Tuesday, July 21, 2009

Phished! Beware of your ATM

[Update: A slideshow with pictures on how this could have been done is added to the bottom of this post now.]

[for those of you who are impatient, you can jump to the what should I do section]

The Incident

Last Friday evening, I was visiting the town of Antony, to see an apartment which I will be moving in come September, and M and I were passing close to a branch of my bank, Credit Agricole. So I thought "might as well withdraw some cash". So I went up the ATM attached to the bank wall, and put in my card.

Nothing happened.

The machine didn't even ask me for my PIN. It just ate my card.

So I pressed "cancel" a couple of times. Still nothing. Then I noticed a small notice with the bank's logo on it saying "sorry, this ATM is broken. The screen also won't show that. If your card is in there, please type your pin and press OK. Then type it twice and press cancel to get your card back. If it still does not work, come back tomorrow morning with your ID and check at the bank."

So I did that, and sadly, no dice. I guessed it was because I had pressed other keys. Ah well.

The next afternoon, I went to the bank, and asked for my ATM card. To my shock, the lady at the bank said that they cannot find my card! They asked me to call the bank's lost ATM line, and get a confirmation number, which I should then give to my _own_ branch (close to work) when it is open.

So (with M's help) I was able to lodge a complaint, and got a confirmation number.

The Surprize!

Today afternoon, I finally went to my bank (it is closed on Monday), and while the nice lady there was talking to me about opening an FD/savings account, I noticed that my bank balance had come down by around 1.5K Euros in the past 2 days!!

Turns out there was a contraption attached to the ATM machine that not only stole my card, but also my PIN number. The thieves had pulled out EUR 250 that same evening from the ATM (hitting the daily limit), and bought a bunch of stuff the next day. The total damage: EUR 1,278.

Following this revelation, I went to the police station with a copy of the bank records, gave my statement, came back to the bank and filed a claim for the missing money. I am told that I should get a new card in 10 days, and hopefully my money will be back in 15.

It is worth noting that the bank staff and the police people were very very helpful and comforting, especially given that my French is not that good :).

What YOU should do

Of course, this post will be useless without a set of action-items. So here they are:

  1. Do NOT use random, unknown ATMs. Prefer to use only the ones that are your bank's, or some other well-known bank's.

  2. Do NOT use ATMs attached to the wall and open to the road, even if they are outside your own bank (as I did). Always use the ones inside the bank. At least here in France, such ATMs are open 24x7, and since they have a ton of cameras pointing at them, hopefully the scamsters will avoid them.

  3. If your ATM eats your card, and the screen does not change, DO NOT MOVE. Call the cops, and tell them this happened. If the machine is broken, it will say so. If the monitor is faulty, the bank will NOT put a sticker below the machine, they will block the slot itself. Contrary to what I thought that evening, the banks are NOT that stupid.

  4. Re-read step 3. If this happens to you, CALL THE COPS.

Ah well, this is it. Feel free to forward this post as email to your friends (there should be an icon below this post). This, for one, is a true story. It happened to me!

More references:
1. http://www.snopes.com/fraud/atm/atmcamera.asp [China and USA]
2. http://www.theage.com.au/national/five-charged-over-500000-atm-scam-20090325-9aio.html [Australia]

Update: A sent me a presentation on how the machine could have eaten my card. Still not sure how they got my PIN.


  1. oh man what a scam. I'm glad you are on your way to getting your card/money back!

  2. @Tania. Yeah. Craziness. Be careful.

  3. Yeah..glad at least you are getting your money back :)

    Apart from this, users must be careful while using credit cards for online shopping. It is better to open one separate online account and transfer money in that account for shopping. In this way one never risks a huge amount of money.

  4. Daniel11:17 PM

    I heard about than sort of scam 15 years ago. I almost told you about when you said the bank didn't found your card.

  5. I'm not sure if you are aware of the 7/11 scam in the US too. The thieves installed sniffers on the network. I'd be worried about bigger and more widespread compromises.

  6. Really shocking - hope you get your money back

    I'd seen a news video on how while shopping the checkout guy used to swipe the cards twice - once into his device that captured all card info - using which they created duplicate credit cards and shopped ! So, even while the owner had his original card, there was another person shopping on his name ! also worked, as unfortunately signatures are not checked so thoroughly for credit card usage.

  7. @all: The post is now updated with pics on how cards can be stolen.

    @Sid: Yes, but with credit cards, there is a delay before the amount hurts your bank account, and you can choose simply not to pay that part of the bill. With ATM cards, the money goes out instantly!

  8. Boy...this is weird. Instantly, i started comparing it with our ATMs which 'eat' cards without much guilt...but thankfully without much damages too.

    Though giving your card to swipe in restaurants etc is still not safe and id do it only in rare cases, that too at establishments with good name or repute.

    Thanks for your list of 'caution' items.

  9. Varun: When a desi ATM eats your card, does the screen show an error message?

  10. Incredible. Glad it turned out with a happy, albeit frustrating, ending for you. Thanks so much for alerting people to this! I had no idea such a thing could be done.

  11. @Animesh

    Yes, most of the times it does. Though i remember once it was absolutely unresponsive, but i guess, the fear of fraud is in-built here and most of the people i know 'report' the 'eating' straight-away, getting the card blocked within minutes.

  12. Anonymous11:03 PM


    Maybe they have installed camera focussed on the keypad of ATM. That's why they asked to enter the PIN twice so they may guess the actual PIN using hand movement recorded over the camera.
    I have heard of this type of scam over web but never got the actual case (I guess I won't be able to say that anymore :P). Glad you got your money back. :)

  13. One day I got a call from my bank and I was offered a personal loan. The caller who was fluent in English and very polite asked for 3 digit number printed on the back of the card in order to process the request. I refused. Later on I was told that the bank does not ask for that number, if I had given that number to an unknown caller, he would have certainly ripped me off!!