Consumers, Banks Clash as ATM Fraud Escalates

Despite bank promises of “zero liability” for customers victimized by automated teller machine fraud, getting credit for stolen funds isn’t always automatic, as Kelly Quick of Studio City learned recently.

In January, Quick discovered that someone had tapped ATMs to siphon $1,420 from his Bank of America checking account. He notified the bank, and the missing funds were credited to his account while BofA looked into the matter.

After about three weeks, the bank took the money back, saying it had “determined that the transactions in question were authorized.”

The withdrawals at branches in Hollywood, Canoga Park and Sherman Oaks were indeed made using Quick’s personal identification number. But his ATM card had not been lost or stolen, and he had not disclosed his PIN to anyone.

Quick, a 33-year-old compliance officer for a Los Angeles investment advisory firm, complained angrily to the bank. After a month of what both sides describe as intense exchanges, BofA again returned the money to his account.

That’s proof, said spokesman Ken Preston, of the bank’s willingness to work with customers who believe they have been wronged.

But Quick’s experience with BofA highlights something else: the growing friction between banks and their customers as crooks use increasingly innovative tactics to rob ATM machines.

Debit cards, widely used to withdraw cash and pay for goods and services, are popular targets for thieves. And as fraud claims rise, some financial institutions are taking a tougher stance on refunds, especially in cases such as Quick’s where there is no hard evidence of theft or fraud.

That appears to be creating a backlash. Consumer complaints about banks’ handling of unauthorized ATM transactions nearly tripled from 1999 through 2002, according to the Office of the Comptroller of the Currency, which regulates national banks.

“In the attempt to minimize losses, some bank staff may have become too hardened and are angering clients,” said Richard Hartnack, vice chairman of Union Bank of California and chairman of the California Bankers Assn.

Consumer advocates say that is definitely the case.

“The banks are really quite reluctant to give you your money back,” said Linda Foley, founder of the Identity Theft Resource Center in San Diego, a victim support group. “How are you going to prove that you or someone you know didn’t max out the account?”

Under Federal Reserve regulations, consumers are liable for no more than $50 when they report missing debit cards within two business days. (If they wait longer than two days, the liability rises to $500; after 60 days they must bear the entire loss.) The same rules apply when a PIN or card data are stolen.

In clear-cut cases of fraud, such as a stolen card, customers usually don’t have to pay a dime, because zero-liability policies have become a marketing tool for banks.

Recent Bank of America ads, for example, promote not only the ubiquity of the bank’s ATMs but also the elimination of cardholder liability for unauthorized purchases, as long as customers promptly alert the bank to lost or stolen cards.

It can be a different story when no obvious theft is involved. Such cases frequently involve family members, romantic partners or friends with access to cardholders’ PINs. Bank investigators often are skeptical in cases in which a customer could have been involved in the fraud.

And now identity thieves -- who use stolen personal and financial information to drain bank accounts and gain unauthorized access to a victim’s credit -- are so good at their jobs that it can be days or weeks before holders of debit cards realize anything is amiss.

As identity theft in general and debit card fraud in particular have grown in recent years, federal regulators have tried to make sure banks investigate thoroughly before rejecting customers’ claims of ATM fraud.

The Comptroller of the Currency advised banks in late 2001 that it was concerned that some were rejecting claims of ATM fraud solely because customers could not provide evidence that their debit cards or PINs had been “misappropriated.”

“These facts alone may be insufficient to establish that a transaction was authorized” and that a refund should be denied, the OCC said, because customers may have been defrauded by criminals who obtained PINs by such techniques as watching as the numbers were entered on the ATM keypad.

In fact, “shoulder surfing” is an outdated, low-tech approach. Thieves no longer need to steal a debit card to gain access to a bank account through an ATM. They simply make the cards themselves.

Debit card information is stolen by using data-reading “wedges” like those used in card-swiping machines at retail checkout counters. The wedges, which used to measure 4 inches by 2, have become so small they can be easily hidden in the pocket or palm of a waiter or cashier, said Secret Service special agent Jim Kollar, head of the agency’s fraud squad in Los Angeles.

