ATM skimming costs banks billions each year and is on the rise, as technically adept criminal rings continue to find ways around ever-increasing security counter-measures.
ENGLEWOOD--The bank robbery occurred at the Citibank branch in a quiet North Jersey suburb.
There were no alarms, no guns, no menacing notes and no threats of violence. More than $52,000 was taken and the bank in Englewood didn't even know it had been robbed until long after the cash went out the door.
That same day in December 2012, just a week before Christmas, the same guys hit another Citibank in Florham Park. And over the next three weeks they would target additional branches of the bank in New Jersey and New York--walking away with more than $1 million in cash taken from Citibank ATM machines through hundreds of counterfeit bankcards encoded with personal information stolen from unsuspecting customers.
The ring responsible, in what has been described as one of the largest ATM skimming operations ever uncovered, hit TD Bank and Wells Fargo as well before they were caught, ultimately draining $6.5 million from the accounts of victims across the country, say federal prosecutors in New Jersey. But even after the arrests of 16 men--most of them Romanian nationals in this country illegally--ATM fraud in the United States is soaring.
"It's getting more sophisticated," said assistant U.S. attorney Rahul Agarwal, who helped prosecute the New Jersey case. "Banks take one step and these guys come up with new and more sophisticated methods."
Card and PIN skimming at bank-owned ATMs in the US increased 174 percent in the first four months of 2015, compared to the same period in 2014. Non-bank ATM compromises increased even more, by 317 percent, according to credit-reporting group FICO.
The incidents, at banks, gas stations and convenience stores, occurred on busy highways, in shopping malls, and at neighborhood banks across the country:
- In February, seven men were charged by the U.S. Attorney's office in Manhattan in a skimming scheme that spanned from Las Vegas to New York.
- A Miami teenager last month pleaded no contest to planting skimming devices in gas pumps around the state of Michigan.
- In January, police in Union Township in New Jersey caught two New York men--also Romanian nationals--installing a skimming device on an ATM at a 7-Eleven on Route 22.
- Nutley police are investigating the tampering of an ATM at another convenience store.
- In Middlesex County, the prosecutor's office said 20 ATM thefts had been reported since December.
Authorities say skimming is growing even faster at gas station pumps, although less so in New Jersey.
"The presence of fuel attendants at New Jersey gas stations may serve as a deterrent to criminals looking to install skimming devices on pumps," observed Lisa Coryell, a spokeswoman for the state's Division of Consumer Affairs, who said county and municipal officials who conduct inspections of gas pumps have been instructed on what to look for during routine inspections.
Unlike an ATM card paired with a stolen PIN, a skimmed credit card cannot be used to empty out someone's bank account. But a gas pump is easier to rig than an ATM and can be accessed by readily available master keys.
Feeding frenzy?
Sarah Grotta, director of debit card advisory service for Mercator, a research and advisory firm for the banking and payments industry, said criminals focus on the path of least resistance. With the U.S. still using easy-to-hack magnetic stripe cards, this country remains a land of opportunity for skimming gangs.
By some accounts already a $2 billion-a-year industry, skimming may be spiking nationwide in advance of new encryption technology now slowly being introduced that could make it all-but-impossible to hack into the cash machines we depend on daily.
Industry officials say organized gangs who honed their skills in Eastern Europe are increasingly targeting the United States before banks turn to chip-embedded cards or smart phone mobile payment systems, and finally abandon the conventional magnetic stripe that has always been the Achilles heel of ATM security.
"There is a feeding frenzy to skim as much as possible while they are able," observed bankcard expert John Buzzard. "I have had my card replaced more times in the last 365 days than I have in my entire career."
Bank officials will say little about the security measures they employ.
"We don't discuss our anti-fraud practices publicly," said Andrew Brent, a spokesman for Citibank, which was repeatedly hit by the gang in New Jersey.
TD Bank, which was also targeted by the same group, said it regularly monitors for unusual or suspicious activity and deploys multiple layers of security to protect its customers.
"In addition, we evaluate our security measures on an ongoing basis to address security threats as they evolve," said spokeswoman Judith Schmidt.
Making changes to bank ATM machines and card readers at gas stations, though, is an expensive task and even many retail stores have been slow to deploy new equipment to read chip-enabled credit cards. Officials at NCR, which supplies ATM machines to banks, said the U.S. is behind the rest of the world in the adoption of smart card technology.
"Crime always migrates to the weakest point," remarked spokesman Jeff Dudash.
At the same time, U.S. Secret Service officials say the equipment used by the bad guys to hijack ATMs is getting better and more ingenious, even as banks and manufacturers try to devise new ways to thwart them.
Secret Service spokesman Robert Hoback noted that the devices that surreptitiously record bankcard PIN numbers and the magnetic stripes on cards carrying a customer's account information are getting smaller, and have begun to employ wireless technology so they can capture keystrokes and passwords remotely without ever returning to the ATM to collect the illegally recorded data.
