Secret Service agent Gregg James said they were located inside the machines. In the past, external devices have been used -- typically in the keypad or the card reader -- to capture PINs and/or actual cards.
James, a special agent with the Secret Service's Financial Crimes Division, said the Secret Service had shown the device to several ATM manufacturers so they could consider making modifications to their machines to thwart future skimming efforts.
In a presentation at the recent NYCE Electronic Delivery Conference, James said that the man's accomplice, a man he identified only as HF, was apprehended in January. Also arrested was a "runner" who visited ATMs in New York City and withdrew cash using the stolen information.
On the lam
The alleged leader, a man James calls IF, is still at large. Federal agents believe that IF, a Russian who uses at least 30 aliases, has ties to organized crime and has orchestrated check fraud scams in the past, is living somewhere in the Caribbean.
IF, the man on the left, allegedly led a sophisticated ATM skimming scheme that the Secret Service believes may have impacted up to 1,400 financial institutions. He is still at large.
Federal agents are also concerned that IF may be planning to try ATM skimming elsewhere. According to James, he tried to get one of the four ISOs to provide ATMs to deploy in the UK.
Agents believe that up to 1,400 financial institutions may have been impacted by IF's skimming scheme, which took place in California, Florida and New York in late 2001 and early 2002. Only about 60 have reported losses, however, for a total of about $4 million.
Following the trail
The Secret Service worked with the NYCE network and with several victims, most notably Citibank, to identify ATMs where fraudulent withdrawals were made. Those efforts led them to the runner, who in turn led them to IF's accomplice, HF. In addition, a photo of IF was identified by one of the ISOs who sold him machines.
While none of the ATMs with the skimming devices were in the NYCE network, dozens of NYCE machines were used to make fraudulent withdrawals. NYCE became aware of the problem through its use of an HNC software program called CardAlert Fraud Manager, which analyzes transaction data to identify fraud in its early stages.
According to Stephen Platt, HNC's vice president of issuer risk management, CardAlert Fraud Manager can identify "points of compromise" at ATM and point-of-sale locations, then analyze them and produce reports that notify financial institutions of all accounts that may have been skimmed at those locations. A typical course of action is to block the accounts and issue new ones to customers, Platt said.
While the fraud committed by IF was the largest ever identified by HNC in terms of points of compromise and affected cards, Platt said it was not the first to be committed by a well organized group of criminals using a relatively sophisticated method of skimming.
"As the scope of debit card skimming cases continues to escalate, so too will the value of our service," Platt said.
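One way to run the kind of "points of compromise" analysis described above over transaction data: find terminals where an unusual share of the cards used there were later reported for fraud, then list the other cards used at those terminals for issuer review. This is an added example, not HNC's CardAlert logic or anything from the case; the thresholds, terminal names and card IDs are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample: (card_id, terminal_id) for each card's use BEFORE any
# fraud was reported. All identifiers are made up for illustration.
HISTORY = [
    ("c1", "ATM-A"), ("c2", "ATM-A"), ("c3", "ATM-A"), ("c4", "ATM-A"), ("c5", "ATM-A"),
    ("c1", "ATM-B"), ("c6", "ATM-B"), ("c7", "ATM-B"), ("c8", "ATM-B"),
    ("c9", "ATM-B"), ("c10", "ATM-B"),
    ("c2", "ATM-C"), ("c3", "ATM-C"), ("c11", "ATM-C"), ("c12", "ATM-C"),
    ("c13", "ATM-C"), ("c14", "ATM-C"),
]
# Cards whose issuers later reported counterfeit withdrawals (constructed).
FRAUD_CARDS = {"c1", "c2", "c3"}


def points_of_compromise(history, fraud_cards, min_fraud_cards=3, min_ratio=0.5):
    """Flag terminals where many of the cards seen there later turned fraudulent.

    min_fraud_cards and min_ratio are assumed thresholds: a terminal needs
    enough fraud cards to rule out coincidence, and they must be a large
    share of its traffic so that busy, innocent terminals are not flagged.
    """
    cards_at = defaultdict(set)
    for card, terminal in history:
        cards_at[terminal].add(card)
    flagged = {}
    for terminal, cards in cards_at.items():
        hit = cards & fraud_cards
        if len(hit) >= min_fraud_cards and len(hit) / len(cards) >= min_ratio:
            flagged[terminal] = {"fraud": hit, "at_risk": cards - fraud_cards}
    return flagged


def accounts_to_review(flagged):
    """Cards used at a flagged terminal that have not reported fraud yet."""
    at_risk = set()
    for entry in flagged.values():
        at_risk |= entry["at_risk"]
    return at_risk


if __name__ == "__main__":
    flagged = points_of_compromise(HISTORY, FRAUD_CARDS)
    for terminal, entry in sorted(flagged.items()):
        print(terminal, "fraud:", sorted(entry["fraud"]), "at risk:", sorted(entry["at_risk"]))
    print("accounts to review:", sorted(accounts_to_review(flagged)))
```

In the sample, ATM-B and ATM-C each saw fraud cards but fall below the thresholds, which is how ordinary high-traffic machines avoid being reported as compromise points.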
With the help of HNC, NYCE, Citibank, transaction processor Core Data Resources and others, James said the Secret Service was able to determine when and where fraudulent withdrawals occurred, practically in real time. Using this information to establish patterns, agents began tracking the runners. They believed that four people were illegally withdrawing cash.
James said the criminals were sharp enough to change their MO as authorities closed in on them. Apparently having figured out that Citibank was assisting the feds, they began visiting ATMs owned by Chase Manhattan instead. And they stopped making withdrawals at night and began doing so during mid-day when the city was crowded with noshing workers, making pursuit more difficult.
Gotcha
The Secret Service apprehended one of the runners in November when "he got greedy," James said, lingering at ATMs for up to half an hour and feeding fake cards into them. He broke his ankle running from two agents and two "good Samaritans" who joined the chase.
It would have been easier to crack the case and possibly to catch IF, James said, if the ISOs had maintained better control of their business affairs. One of the applications IF had filled out to purchase an ATM lacked such basic information as a Social Security number and driver's license number, he said.
James isn't sure if any of the four ISOs that sold ATMs to IF were aware of his illegal activities. He loaded the cash into the machines himself and insisted on being present any time an ATM required service. "He changed the locks so the ISOs would have to call him anytime anything needed to be done to the ATM," James said.
A pound of prevention
James believes that the ISO industry should be regulated more closely. "It bothers me that you've got ATMs that are sitting on the critical banking infrastructure, with very little oversight," he said.
Susan Zawodniak, vice president and executive director of the NYCE network, said that NYCE hoped to launch an initiative to create common standards for ISOs and their sponsor financial institutions. She said such standards would need to be adopted by most, if not all, networks to be effective.
"NYCE could strengthen its rules, but if only NYCE does it, it won't work," she said. "ISOs would just take the path of least resistance and put their ATMs into other networks."
Networks seem to be moving in that direction, if enhanced ISO risk standards introduced by Visa U.S.A. in January 2001 are any indication. The new standards require financial institutions that sponsor ISOs into Visa's Plus network to provide more documentation concerning the activities of their ISOs.
James said he would like to see informational meetings attended by representatives of all areas of the ATM industry, including ISOs. "I think it's important to keep everybody in the loop," he said. "The little guys might want to comply, but they just don't know how."
NYCE has presented semi-annual risk management forums for its member financial institutions for the past three years, Zawodniak said, including one last month that featured James discussing the ATM skimming case in greater detail. Also at that meeting, a representative of an ISO gave a presentation on the retail ATM business model.
"We want to create greater awareness among our members," she said. "We've got to keep consumer confidence in the banking system high so they'll continue to do those millions and millions of transactions every month. If they don't, we'll all suffer."