What’s more, the wedges, along with blank magnetic-strip cards and the paraphernalia needed to turn them into duplicates of real cards using stolen information, “can pretty much all be bought on the Internet,” Kollar said.

Getting a PIN is harder, but fraud artists have found ways to do so without detection -- as in using remote cameras and miniature electronic scanners, said Steve Platt, a vice president in the anti-fraud software division of Fair Isaacs Corp.

Investigators recently have seen increased use of a new high-tech device: a thin overlay slipped unnoticed over the keypad of an ATM. The overlay contains computer chips that record PINs as they are entered by unsuspecting customers. That information then can be matched against customer data provided by an accomplice working inside the bank or gas station.

“Ten or 15 years ago it was more opportunistic -- they’d steal your wallet or look over your shoulder,” Platt said. “We’re seeing less and less of that today and more elaborate frauds, with multiple players. It’s organized crime.”

Saying that debit card losses are “growing at an alarming rate,” the American Bankers Assn. made its first detailed survey of the problem last year. It reported that frauds involving PIN-based debit cards cost banks nearly $51 million in 2001.

Complaints to the OCC about how banks handle unauthorized ATM transfers have risen sharply, from 251 in 1999 to 711 last year, outpacing the growth in the number of ATM transactions.

“The actual number of problems is certainly far higher,” said OCC spokesman Bob Garsson, noting that few bank cus- tomers are aware of the agency’s Houston-based consumer complaint division.

At Bank of America, the size of its ATM network stayed steady at about 13,000 machines during the four years, while complaints to OCC about BofA’s response to unauthorized ATM transactions rose 267%.

Liam McGee, president of BofA’s Los Angeles-based National Consumer Bank, declined to comment. Spokesman Preston said the bank was “aware of the ATM fraud issues” and was “working very closely with our internal security partners, as well as with local law enforcement agencies.”

Kollar, the Secret Service fraud supervisor in Los Angeles, said that genuine victims who assert their rights will eventually get their money back, “but it’s going to take a lot longer than with a credit card.”

And that process can take its toll, said Quick, who had been a customer of Bank of America since 1996 and had never before had a debit card problem.

When he received the notice that the bank denied his claim of fraud, he said, “I was furious, and I felt basically powerless.”

Debit card fraud is more prevalent at gas stations, convenience stores and other such non-bank locations for ATMs, and Quick speculates that his card data and PIN might have been stolen at one of the minimarkets he frequents. But he figures he’ll never know for sure.

“When I finally got to speak to the investigator the day before they credited my money back, I mentioned to her about shoulder surfing. She said, ‘Do you ever recall anyone looking over your shoulder?’

“I said no. That’s why they call it shoulder surfing -- you don’t know someone’s doing it.”

*

(BEGIN TEXT OF INFOBOX)

Tips for preventing ATM fraud

Change PINs often, don’t give them out, and don’t keep lists of PINs and passwords in wallets or purses. Don’t use birth dates or other personal numbers. Memorize the numbers.

* Check for people watching as you use ATMs, cover the pad as you punch in your PIN, and be alert for devices placed over the keypad or in the card slot. Be especially wary at gas stations, minimarts or other non-bank sites.

* Never provide personal or financial card information over the phone, unless you initiate the call.

* Go over your bank statements closely and immediately report suspicious transactions.

* Don’t respond to “account verification” requests for financial information sent over the Internet.

Where to go for help:

* Identity Theft Resource Center: The nonprofit organization provides information about scams and advice for victims: (858) 693-7935; www.idtheftcenter.org.

* Comptroller of the Currency: The regulator operates a Houston-based assistance center for customers unable to resolve problems with national banks: (800) 613-6743 (Monday through Thursday, 7 a.m. to 2 p.m. PDT); www.occ.treas.gov/customer.htm.

Source: Fair Isaacs Corp., American Bankers Assn., U.S. Secret Service, Identity Theft

Resource Center, Times research

Los Angeles Times