Bogleheads.org

[TO]

My wife was a victim of a debit card skimming incident a few days ago. When reviewing my checking account activity online this morning, I noticed 5 consecutive $100 withdrawals from yesterday at the same ATM location in a neighboring suburb that we do not frequently visit. I immediately called Chase to report the unauthorized activity (they were cooperative and helpful, for what it's worth), and provided them with information related to our last authorized purchase.

We only use our debit card as an ATM card and for Costco purchases, since Costco only accepts Amex credit cards. When my wife went to the local Chase branch to pick up a new card, she told them again about her recent activity. They mentioned that someone in the exact same situation had stopped by the branch yesterday, and that person had made a debit card purchase at Costco on the same day as my wife. Since this seemed like too much of a coincidence, I reported the incidents to the manager at the local Costco (he, too, was polite and cooperative once he realized I wasn't seeking any sort of compensation).

The manager indicated that Costco performs an inspection of each and every POS card reader every day of the week to check for skimming devices (at least at this location). This appears to be an indication that they have encountered similar incidents in the past. It also appears that debit card skimming remains a concern even if appropriate precautions are being taken by merchants (assuming he was being honest about their security procedures). This encounter has provided me with an unfortunate reminder of the dangers of using debit cards.

A couple of side notes... The teller at Chase indicated that the perpetrator had tried to use the card for another ATM withdrawal this morning (luckily after we had already cancelled the card). Irritating. Also, I discovered the illicit activity while refreshing my accounts on Mint.com. I am aware of the potential security concerns associated with Mint, but today was an example of how monitoring your accounts with a similar tool can be beneficial. YMMV.

[scubadiver]

Thanks for sharing. These types of posts make great public service announcements.

[livesoft]

Alas, there have been several ATM withdrawals from our checking account this past week, too.


Unfortunately, they are all legit.

But thanks for sharing as well. My colleague has all transactions texted to his smart phone in real-time, so he catches anything unusual in seconds. He spies on his spouse this way, too.

[prudent]

Did Chase return the money to your account immediately?

[neurosphere]

Alas, there have been several ATM withdrawals from our checking account this past week, too.


Unfortunately, they are all legit.

So funny! I sometimes joke with my wife as I am importing data into quicken. Me: "Honey! Our credit cards numbers must have been stolen! There are [$xxx.xx] in purchases on them just this week!!!" Wife: "Uh, yeah! Call the police!".

[Watty]

Thanks for sharing. These types of posts make great public service announcements.

To avoid debit cards, this should be a wake up call to cancel it and just go with credit cards and an ATM card.

[TO]

Did Chase return the money to your account immediately?

Chase indicated that the missing funds would be posted to my account within 24 hours. They asked a series of questions before agreeing to this, but I think the fact pattern was such an obvious case of skimming that they did not seem overly skeptical.

[Frugal Al]

...avoid debit cards, this should be a wake up call to cancel it and just go with credit cards and an ATM card.

I couldn't agree more. Some banks really make it hard just to have and ATM card without a debit feature.

[sscritic]

...avoid debit cards, this should be a wake up call to cancel it and just go with credit cards and an ATM card.

I couldn't agree more. Some banks really make it hard just to have and ATM card without a debit feature.

I have an ATM/debit card but I never use it as a debit card. If I never swipe, how can I be skimmed? I guess they could install the skimmer in the ATM built into the bank's wall, but that ATM is an "eat it and spit it" out ATM; the skimmer would have to be inserted into the ATM in the slot that is only big enough for a card to fit. Plus it would have to have an independent sucking device as the skimmer would be covering the ATM's built in sucker.

On the list of things I am worried about, a skimmer inserted into the card slot of the ATM in the wall of my bank is about as far down on the list as you can get (along with about another million things, like the earth ending on 12/21).

[CABob]

We only use our debit card as an ATM card and for Costco purchases, since Costco only accepts Amex credit cards.

Are you thinking the event happened at one of the reader devices located at Costco checkout or at an ATM located at Costco?
I would think the former is unlikely and I don't recall seeing an ATM at a Costco, but, then I haven't looked for one.

[dm200]

...avoid debit cards, this should be a wake up call to cancel it and just go with credit cards and an ATM card.

I couldn't agree more. Some banks really make it hard just to have and ATM card without a debit feature.

For some reason, I believe most banks and credit unions have eliminated the ATM-only cards. They all tend to be both.

[prudent]

I have been successful in getting "ATM-only" cards from a bank and a credit union. When the card expires they send a debit card as a replacement and I have to call and ask again for the ATM-only version.

[dm200]

We only use our debit card as an ATM card and for Costco purchases, since Costco only accepts Amex credit cards.

Are you thinking the event happened at one of the reader devices located at Costco checkout or at an ATM located at Costco?
I would think the former is unlikely and I don't recall seeing an ATM at a Costco, but, then I haven't looked for one.

My guess is that a COSTCO employee, who handled your card, used a palm-held skimmer to grap the information. Many of these devices, when used by a "talented" operator, are ot at all apparent to the card holder. Most often, they are used by folks like waiters, but maybe COSTCO is employing them now.

