Almost as soon as banks introduced the automatic teller machine 20 years ago, crooks started tapping into the system.
At first, their approach was crude - peek over a bank customer's shoulder at a machine, copy down the person's PIN, and then figure out a way to steal the card.
But that's a hit-or-miss scam, like trolling for fish. These days, financial institutions and bank customers face the criminal equivalent of gill nets - computerized networks that can rake in information from thousands of unsuspecting victims per day, per ATM.
"Some of these schemes are so sophisticated that they can be hard for people in the business to detect," says Kurt Helwig, executive vice president of the Electronic Funds Transfer Asso- ciation.
The newest device for stealing information is a thin, transparent-plastic overlay on an ATM keypad that captures a user's identification code as it is entered. To the card holder, it might look like some sort of cover to protect the keys. In fact, microchips in the device record every keystroke.
Another transparent device inside the card slot captures card data. While the cardholder completes the transaction, a computer attached to the overlay records all the data necessary to clone the card.
Restaurants represent another security leak, according to special agent Jim Kollar, head of the United States Secret Service fraud team in Los Angeles. He says employees sometimes pass ATM cards through hand-held card readers as they carry them toward the cash register. Mr. Kollar says he's seen similar schemes in convenience stores.
Some ruses are right out in the open. In one especially successful scam, a hand-lettered sign directed ATM customers away from a bank machine. The sign explained that that machine was out of order, and asked customers to use another terminal - which turned out to be to a card reader set up by a fraud ring, Kollar says.
Once they have the card data, criminals use commercially available card writers - some selling for as little as $150 - to make bogus cards.
Last year, the American Bankers Association (ABA) reported fraud involving debit cards had cost banks nearly $51 million. The industry has fought back. ATM-maker Tidel Engineering, for example, has redesigned its keyboard so that it will break immediately if someone tries to insert a data-catching device, called a "wedge," between the keyboard and the computer.
The antifraud software division of Fair-Isaacs Corp. has developed a program that keeps track of ATM users' spending habits and flags unusual transactions. Other software tries to catch geographical anomalies - say, if a card is used to pay for groceries in Los Angeles, then for other purchases in Rome hours later.
In such instances, the bank generally absorbs the loss. Under Federal Reserve regulations, ATM cardholders can be held liable for no more than $50 if they report a lost or stolen card or an unauthorized transaction within two days. As financial institutions have reduced the number of their branches and tellers, they've often encouraged customers to use ATMs by offering a "zero liability" policy in cases of theft or fraud.
But in cases where there is no obvious theft, bank-fraud investigators can be skeptical.
"There are people out there who will pretend they've been defrauded," says John Hall, a spokesman for the ABA. "It used to be that it was very difficult to get the PIN, and often it turned out that the perpetrator was someone the victim knew. Now that they've come up with these skimming devices, the thefts are much more advanced."
Kelly Quick, a compliance officer at a Los Angeles investment firm, agrees. He says he still can't figure out how somebody used his ATM information in January to withdraw $1,420 from his Bank of America account. The bank credited his account for that amount, then took the money back three weeks later, claiming that "the transactions were authorized."
Mr. Quick says it took another month of arguing with bank officials to get his money back. Bank of America spokesman Harvey Radin declined to discuss Quick's case, but called the bank's investigations of any such cases "thorough."
But Jay Foley, codirector of the Identity Theft Resource Center in San Diego, says these investigations aren't thorough enough.
"Basically, right now you have X amount of days to clarify the situation with the bank, but the bank is the one that's holding all the cards," he says. "They have the ATM machine. They have the video machine on the ATM that recorded the transaction. They know the time and date of the transaction. They have the ability to look it up and see, was that you standing there or not? But they ... expect you to prove you weren't in that town and didn't use that ATM," he says.
In 1999, the federal Office of the Comptroller of the Currency, which oversees federal banks, received 251 complaints from bank customers, claiming fraud investigators had mishandled their claims. Complaints nearly tripled by 2002, the last year for which figures are available, to 715.
While that's a tiny fraction of total ATM transactions, bank officials acknowledge they're paying attention. For one thing, they say, most people don't even know about the Comptroller of the Currency. A bank customer who pursues a complaint must be pretty angry, and some banking officials are starting to urge a gentler approach with customers.
"It's an ongoing debate," Mr. Hall says. "Banks are constantly walking a tightrope between convenience and security."