Citi Restricts ATM Withdrawals in NYC

Bear with me on this post; it makes a more important point than you might anticipate.

Reader Jim J sent this item from the Daily News, which tells of the indignities suffered by Citibank customers in New York City (including Jim himself), who had their ATM withdrawal limits reduced by half with no advance warning. Jim was skeptical of the explanation, namely security problems, since the bank had previously reduced the permitted size of transfers from $10,000 to $2,000 for the same reason.

Now I can’t comment on whether the limit on transfers was really security driven, but I am pretty sure the cut in ATM withdrawal limits was. Why? First, this move is almost certain to be costing Citi, and second, I’ve heard stories of some pretty advanced ATM hacks lately.

ATMs are a godsend to banks. They are vastly cheaper than having customers queue up and get dough from tellers, which was the only option in the stone ages of banking. And they increase customer convenience, so they are a rare win-win.

Customers are going to need cash regardless of what Citi does with its ATMs. A few may decide to pay fees and use non-Citi ATMs, but now that they know they can call the bank and get the restriction lifted (it seems on a single transaction basis), some will go that route, while others will use tellers or make withdrawals over two days.

Even as cheap as an ATM transaction is, more transactions mean more costs. And increased calls to customer assistance and heavier use of tellers are even more expensive. Plus the restriction creates ill will and not very good press.

So why would Citi be doing this? It isn’t to conserve cash; depositors will get their funds, albeit with some hassle and delay. And per above, Citi is not saving money on the expense side, so the idea that it is trying to reduce losses appears valid.

The other reason I am inclined to believe Citi’s party line is a story I heard in my friendly bank the other day (first hand, BTW). An elderly man described how he had gone to the Bank of America to move funds from his savings account to his checking account and discovered his savings account balance was too low by $800. He immediately went to a branch officer who pulled up his transaction record. It showed that he had withdrawn $40 from his checking account at an ATM, then returned 10 minutes later and withdrew $800 from his savings account via ATM from the same branch.

But the man had never gone there the second time. The bank restored the missing funds to his account.

Now here is the troubling part: The man was told that someone had managed to install a device in the ATM while pretending to make a withdrawal that enabled them to read the account information and the keystrokes when people put in their PIN. They apparently loitered in the area with a device that looked like a cellphone that was reading the data.

This activity had occurred in one particular branch in the area, but not in another, and the man was encouraged to shift his activities to a different branch. The compromising of the machines appeared to be temporary, but the targeted branch was hard by a major subway stop on three train lines, so it may have been targeted for ease of escape.

Those of you who have read Cryptonomicon won’t find this implausible. The keystroke reading may be a form of Van Eck phreaking.

Now to the larger significance. Citi must be suffering from a similarly sophisticated hack; otherwise they wouldn’t respond in such an extreme and invasive manner. And I am not up on the profitability of retail banking, but I guarantee you that a loss of $800 represents many years of profits on that customer. And that $800 doesn’t include the cost of dealing with the upset account holder and investigating the loss. Too many incidents like that and you have a real profit problem. Yet the fact that each theft isn’t large makes them costly to pursue relative to the magnitude of each theft.

Perhaps the banks will find a simple way to combat these attacks, but if fraudsters can exploit security failings in the ATMs themselves, the banks have a real problem. The solutions would probably entail either modification or replacement of the ATMs themselves, and possibly replacement of the customers’ ATM cards. This would be expensive and comes at a time when banks are in no mood to undertake costly investments.


9 comments

  1. Anonymous

    Great story about keystrokes, but OT:

    The major complaint being pursued against Bear Stearns appears to be that the failed hedge funds were being sold to investors as low risk options when, according to one noted expert in the field and reported in BusinessWeek, more than 60 percent of the net assets in one of the funds, “were so illiquid or obscure that management randomly assigned their value.”

    In the meantime, Massachusetts Secretary of State William F. Galvin is continuing his assault on Bear Stearns, who he has charged with engaging in inappropriate trading. An allegation he says is based on records, which apparently show the company traded from its own account with the hedge funds without making the required notifications to the funds’ Cayman Islands-based independent directors.

  2. Yves Smith

    Thanks for the Bear update. It has been grinding away in the background and occasionally gets some press, usually when there is a juicy legal development.

    The Caymans business is particularly surprising. My impression is that it isn’t all that onerous to comply with the requirements for running an offshore entity (as in making sure you do the things so that its off-shore standing is valid) and Bear didn’t bother. Ironically, the firm had had the reputation of running a tight ship.

  3. Andrew

    Van Eck phreaking? Take off the tinfoil hat! The PINs are more likely than not being spied with a simple video camera. Most people don’t make any effort to hide the buttons they’re pressing.

  4. Yves Smith

    Andrew,

    They had to get the account numbers, and to be able to transmit them into the ATM as if they had a mag strip, and do it in the middle of the day when there were people around (that’s when the old man’s incident happened). That alone required considerable sophistication. Getting the PIN is the easiest part of the hack.

    I observe most people do stand pretty close to the ATM when there are other people around. By contrast, I’ve noticed they aren’t too careful in trying to hide their keystrokes when using them in grocery stores.

  5. dearieme

    In Britain we depend hugely on ATMs and they are under fraudulent attack the whole time. A bank teller recently told my wife that she won’t even use the ATM in her own branch: she reckons it’s safer to buy some groceries and get a “cash back” at the store.

  6. Yves Smith

    dearieme,

    Thanks for the info. Funny, I’ve long preferred getting cash when shopping, maybe due to a reptile brain memory of the days in NYC when you did have to worry about your physical (as opposed to fiscal) safety.

    But since this problem is so acute in the UK, I wonder why the US banks seem so flatfooted. It was obviously going to show up here.

  7. CrocodileChuck

    Yves

    This hack was prevalent here a couple of years ago - think it originated in Malaysia. The hackers move from bank to bank - I’m surprised it hasn’t popped up sooner.

    CrocodileChuck

    ps agree with your comment on customer lifetime value (retail banking)

  8. barkingcat

    I agree with Dijo…

    It’s most likely a device fitted on top of (or “over” depending on how you visualize it) the slot where you stick the bank card into the ATM, in addition to the mini camera.

    This way, the bad guy gets to read the strip before the card formally enters the ATM, and the camera sees the PIN code.

    The bad guy then programs a blank card (easy to do if you have the right equipment) with the magnetic strip info from the original card. Coupled with the PIN, you have all you need.

    I’ve seen pictures of these devices circling on the net. They look pretty realistic, and some have the bank’s insignias / logos silkscreened professionally on them.

    Van Eck is too complicated, and too prone to interference. Too much sci fi.

  9. Anonymous

    Embedded RFID challenge response chips in cards would be impracticably difficult to defraud. These have been used for some years in luxury cars and the rate of theft dropped dramatically.

    The real story here is that the credit card companies have been relying on a system that is laughably insecure. They need to shell out the seeds and install modern equipment in high risk areas.

    The credit cards with RFID chips can continue to use the magnetic stripe for non-secure, low value transactions. That would allow stores with low tech readers to continue without an upgrade. The RFID chip would only be required for high amount cash advances, over dollar limit purchases, and fund transfers. The readers would only be in bank machines and high end retail stores.
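The contrast the last two comments draw, static stripe data versus a challenge-response chip, can be shown in a few lines. This is an added example, not part of the original post or its comments; the class names, the account id and the use of HMAC-SHA256 are assumptions made for illustration and do not describe any real card scheme.

```python
import hashlib
import hmac
import secrets

class ChipCard:
    """Constructed model of a card whose secret key never leaves the chip."""
    def __init__(self, account: str, key: bytes):
        self.account = account      # readable by anyone, like stripe data
        self._key = key             # never transmitted

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge, hashlib.sha256).digest()

class Issuer:
    """Hypothetical bank back end supporting both authentication styles."""
    def __init__(self):
        self._keys = {}             # account -> card key
        self._pending = {}          # account -> outstanding challenge

    def enroll(self, account: str) -> ChipCard:
        self._keys[account] = secrets.token_bytes(32)
        return ChipCard(account, self._keys[account])

    def verify_stripe(self, track_data: str) -> bool:
        # Static data: any copy of the right bytes is indistinguishable
        # from the original card.
        return track_data in self._keys

    def new_challenge(self, account: str) -> bytes:
        self._pending[account] = secrets.token_bytes(16)
        return self._pending[account]

    def verify_chip(self, account: str, response: bytes) -> bool:
        challenge = self._pending.pop(account, None)   # single use
        key = self._keys.get(account)
        if challenge is None or key is None:
            return False
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def demo():
    issuer = Issuer()
    card = issuer.enroll("ACCT-0001")                  # constructed account id
    stripe_copy_accepted = issuer.verify_stripe(card.account)
    first = card.respond(issuer.new_challenge(card.account))
    genuine_accepted = issuer.verify_chip(card.account, first)
    issuer.new_challenge(card.account)                 # fresh session
    recorded_accepted = issuer.verify_chip(card.account, first)
    return stripe_copy_accepted, genuine_accepted, recorded_accepted
```

The stripe check accepts any copy of the static bytes, while a response recorded in one chip session is rejected in the next because the issuer's challenge has changed.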
