$350,000 ATM Theft Exposes the Weak Link in Bank’s Security

The theft of nearly $350,000 from Security Pacific’s automated teller machines appears to represent a serious and embarrassing breakdown in the bank’s internal ATM security system, according to experts in the field.

A banking industry official confirmed Wednesday that a special card available to bank employees was used to gain access to about 300 customer accounts at Security Pacific ATMs and to withdraw $1,100 to $1,200 from each account.

The card enabled the person to change the secret access code to customer accounts and withdraw cash in excess of the daily limit, said the official, who spoke on the condition that his name be withheld.

An executive in the security department of another California bank said he was surprised that the scheme had netted only $350,000 since a single ATM often contains as much as $250,000 in cash on a holiday weekend.

“The only limit was apparently time, or they didn’t feel like they needed more,” said the executive, who also requested anonymity.

A spokeswoman at Security Pacific’s headquarters in Los Angeles has confirmed that $350,000 was illegally withdrawn from about 300 customer accounts at bank ATMs in the Los Angeles area over the three-day Veterans Day weekend.

The bank declined to comment on the methods used because of a continuing federal investigation into the case and its own internal inquiry, although the spokeswoman indicated that one avenue of investigation involves the possibility that one or more bank employees were involved.

Steev J. Pears, whose account was bilked of $1,200 Nov. 11, said Tuesday that he was told by the manager of his Security Pacific branch in Malibu that the bank believed the crime was an “inside job” involving the use of the special card.

The cards are used to open ATM accounts for new customers, and there are apparently hundreds of them within Security Pacific, the state’s second-largest bank.

The numerical codes that provide customers with access to their ATM accounts are the most carefully guarded link in the ATM security system.

The fact that Security Pacific maintains a card that allows a bank employee to alter customer access codes appears to violate a cardinal rule of ATM security and represents a substantial breach of procedure, several experts said.

“Why they would have such a card I do not know,” said Ronald K. Hale, who just completed a study on nationwide ATM fraud at the Bank Administration Institute, an industry-financed research organization outside Chicago. “Now they’ve become a good example to everyone else on what not to do.”

The security executive at the rival bank said, “It flies in the face of logic and all security measures to have a card like that.”

Security Pacific’s ATM system also lagged behind those at some other banks because it has internal cameras in only a few of its more-than-700 automated teller machines, said the banking industry official, who is familiar with the bank’s internal investigation.

As a result, the bank is not believed to have photographs of the suspect, said the official.

Hale and others said the loss of nearly $350,000 in the scheme makes it the largest reported ATM theft in the country.

The amount could have been much higher because the average ATM contains $50,000 to $100,000 in cash. On weekends that figure can soar to $250,000 or more for machines in popular locations.

“Given the sophistication of this crime, $350,000 is not a lot of money compared to what could have been taken,” the unidentified executive said. “This is a drop in the bucket.”

One factor limiting the amount may have been time. Security experts said someone would probably not want to attract attention by monopolizing a machine for a long period of time.

The bank has acknowledged that ATMs at several branches were used, and customers have reported in interviews that money was withdrawn from accounts as far apart as Central Los Angeles and Seal Beach in Orange County.

In addition, most ATMs are equipped with a warning alarm that signals a central processing center when cash in the machine dips below a preset level. The system is intended to allow the bank to send someone to add more cash to the machine.

However, if alarms had been triggered at a number of machines, it might have caused the bank to begin investigating the transactions, one ATM expert said.

Employee Opens Machine

Deborah K. Lewis, a spokeswoman for Security Pacific, said routine auditing procedures uncovered the scheme and that customers have been reimbursed. She also said new security steps have been instituted to protect against a repetition.

A central element in encouraging customers to use ATMs involves the secrecy that insures their sole access to their funds. This secrecy hinges on the customer’s ATM card and the numerical code required to gain access.

The codes are called personal identification numbers, or PINs. They are either generated randomly by computer and assigned to a customer or selected by the customer. In the case of Security Pacific, a new customer is taken to an ATM and allowed to secretly type in his or her own secret code. A bank employee first uses the special card to open the machine.

“Systems are built to protect the PINs with very intense security at every level,” said Rita Champ-Jones, vice president of San Diego-based Star System, the largest ATM network in the West.

Banks do not normally maintain a printed list of PIN codes. Rather, they keep the numbers encoded in their central computer systems with very restricted access.

Star, which links the ATM networks of 356 financial institutions in six states, has nothing similar to the special card that was apparently the weak link in the Security Pacific system.

$37 Million Lost Nationally

“This is a very bizarre case,” she said. “This is a fluke.”

Champ-Jones said the typical ATM fraud involves a small amount of money taken after a customer loses a card and has the secret PIN written somewhere on the card or in a wallet, something that banks warn customers against doing.

The study by the Bank Administration Institute found that 96% of the $37 million lost nationally in ATM fraud in 1986 involved unauthorized use of customer cards or fraud by customers themselves.

The only case of ATM theft that approaches the Security Pacific case in dollar terms involved a Houston man who stole $339,000 from 12 ATMs in 1986 and 1987 by drilling into the machines or manipulating the locks.

However, it took him three to eight hours to get into a machine, while the card that proved to be the weak spot at Security Pacific requires only seconds.