Scheme Sparks Fears of ATM Vulnerability

Sitting on a desk in a government office, it hardly looked like the paraphernalia for stealing $14 million from automated teller machines across the country.

U.S. Secret Service agents say, however, that the IBM personal computer, encoding machine, poster board, paper cutter, glue and roll of magnetic tape could have been used to pull off the biggest ATM heist ever.

“This one could have worked real well,” said Richard J. Griffin, head of the Secret Service office in Los Angeles.

Apartment Raided

It did not work because Secret Service agents raided a Los Angeles apartment 12 days ago and broke up what the government says was a ring created by a 28-year-old computer programmer with the aim of obtaining millions of dollars in cash from 7,400 Bank of America accounts.

But the scheme has sparked concern among executives of the nation’s vast network of ATMs, and details obtained in court records and interviews show the vulnerability of the system to criminals, particularly when an insider is involved.

“There has never been an attempt like this in the history of shared ATMs,” said Dale D. Browning, president of Plus Systems Inc., the nation’s largest ATM network and one target of the aborted scheme. “We can certainly learn a lot from it.”

Shirley Norton, a B of A spokeswoman, said, “I think the potential there should be very scary for the networks.”

ATMs have grown dramatically in the last decade as a means of providing banking customers with 24-hour access to their accounts. There are more than 72,000 ATMs nationwide, and Denver-based Plus Systems alone links 25,000 of the machines.

ATM systems, such as Plus, have played a big role in the growth. They allow customers of banks and thrifts to obtain cash wherever the network has a machine, not just at the customer’s own institution.

ATM crimes have been relatively minor, usually involving robberies of customers who have just withdrawn cash or small thefts by employees. But a study last year by the Bank Administration Institute, an industry research organization, found that losses nationwide were $40 million in 1986.

And as the machines have multiplied, so has the sophistication of the crooks.

Security Pacific National Bank in Los Angeles lost nearly $350,000 when a special card was used to steal cash from 300 customer accounts over the Veteran’s Day weekend last October. The theft, which federal authorities expect to solve soon, is the largest reported ATM crime.

The figure is dwarfed by the $7 million to $14 million that Assistant U.S. Atty. Carolyn J. Kubota in Los Angeles estimated could have been stolen in the latest scheme, which reflects a previously unseen level of ambition.

The Secret Service, an arm of the Treasury Department, has had responsibility for financial crimes involving counterfeit cards or access codes since 1984. Griffin said almost every case presents a new wrinkle or a higher level of sophistication.

Indeed, the uses for computers in the financial world have grown so rapidly that companies are having trouble developing security procedures to keep up. And even when they do, a determined thief is likely to find a hole.

Good Odds

“It’s like a terrorist assassin,” said Don Doll, a computer security expert in Washington for Kroll Associates, the nation’s leading corporate security firm. “If somebody really wants to get into the system and they are willing to spend the time and the money and they are intellectually capable, the odds are they are going to find a way.”

The odds improve if the person works for a bank or a business involved in processing electronic transfers of funds and if security procedures are ignored routinely, Doll said.

An insider played the key role in the alleged scheme broken up last week by the Secret Service.

Mark Allan Koenig is accused of devising the plan to make 7,400 counterfeit ATM cards and use them to obtain millions of dollars from Bank of America accounts. In cases of ATM fraud, banks customarily absorb the losses and reimburse customers.

Arrested with him were his wife, Jackie; her sister, Bobbi Jo Bobby; and Robert Hussey, identified as a friend and alleged accomplice. Koenig’s brother, Scott, was arrested the following day at his home in Lincoln, Neb.

Since 1985, Mark Koenig had been a computer programmer with Applied Communications Inc. of Omaha, Neb. He was working under a temporary contract in Los Angeles at GTE Information Services, a subsidiary of GTE Corp., the telecommunications giant.

The subsidiary handles electronic fund transfers for financial institutions and ATM networks, including Plus Systems and GTE’s own 286 ATMs in California.

According to court documents, Koenig had access at work to the account numbers and secret codes for ATM accounts at dozens of banks. He transferred the information for 7,400 B of A accounts to a computer disk and took it home. The documents said he used only B of A accounts so it would appear to be an inside job involving a bank employee once the thefts were discovered.

Griffin and Donald Chacos, supervisor of the fraud squad at the Secret Service, said Koenig smuggled an encoding machine out of his office to transfer the account information from his IBM computer to the magnetic tape, which is similar to that used on ATM cards.

Poster Board Used

The tape was glued to pieces of poster board cut in the shape of ATM cards and the cards were to be run through the encoder to receive the account information.

According to court documents, the group planned to fan out across the country over the President’s Day weekend and use the fake cards at hundreds of Plus System machines. The three-day weekend and the far-flung thefts were supposed to provide more time before the scheme was discovered.

ATM executives said they are uncertain that the poster board cards would have worked. Rita Champ-Jones, vice president of another ATM network, San Diego-based Star System, said she did not believe that ATMs would accept the cards, particularly for repeated transactions.

Plus Systems’ Browning said, “What we are trying to determine now is whether these cards would have worked.”

Court documents said the group used test cards to obtain small amounts of cash three times, and Griffin and Chacos are certain the cards would have worked.

How successful the scheme could have been will remain a mystery, however, because a sixth person who was supposed to be involved told the Secret Service about it and cooperated in an undercover investigation that led to the raid.

Despite the foiling of the alleged operation, Browning said the concerns it raised are serious enough that Plus Systems plans new steps to ensure that contractors comply with procedures to protect secret account information.

“If the security standards are implemented and enforced, there should not be any security breach,” he said. “We are now evaluating ways in which we can verify the enforcement of our regulations.”

John G. Clemons, director of public affairs for the GTE subsidiary in Tampa, Fla., said the company is conducting its own investigation into what happened.

“It may mean an audit of our security, but we think that our system . . . works well,” Clemons said. “But of course when something like this happens, you have to reconsider all security measures.”