‘Fraudbusters’ Go After Illegal Use of ATMs

Automated teller machines certainly save banks time and therefore money, and are believed to attract customers, but they do have some drawbacks. They also invite some fraudulent usage, to a great extent caused--directly or indirectly--by the customers themselves.

The size of the problem--as with many bank problems--is uncertain. Most bankers, averse as always to giving individual loss figures, quote a 1983 Justice Department report loosely estimating that the industry was losing $70 million to $100 million a year from ATM fraud.

Actually, if Lorna Jan Siepser has anything to do with it, they won’t be talking fraud losses at all, but gains made in fraud prevention. Siepser, Bank of America’s vice president for ATM risk management and a recognized expert in this relatively new field, prefers to note that banks without ATM card fraud prevention programs lose $1 per cardholder per year, compared to 50 cents or less at banks with programs.

The fraud itself is not always done by professional thieves, although almost half of the frauds on Lorna Siepser’s hit list involve people unknown to the cardholder. About 33% of ATM fraud is committed by thieves using cards lost or stolen from wallets. Another 15% involves cards intercepted in the mail even though the thief must intercept two pieces of mail--one containing the card and one sent separately with the owner’s personal identification number (PIN).

Fraud Closer to Home

The other half of ATM fraud starts closer to home: A surprising number of otherwise law-abiding people, Siepser says, believe that “it’s OK to rip off certain businesses--the phone company, Safeway, the B of A.” About a third involves household members--”anyone in or near the home,” says Siepser, “and having constant access to the consumer and the consumer’s possessions.” The category includes gardeners, nurses, relatives and particularly teen-agers, separated spouses or former partners, Siepser says. “Often there was authority to use the card at one time,” she adds.

Unlike lost or stolen cards, which are usually reported immediately, fraudulent card use by a household member takes longer to surface, Siepser says, “because 90% of the misdoers put the card back,” quietly and in the same place. The withdrawals aren’t discovered until they appear on a monthly statement, at which point the consumer tells his bank the transactions weren’t his.

Customers Themselves

A tenth of ATM fraud involves people knowingly given the card (and PIN code) by the customer, who authorizes them to withdraw money, if not so much. Another tenth involves customers themselves, who “did do the transactions, and deny it, or, in some cases, have a friend go to the ATM for them and deny authorizing it.”

A bank’s best solution to all these frauds is thorough investigation of each customer claim that something was an “unauthorized transaction” (the bank’s loss, if it was indeed unauthorized and the bank was notified within prescribed times). Given an ATM system’s internal data security, Siepser says, “there’s no way somebody can get into a customer’s account without using the customer card and its matching code. So the bank’s policy is that if your card and your PIN are in your possession, it has to be that you or someone close to you has used it.”

Siepser and her “fraudbusters” at B of A confer with the customer, establish the fact that both card and PIN were used and that the customer still has both, point out that the transaction was made (usually) near the customer’s home or workplace and ask the customer to think of anyone at home who could have done it. In many cases, the bank already has hidden cameras that videotaped the actual withdrawal (“I can tell you what they’re wearing,” Siepser says. “Once I could even read the badge of a postal employee who’d intercepted mail”).

If the card user turns out to be a child or someone else close, the customer usually withdraws the claim (“One out of 10 still say send ‘em up the river,” Siepser says). If it’s the customer or an accomplice, the bank may have already recognized and can cite a suspicious customer profile or pattern of activity, and although the burden of proof is on the bank, it helps in the resolution: “Two-thirds will withdraw their claim,” Siepser says.

It’s the unknown thief who is least easily caught but, ironically, most easily foiled: “In all cases,” Siepser says, “the PIN was written down somewhere near the card.” Increasingly, banks don’t mail out assigned customer PINs, which must be written down somewhere, but let customers choose their own, transmitting it to the bank’s computer in some way that immediately scrambles it. It should be “hard to guess but easy to remember-- a wife’s favorite flower, a man’s favorite sport,” says Siepser, adding that consumers should avoid birth dates, Social Security numbers, telephone numbers, height--in short, “anything found in your wallet. Thieves aren’t dumb.”

It is Siepser’s view that 85% of ATM fraud is preventable, because it involves consumer negligence with their cards and PIN codes. Even some of the mail interceptions depend on cardholder complicity: “Can you believe,” asks Siepser, “that customers will apply for a card knowing they’re about to move or go on a long vacation? That’s like just handing it over.”