Bear with me on this post; it makes a more important point than you might anticipate.
Reader Jim J sent this item from the Daily News, which tells of the indignities suffered by Citibank customers in New York City (including Jim himself) of having their ATM withdrawal limits reduced by half with no advance warning. Jim was skeptical of the explanation, namely, security problems, since he bank had previously reduced the permitted size of transfers from $10,000 to $2,000 for the same reason.
Now I can’t comment on whether the limit on transfers was really security driven, but I am pretty sure the cut in ATM withdrawal limits was. Why? First, this move is almost certain to be costing Citi, and second, I’ve heard stories of some pretty advanced ATM hacks lately.
ATMs are a godsend to banks. They are vastly cheaper than having customers queue up and get dough from tellers, which was the only option in the stone ages of banking. And it increases customer convenience, so it is a rare win-win.
Customers are going to need cash regardless of what Citi does with its ATMs. A few may decide to pay fees and use a non-Citi ATMs, but now that they know they can call the bank and get the restriction lifted (it seems on a single transaction basis), some will go that route, while others will use tellers or make withdrawals over two days.
Even as cheap as an ATM transaction is, more transaction mean more costs. And increased calls to customer assistance and heavier use of tellers is even more expensive. Plus the restriction creates ill will and not very good press.
So why would Citi be doing this? It isn’t to conserve cash; depositors will get their funds, albeit with some hassle and delay. And per above, Citi is not saving money on the expense side, so the idea that it is trying to reduce losses appears valid.
The other reason I am inclined to believe Citi’s party line is a story I heard in my friendly bank the other day (first hand, BTW). An elderly man described how he had gone to the Bank of America to move funds from his savings account to his checking account and discovered his savings account balance was too low by $800. He immediately went to a branch officer who pulled up his transaction record. It showed that he had withdrawn $40 dollars from his checking account at an ATM, then returned 10 minutes later and withdrew $800 from his savings account via ATM from the same branch.
But the man had never gone there the second time. The bank restored the missing funds to his account.
Now here is the troubling part: The man was told that someone had managed to install a device in the ATM while pretending to make a withdrawal that enabled them to read the account information and the keystrokes when people put in their PIN. They apparently loitered in the area with a device that looked like a cellphone that was reading the data.
This activity had occurred in one particular branch in the area, but not in another, and the man was encouraged to shift his activities to a different branch. The compromising of the machines appeared to be temporary, but the targeted branch was hard by a major subway stop on three train lines, so it may have been targeted for ease of escape.
Those of you who have read Cryptonomicon won’t find this implausible. The keystroke reading may be a form of Van Eck phreaking.
Now to the larger significance. Citi must be suffering from a similarly sophisticated hack; otherwise they wouldn’t respond in such an extreme and invasive manner. And I am not up on the profitability of retail banking, but I guarantee you that a loss of $800 represents many years of profits on that customer. And that $800 doesn’t included the cost of dealing with the upset account holder and investigating the loss. Too many incidents like that and you have a real profit problem. Yet the fact that each theft isn’t large makes them costly to pursue relative to the magnitude of each theft.
Perhaps the banks will find a simple way to combat these attacks, but if fraudsters can exploit security failings in the ATMs themselves, the banks have a real problem. The solutions would probably entail either modification or replacement of the ATMs themselves, and possibly replacement of the customer’s ATM cards. This would be expensive and comes at a time when banks are in no mood to undertake costly investments.