September 10, 2016 – Steve Weisman’s latest column for USA Today

While it may appear that ATMs are a safe and secure way to get money from your bank account, the truth is that ATMs are vulnerable to being hacked in multiple ways and we, as customers must be vigilant in order to protect ourselves and the security of our bank accounts.  Here is a link to my column from USA Today describing this problem.

http://www.usatoday.com/story/money/columnist/2016/09/10/how-safe-atms-skimming-not-very/89225960/

Scam of the day – August 31, 2016 – Massive ATM heist

ATM robbery is increasing dramatically.  According to FICO Card Alert Service, a company that monitors ATM activity for banks, ATM skimming attacks increased by 546% from 2014 to 2015 and this trend shows no indication of slowing down in 2016.  Skimmers are small devices that can be attached to ATMs either on the outside or inside of the machine that capture the data from your card when you insert it into the ATM.  This problem is exacerbated by the fact that ATMs still are using the old-fashioned magnetic strip cards rather than being updated to take the newer EMV chip cards that create a new code for every transaction that would render the skimmer useless.   The trade regulations requiring the switch over to chip cards for ATMs  go into effect for ATM transactions using MasterCard debit cards  October 1, 2016, but Visa’s deadline is not until October 1, 2017.  The regulations themselves are not laws, but rather rules of the banks and credit card processors that shift liability for fraudulent card use to companies not switching over to the EMV card readers before the deadlines.  It has been estimated by the National ATM Council that less than half of ATMs will be EMV card ready by October 2016.

However, things aren’t as bad as you think.  They are far worse.

Enterprising criminals recently managed to hack 21 ATMs of the Government Savings Bank in Thailand stealing approximately $350,000.  What was significant about this particular hacking was that in this case, skimmers weren’t used in the attack on the ATMs and money was not stolen from individual account holders as in the recent 13 million dollar heist from Japanese ATMs located at convenience stores over a three hour period.  In this case, the hackers inserted a malware infected card into the ATMs that reprogrammed the ATMs to allow them to withdraw money from the ATMs directly without being allocated to any particular account.  Inserting malware through portable USB external hard drives into ATMs and reprogramming them to release cash to hackers is exposing vulnerabilities in the security of many ATMs.

TIPS

The banking industry has got to keep pace with the attacks by sophisticated criminals upon ATMs.  Switching to EMV chip cards will help significantly from the less sophisticated hackers using skimmers, but it won’t help against the more sophisticated hackers attacking ATMs by changing the machine’s programming.  Better security needs to be implemented to combat this threat immediately.

Meanwhile as for us as customers, the best you can do is to generally refrain from using private ATMs and ATMs  that are not embedded in walls.  The stand-alone ATMs are more vulnerable to a number of different types of hacking.  You should also feel around to see if anything is loose where you insert your card and for any evidence of tampering and use another machine if you find any indication that the ATM has been altered in anyway.  Also cover the keypad when you insert your PIN.  Finally, monitor the bank account to which your ATM card is attached regularly to recognize any fraudulent use as soon as possible to avoid personal liability if you delay in reporting fraudulent use of your card.

Scam of the day – June 13, 2014 – ATM hacked by 14 year olds

Recently two 14 year old boys in Canada were able to locate online an operator’s manual for ATMs.  Matthew Hewlett and Caleb Turon then decided to try out the instructions to see if they could get access to an ATM.  They went to an ATM at a local super market and were surprised to find that the operator’s manual gave them all of the information they needed to reprogram the ATM with the exception of the password for the ATM, which they managed to guess on their first try by using 000000 which is a common default setting for many ATMs.  The boys did not exploit the lax security of the Bank of Montreal ATM they hacked, but rather reported it to the bank.  The boys did the hacking on their lunch hour and were late returning to school, however Bank of Montreal officials wrote them a letter on bank stationary requesting that their tardiness returning to school for afternoon classes be excused.  The bank should have paid them a reward for exposing their lax security.

TIPS

Too many companies and people still use the default passwords on many of their devices. This should be a good wake up call to everyone that it is important to have a different, complex password for all of your electronic devices.