VICUG-L Archives

Visually Impaired Computer Users' Group List

VICUG-L@LISTSERV.ICORS.ORG

Subject:
From: Kelly Pierce <[log in to unmask]>
Reply To: Kelly Pierce <[log in to unmask]>
Date: Fri, 18 Apr 2003 21:27:02 -0500
Content-Type: text/plain
Parts/Attachments: text/plain (262 lines)

Never, never, ever share your PIN with anyone.  The convenience gained
may end up resulting in financial losses.  In addition to this common
theft, the article below describes common tricks of the ATM fraud trade
to separate you from your money.

Be sure to read all the way to the end where there are tips for
preventing victimization and where to file a complaint when your bank
turns mean and nasty and refuses to compensate the victimized customer as
required by federal law.

It may be helpful to keep in mind Bank of America's ATM security record.
A couple of months ago a virus was spread through servers running Windows
SQL software.  The virus took advantage of a vulnerability that was
identified and quickly patched by Microsoft last summer.  Bank of
America, who insists in the article below that the user was totally
responsible for the fraud and that neither the bank's network nor card
were compromised, decided for some reason not to install the patch.  As a
result, much of the bank's ATM network went down for a whole weekend.
Despite what they say, electronic infrastructure may not be as tight as
a drum after all.

I share this here for local groups working on ATM and banking access
projects with their members.

Kelly




Los Angeles Times
April 15, 2003


    Consumers, Banks Clash as ATM Fraud Escalates

    As claims rise, some financial institutions are taking a tougher
stance when it comes to giving customers their money back.

By E. Scott Reckard
Times Staff Writer

    Despite bank promises of "zero liability" for customers victimized
by automated teller machine fraud, getting credit for stolen funds isn't
always automatic, as Kelly Quick of Studio City learned recently.

    In January, Quick discovered that someone had tapped ATMs to siphon
$1,420 from his Bank of America checking account. He notified the bank,
and the missing funds were credited to his account while BofA looked
into the matter.

    After about three weeks, the bank took the money back, saying it had
"determined that the transactions in question were authorized."

    The withdrawals at branches in Hollywood, Canoga Park and Sherman
Oaks were indeed made using Quick's personal identification number. But
his ATM card had not been lost or stolen, and he had not disclosed his
PIN to anyone.

    Quick, a 33-year-old compliance officer for a Los Angeles investment
advisory firm, complained angrily to the bank. After a month of what
both sides describe as intense exchanges, BofA again returned the money
to his account.

    That's proof, said spokesman Ken Preston, of the bank's willingness
to work with customers who believe they have been wronged.

    But Quick's experience with BofA highlights something else: the
growing friction between banks and their customers as crooks use
increasingly innovative tactics to rob ATM machines.

    Debit cards, widely used to withdraw cash and pay for goods and
services, are popular targets for thieves. And as fraud claims rise,
some financial institutions are taking a tougher stance on refunds,
especially in cases such as Quick's where there is no hard evidence of
theft or fraud.

    That appears to be creating a backlash. Consumer complaints about
banks' handling of unauthorized ATM transactions nearly tripled from
1999 through 2002, according to the Office of the Comptroller of the
Currency, which regulates national banks.

    "In the attempt to minimize losses, some bank staff may have become
too hardened and are angering clients," said Richard Hartnack, vice
chairman of Union Bank of California and chairman of the California
Bankers Assn.

    Consumer advocates say that is definitely the case.

    "The banks are really quite reluctant to give you your money back,"
said Linda Foley, founder of the Identity Theft Resource Center in San
Diego, a victim support group. "How are you going to prove that you or
someone you know didn't max out the account?"

    Under Federal Reserve regulations, consumers are liable for no more
than $50 when they report missing debit cards within two business days.
(If they wait longer than two days, the liability rises to $500; after
60 days they must bear the entire loss.) The same rules apply when a PIN
or card data are stolen.

    In clear-cut cases of fraud, such as a stolen card, customers
usually don't have to pay a dime, because zero-liability policies have
become a marketing tool for banks.

    Recent Bank of America ads, for example, promote not only the
ubiquity of the bank's ATMs but also the elimination of cardholder
liability for unauthorized purchases, as long as customers promptly
alert the bank to lost or stolen cards.

    It can be a different story when no obvious theft is involved. Such
cases frequently involve family members, romantic partners or friends
with access to cardholders' PINs. Bank investigators often are skeptical
in cases in which a customer could have been involved in the fraud.

    And now identity thieves -- who use stolen personal and financial
information to drain bank accounts and gain unauthorized access to a
victim's credit -- are so good at their jobs that it can be days or
weeks before holders of debit cards realize anything is amiss.

    As identity theft in general and debit card fraud in particular have
grown in recent years, federal regulators have tried to make sure banks
investigate thoroughly before rejecting customers' claims of ATM fraud.

    The Comptroller of the Currency advised banks in late 2001 that it
was concerned that some were rejecting claims of ATM fraud solely
because customers could not provide evidence that their debit cards or
PINs had been "misappropriated."

