By Patrick Stark, CFP®
Cyber thieves are getting more and more creative these days, as I recently discovered. Someone made a $480 ATM withdrawal from my bank account – while my ATM card was still in my possession. How did they do it?
Most likely through a process called “skimming”. In skimming, a device is placed over an ATM card reader that records the information from the ATM card. This data is then used to create a cloned card. To get your PIN, thieves install tiny pinhole cameras to record your keystrokes or use an overlay on the keypad itself to record your PIN. Using the cloned card and your PIN, criminals are free to make ATM withdrawals.
How do you prevent something like this from happening? There’s no perfect solution, but there are a few steps that you can take to minimize your skimming risk:
- Use ATMs that are installed in banks.
Although any ATM can be tampered with, ATMs in non-bank areas are generally riskier – especially those in low-trafficked or poorly lit locations. If you must use a non-bank ATM, look for obvious signs of tampering (i.e. loose sections or parts that have a different color than the rest of the machine). Keep in mind that some skimming devices fit completely inside the card slot and are totally invisible.
- Disable your card.
Many banks give you the flexibility to turn ATM cards “off” or “on” using a mobile app or computer. You can keep the card turned off until you need to use it.
- Protect your PIN.
Cover the keypad with one hand while you type in your PIN with the other. This will prevent any cameras from recording your keystrokes, but it’s still possible that an overlay placed directly on the keypad can record your PIN.
- Get notifications from your bank.
You can get text or email alerts if an ATM withdrawal is made or if a transaction exceeds a certain amount.
- Monitor your account transactions periodically.
I was lucky that I happened to notice my fraudulent transaction the same day that it occurred. After I deactivated my ATM card that evening, two more attempts to withdraw money from my account were made the next morning.
- Get your bank’s fraud hotline number in case you need it in the future.
Banks will have a number to call to report ATM fraud, but these numbers can be unusually difficult to find – especially numbers staffed by a human being. And don’t be surprised if your bank doesn’t have a 24/7 number for ATM fraud (as I ruefully discovered during my maddening two-hour odyssey navigating Bank of America’s infuriating “Help and Support” options).
In Bank of America’s defense, they were very gracious and helpful once I was finally able to reach a live human being. My account was immediately given a temporary credit of $480 while the fraud was being researched. My ATM card was permanently deactivated, a new card was on its way, and a fraud investigation was launched.
After six weeks, Bank of America sent me the following letter:
“We’ve concluded our investigation of this claim. The previously issued credit for $480.00 is now permanent. We consider this matter resolved and closed. We’re here to help. We appreciate the opportunity to serve your financial needs.”
While it was nice to hear that my temporary $480 credit was now permanent, the letter didn’t address what I really wanted to know: Who did it? How did they do it? Was skimming involved? If so, which ATM was compromised? Were the police notified? Subsequent calls to Bank of America went nowhere – the department that conducts the fraud investigation is unreachable by the general public. And also apparently unreachable by any other department within Bank of America.
It’s critical that you report ATM or credit card fraud immediately. Acting fast limits your liability for charges you didn’t authorize. For credit cards, your maximum liability for unauthorized use is $50 – regardless of when you report it. But for ATM cards, it’s more complicated; your maximum liability depends on how quickly you report the fraud. If you report the fraud within two business days after you receive the statement that reflects the theft, your liability is capped at $50. If you wait longer – up to 60 days – your liability increases to $500. Waiting more than 60 days is the worst-case scenario: you would be liable for all of the money taken from your ATM account. Although many banks will relax these guidelines as a good will gesture, it’s best not to count on it and to report fraud immediately.