A new way to rob banks
ATM skimming is by no means a new crime. Experts point to what might have been the first major case back in 1993, when thieves posing as New Jersey bankers reprogrammed a stolen ATM they planted at the Buckland Hills shopping mall in Manchester, Ct., and used it to record the account numbers and PINs of customers over a two-week period. They took the information to make counterfeit cards and managed to withdraw $100,000 from real ATM machines before they were arrested.
These days, the scam is the same, but the game has gotten far more sophisticated.
There are still two pieces of information needed to get into a person's account--the information stored on a bankcard's magnetic stripe, and the four-digit PIN that must be keyed in at an ATM.
To get the account information, someone looking to hack an account will use an electronic "skimmer" that reads and stores the information when a customer slides a bankcard into an ATM. Often a fake slot that fits over the actual card slot of an ATM, attached with a dab of Super Glue, the skimmer device contains a reader and memory card to record the data on the card.
The second part of the scheme involves capturing a customer's unique PIN code. To get it, a miniature camera, typically hidden inside a panel that may also be glued to the ATM, records the keystrokes when a customer enters their PIN.
With both in hand, it is not difficult for someone to encode a blank bankcard with the account information and use it at a store, a gas station or most often, another ATM.
There is a tremendous amount of cash in an automated teller machine, which, fully replenished, can have as much as $300,000 inside.
Indeed, Doug Johnson, who heads up cybersecurity at the American Bankers Association, said there is far greater financial loss associated with ATM skimming than bank robbery. He noted the loss in the average bank robbery is $3,000 to $4,000.
"ATM skims will be ten times that," he said. "$30,000 to $40,000 in terms of potential loss to the bank."
Organized rings like the one that was operating in New Jersey can collect hundreds of account numbers and PIN codes in a few days, and then use teams who fan out to ATMs all over the country with the aim of "cashing out" the machines, withdrawing thousands of dollars before moving to another location.
To counter the skimming rings, banks and ATM designers over the years have built in an ever-increasing phalanx of defense measures to secure the money inside. But it's a cat-and-mouse game. For every step they take, it is only a matter of time before their technically adept adversaries match them with a new wrinkle that requires yet another counter-measure.
Nicholas Billett, an expert in software design and security at Diebold, a major manufacturer of ATMs, said the same technology developed for cellular phones led to a revolution in electronics miniaturization, turning skimming equipment into cheap, disposable high-tech spy gear.
"It's not a bunch of guys in a garage with a couple of card readers," he said. "A lot of what we deal with is organized crime. We know they have our hardware. We know they have our software. We've seen upgrades and revisions to it. We know exactly what they are doing."
When Diebold began employing devices to detect skimmers, they found the criminal rings turning to even smaller skimmers designed to mitigate the sensing technologies. In one case, a "skinny" skimmer was inserted directly into the motorized card reader. Diebold now uses a system that rotates the card reader, which the company said makes it impossible for current skimmers to capture a card's full data. At least, for now.
Connecting dots
Federal prosecutors say the case in New Jersey began with the arrest in Barnegat of Emil Revesz and Constantin Pendus, both Romanian nationals, in December 2012. Security camera footage played at trial showed the two men rigging the ATM at the TD Bank on Main Street, and abruptly leaving as a customer entered the bank lobby. After police were called, they arrested the men and found a Garmin GPS unit that recorded visits to the sites of several TD Banks between Dec. 10, 2012, and Dec. 19, 2012.
A few weeks later, Nassau County Police in Great Neck arrested two other men, Dezso Gyapias and Ioan Leusca, on charges of using counterfeit cards to withdraw more than $13,700 from TD Bank branches.
"As they dug into those four, there was a lot of commonality between the banks involved," recalled Agarwal, a member of the U.S. Attorney's Special Prosecutions Division. "We started connecting the dots."
Assistant U.S. Attorney David Eskew, who also handled the case, said one of the big breaks in the Barnegat investigation came when investigators obtained the devices and the Secret Service realized there were similarities in the design linking the case to other ATM skimming incidents. That would lead to the arrests of 16 individuals.
"They were unlucky," Eskew observed.
An FBI interview with one of the key participants in the scheme, Dinu Horvat of Chicago--who was convicted in March 2015 and is still awaiting sentencing on charges that could put him away for up to 30 years--revealed an operation that churned through accounts as quickly as they could be compromised.
Horvat, who went to high school in Chicago, told FBI and Secret Service agents about other Romanian nationals entering the United States illegally through Mexico who would work in teams to put skimmers in place and then cash out the compromised accounts as soon as counterfeit cards could be made. He said he would receive a percentage of the proceeds, usually 20 percent.
Revesz, Pendus, Gyapias and Leusca pleaded guilty to their roles in the operation. The ringleader, Marius Vintila, also of Romania, fled the country in July 2013 as others associated with the skimming operation were being apprehended in a string of arrests. He was finally caught in Sweden two months later and extradited to the United States in 2014.
Vintila later pleaded guilty to bank fraud conspiracy and aggravated identity theft charges. He was sentenced last year to more than 10 years in prison.
Ted Sherman may be reached at tsherman@njadvancemedia.com. Follow him on Twitter @TedShermanSL.