    "These facts alone may be insufficient to establish that a
transaction was authorized" and that a refund should be denied, the OCC
said, because customers may have been defrauded by criminals who
obtained PINs by such techniques as watching as the numbers were entered
on the ATM keypad.

    In fact, "shoulder surfing" is an outdated, low-tech approach.
Thieves no longer need to steal a debit card to gain access to a bank
account through an ATM. They simply make the cards themselves.

    Debit card information is stolen by using data-reading "wedges" like
those used in card-swiping machines at retail checkout counters. The
wedges, which used to measure 4 inches by 2, have become so small they
can be easily hidden in the pocket or palm of a waiter or cashier, said
Secret Service special agent Jim Kollar, head of the agency's fraud
squad in Los Angeles.

    What's more, the wedges, along with blank magnetic-strip cards and
the paraphernalia needed to turn them into duplicates of real cards
using stolen information, "can pretty much all be bought on the
Internet," Kollar said.

    Getting a PIN is harder, but fraud artists have found ways to do so
without detection -- as in using remote cameras and miniature electronic
scanners, said Steve Platt, a vice president in the anti-fraud software
division of Fair Isaacs Corp.

    Investigators recently have seen increased use of a new high-tech
device: a thin overlay slipped unnoticed over the keypad of an ATM. The
overlay contains computer chips that record PINs as they are entered by
unsuspecting customers. That information then can be matched against
customer data provided by an accomplice working inside the bank or gas
station.

    "Ten or 15 years ago it was more opportunistic -- they'd steal your
wallet or look over your shoulder," Platt said. "We're seeing less and
less of that today and more elaborate frauds, with multiple players.
It's organized crime."

    Saying that debit card losses are "growing at an alarming rate," the
American Bankers Assn. made its first detailed survey of the problem
last year. It reported that frauds involving PIN-based debit cards cost
banks nearly $51 million in 2001.

    Complaints to the OCC about how banks handle unauthorized ATM
transfers have risen sharply, from 251 in 1999 to 711 last year,
outpacing the growth in the number of ATM transactions.

    "The actual number of problems is certainly far higher," said OCC
spokesman Bob Garsson, noting that few bank customers are aware of the
agency's Houston-based consumer complaint division.

    At Bank of America, the size of its ATM network stayed steady at
about 13,000 machines during the four years, while complaints to OCC
about BofA's response to unauthorized ATM transactions rose 267%.

    Liam McGee, president of BofA's Los Angeles-based National Consumer
Bank, declined to comment. Spokesman Preston said the bank was "aware of
the ATM fraud issues" and was "working very closely with our internal
security partners, as well as with local law enforcement agencies."

    Kollar, the Secret Service fraud supervisor in Los Angeles, said
that genuine victims who assert their rights will eventually get their
money back, "but it's going to take a lot longer than with a credit
card."

    And that process can take its toll, said Quick, who had been a
customer of Bank of America since 1996 and had never before had a debit
card problem.

    When he received the notice that the bank denied his claim of fraud,
he said, "I was furious, and I felt basically powerless."

    Debit card fraud is more prevalent at gas stations, convenience
stores and other such non-bank locations for ATMs, and Quick speculates
that his card data and PIN might have been stolen at one of the
minimarkets he frequents. But he figures he'll never know for sure.

    "When I finally got to speak to the investigator the day before they
credited my money back, I mentioned to her about shoulder surfing. She
said, 'Do you ever recall anyone looking over your shoulder?'

    "I said no. That's why they call it shoulder surfing -- you don't
know someone's doing it."

    *

    (BEGIN TEXT OF INFOBOX)

    Tips for preventing ATM fraud

    * Change PINs often, don't give them out, and don't keep lists of PINs
and passwords in wallets or purses. Don't use birth dates or other
personal numbers. Memorize the numbers.

    * Check for people watching as you use ATMs, cover the pad as you
punch in your PIN, and be alert for devices placed over the keypad or in
the card slot. Be especially wary at gas stations, minimarts or other
non-bank sites.

    * Never provide personal or financial card information over the
phone, unless you initiate the call.

    * Go over your bank statements closely and immediately report
suspicious transactions.

    * Don't respond to "account verification" requests for financial
information sent over the Internet.

    Where to go for help:

    * Identity Theft Resource Center: The nonprofit organization
provides information about scams and advice for victims: (858) 693-7935;
www.idtheftcenter.org.

    * Comptroller of the Currency: The regulator operates a
Houston-based assistance center for customers unable to resolve problems
with national banks: (800) 613-6743 (Monday through Thursday, 7 a.m. to
2 p.m. PDT);
www.occ.treas.gov/customer.htm.

    Source: Fair Isaacs Corp., American Bankers Assn., U.S. Secret
Service, Identity Theft Resource Center, Times research


VICUG-L is the Visually Impaired Computer User Group List.
To join or leave the list, send a message to
[log in to unmask]  In the body of the message, simply type
"subscribe vicug-l" or "unsubscribe vicug-l" without the quotations.
VICUG-L is archived on the World Wide Web at
http://maelstrom.stjohns.edu/archives/vicug-l.html

