Are you Interested in Generating Some Extra Cash?


Cons, frauds and scams in the world of electronic money.

High-tech security of money is a joke. Thieves of the mid-90s all know the easiest way to rob a bank has nothing to do with guns and getaway cars. Just use a computer. The latest in a long series of frauds against ATMs (Automatic Teller Machines, the cash dispensers all but the most privacy-conscious of us use) goes as follows:

Install one of those PIN-changing machines somewhere with a big sign encouraging people to change their PINs because of the possibility that someone has shoulder-surfed their old PIN. Away you go; it could even change their PIN for them. In other words, it could be a real PIN changer. This is a lot cheaper than a fake ATM machine and something that high-tech thieves have already done with success in the U.S.

With the PIN, new or old, they make fake cards and proceed to vacuum your bank account. You will not lose, however. In some countries, including the USA, the banks have to carry the risks associated with the new technology.

In Britain, the regulators and courts have not been so demanding, and despite a parliamentary commission of enquiry which found that the PIN system was insecure, bankers simply deny that their systems are ever at fault. Customers who complain about debits on their accounts for which they were not responsible, the so-called "phantom withdrawals", are told they are lying, or mistaken, or that they must have been defrauded by their friends or relatives. The result in the UK has been a string of court cases, both civil and criminal. The pattern which emerges is not surprising: miscarriages of justice over the years.

A teenage girl in Ashton-under-Lyne was convicted in 1985 of stealing $80 from her father. She pleaded guilty on the advice of her lawyers that she had no defence, and then disappeared. It later turned out that there had never been a theft, merely a clerical error by the bank.

A Sheffield police sergeant was charged with theft in November 1988 and suspended for almost a year after a phantom withdrawal took place on a card he had confiscated from a suspect. He was lucky in that his colleagues tracked down the lady who had made the transaction after the disputed one; her eye-witness testimony cleared him.

Charges of theft against an elderly lady in Plymouth were dropped after enquiries showed that the bank's computer security systems were in a shambles. Likewise, all over Britain, people are awaiting trial for alleged thefts in cases where the circumstances give reason to believe that phantom withdrawals were actually to blame.

How the banks steal your money: "the computer is always right".

Many frauds are carried out with some inside knowledge or access, and ATM fraud turns out to be no exception. Banks in the English-speaking world dismiss about one per cent of their staff every year for disciplinary reasons, and many of these sackings are for petty thefts in which ATMs can easily be involved. A bank with 50,000 staff which issued cards and PINs through the branches rather than by post might expect about two incidents per business day of staff stealing cards and PINs.

In a recent case, a housewife in Hastings had money stolen from her account by a bank clerk who issued an extra card for it. The bank's systems not only failed to prevent this but also had the feature that whenever a cardholder got a statement from an ATM, the items on it would not subsequently appear on the full statements sent to the account address. This enabled the clerk to see to it that the lady did not get any statement showing the thefts he had made from her account. This was the reason he managed to make 43 withdrawals of $400 each. When she did complain she was not believed, and was subjected to harassment by the bank. The thief was only discovered because he suffered an attack of conscience and owned up.

Technical staff also steal clients' money, knowing that complaints will probably be ignored. At one branch in Scotland a maintenance engineer fitted an ATM with a hand-held computer which recorded customers' PINs and account numbers. He then made up counterfeit cards and looted their accounts. Again, customers who complained were stonewalled.

Most thefts by staff show up as phantom withdrawals at ATMs in the victim's neighbourhood. British banks maintain that a computer security problem would result in a random distribution of transactions round the country, and as most disputed withdrawals happen near the customer's home or place of work, these must be due to cardholder negligence. Thus the pattern of complaints which arise from thefts by their own staff only tends to reinforce the banks' complacency about their systems.

How outsiders rob your bank account: "jackpotting".

In a recent case in Winchester, two men were convicted of a simple but effective scam. They would stand in ATM queues, observe customers' PINs, pick up the discarded ATM tickets, copy the account numbers from the tickets to blank cards, and use them to loot the customers' accounts.

This trick had been used a few years before in New York, where an ATM technician who had been fired managed to steal 80,000 US dollars before the bank caught him in the act by saturating the area with security men. These attacks worked because the bank printed the full account number on the ATM ticket and because there was no cryptographic redundancy on the magnetic strip. In England, the bank which had been the main victim of the Winchester case only stopped printing the full account number after an outcry on TV.

Another technical attack relies on the fact that most ATM networks do not encrypt or authenticate the authorisation response to the ATM. This means that an attacker can record a pay response from the bank to the machine and then keep on replaying it until the machine is empty. This technique, known as "jackpotting", is not limited to outsiders. It appears to have been used in 1987 by a bank's operations staff, who used network control devices to jackpot ATMs where accomplices were waiting.
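The missing control described above, shown as an added example that is not taken from any bank's system: the ATM sends a fresh nonce with each request and pays out only if the response carries a MAC over that nonce, so a recorded pay response is useless for the next request. The message fields, the key and the class names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed demo key (assumption); a real link key would sit in tamper-resistant hardware.
LINK_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")

def mac(key: bytes, *fields: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed fields so field boundaries are unambiguous."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for field in fields:
        h.update(len(field).to_bytes(2, "big") + field)
    return h.digest()

def host_authorise(key: bytes, atm_id: bytes, nonce: bytes, amount: int) -> dict:
    """Bank side: bind the decision to this ATM, this request's nonce and the amount."""
    tag = mac(key, atm_id, nonce, amount.to_bytes(4, "big"), b"PAY")
    return {"decision": b"PAY", "amount": amount, "tag": tag}

def legacy_accept(response: dict) -> bool:
    """The weak design from the text: any well-formed pay response is honoured."""
    return response["decision"] == b"PAY"

class Atm:
    def __init__(self, atm_id: bytes, key: bytes):
        self.atm_id, self.key, self.pending = atm_id, key, None

    def new_request(self, amount: int) -> bytes:
        self.pending = (secrets.token_bytes(16), amount)  # fresh nonce per request
        return self.pending[0]

    def accept(self, response: dict) -> bool:
        if self.pending is None:
            return False
        nonce, amount = self.pending
        self.pending = None  # a request can be answered only once
        expected = mac(self.key, self.atm_id, nonce,
                       amount.to_bytes(4, "big"), response["decision"])
        return (response["decision"] == b"PAY" and response["amount"] == amount
                and hmac.compare_digest(expected, response["tag"]))

def demo() -> dict:
    atm = Atm(b"ATM-0001", LINK_KEY)
    recorded = host_authorise(LINK_KEY, atm.atm_id, atm.new_request(100), 100)
    results = {"genuine": atm.accept(recorded)}
    atm.new_request(100)                      # next withdrawal, new nonce
    results["replayed"] = atm.accept(recorded)
    atm.new_request(100)
    results["forged_tag"] = atm.accept(dict(recorded, tag=bytes(32)))
    results["legacy_replayed"] = legacy_accept(recorded)
    return results

if __name__ == "__main__":
    print(demo())
```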

Postal interception is reckoned to account for 30% of all U.K. payment card losses, but most banks' postal control procedures are dismal.