There is probably some sort of video/camera images of the person(s) who withdrew the $100. Seems odd that they would just get $100? Why not more?

[dm200]

Alas, there have been several ATM withdrawals from our checking account this past week, too.


Unfortunately, they are all legit.

So funny! I sometimes joke with my wife as I am importing data into quicken. Me: "Honey! Our credit cards numbers must have been stolen! There are [$xxx.xx] in purchases on them just this week!!!" Wife: "Uh, yeah! Call the police!".

My wife was a victim of identity theft on a credit card. Actually, it turned out just fine - the thief spent less than she does.

[sscritic]

I have been successful in getting "ATM-only" cards from a bank and a credit union. When the card expires they send a debit card as a replacement and I have to call and ask again for the ATM-only version.

I don't understand the advantage of the debit-less card if you never use the ATM/debit card as a debit card. If I should be afraid of having an ATM/debit card in my pocket or in my desk drawer (where most of them are), I would like to know.

[dm200]

I have been successful in getting "ATM-only" cards from a bank and a credit union. When the card expires they send a debit card as a replacement and I have to call and ask again for the ATM-only version.

I don't understand the advantage of the debit-less card if you never use the ATM/debit card as a debit card. If I should be afraid of having an ATM/debit card in my pocket or in my desk drawer (where most of them are), I would like to know.

If you only use the card for ATM transactions, but it has the debit capability -- and you lose it, the person who picks it up can, generally quite easily, use it (even without the PIN) to buy things. "Credit" transactions with a "debit" card do not require the PIN. Recently, many machines want the ZIP code, but otherwise , security is minimal. The PIN would be needed for ATM withdrawals.

[Mudpuppy]

We only use our debit card as an ATM card and for Costco purchases, since Costco only accepts Amex credit cards.

Are you thinking the event happened at one of the reader devices located at Costco checkout or at an ATM located at Costco?
I would think the former is unlikely and I don't recall seeing an ATM at a Costco, but, then I haven't looked for one.

There have been documented cases of skimmers located at other retailers' checkout lines. Barnes and Noble released a press release about such an incident a couple of months ago (http://www.barnesandnobleinc.com/press_releases/10_23_12_Important_Customer_Notice.html). Over 60 of the PIN devices at their registers had been compromised at stores nationwide. There are professional thieves who specialize in making and selling skimmers to replace the PIN pad devices at point-of-sale locations (http://krebsonsecurity.com/all-about-skimmers/ details several of such attacks, along with traditional ATM skimmer attacks). So what makes one think that Costco is immune to such an attack?

[fareastwarriors]

Thanks for sharing. Never had an incident yet. But it is good to be aware of these kind of situations.
The only withdrawals are from me. =(

[mhalley]

My bank wanted to give me the "fake visa" debit card, but after specifically requesting an ATM card only, they gave that to me. So, if you really want only an atm card, ask your bank if they have that option.
Mike

[pascalwager]

Earlier this year skimmers were installed in the Lucky Supermarket self-checkout machines in many stores around the SF Bay area. Some people lost a few hundred to a thousand dollars.

[Default User BR]

I have been successful in getting "ATM-only" cards from a bank and a credit union. When the card expires they send a debit card as a replacement and I have to call and ask again for the ATM-only version.

In the past, USBank would also restrict the existing card to ATM-only until the replacement arrived.


Brian

[tfb]

My wife was a victim of a debit card skimming incident a few days ago. When reviewing my checking account activity online this morning, I noticed 5 consecutive $100 withdrawals from yesterday at the same ATM location in a neighboring suburb that we do not frequently visit.

I wouldn't be so fast to blame Costco for this incidence. Fraudulent ATM withdrawals require stealing your PIN as well. It's a lot harder to steal your PIN at Costco versus an unattended ATM machine. Stealing the pin usually requires a camera that records your entries. It's not easy to mount the camera at Costco.

[Mudpuppy]

My wife was a victim of a debit card skimming incident a few days ago. When reviewing my checking account activity online this morning, I noticed 5 consecutive $100 withdrawals from yesterday at the same ATM location in a neighboring suburb that we do not frequently visit.

I wouldn't be so fast to blame Costco for this incidence. Fraudulent ATM withdrawals require stealing your PIN as well. It's a lot harder to steal your PIN at Costco versus an unattended ATM machine. Stealing the pin usually requires a camera that records your entries. It's not easy to mount the camera at Costco.

Skimming has long since evolved beyond putting a skimmer and camera on an ATM like it was originally. If they replace the entire card swipe and PIN entry pad device with a counterfeit device, no camera would be needed to record the PIN. This is a very common attack now, even at manned and video-recorded registers. They can swap PIN pads for counterfeit devices at manned registers by employing the classic technique of distraction and rarely is someone watching the video feed in real time to catch them red-handed. Such counterfeit devices have existed in-the-wild (e.g. actively being used for swiping incidents) for at least half a decade. The Barnes and Nobles incident this year was only the latest in a long string of such attacks.

That the Costco manager in question inspects his machines daily means they are on the alert for such attacks, but visual inspection alone is not good enough for some of the counterfeit devices. There is a very sophisticated black market in these devices, particularly to make devices that are visually identical to the legitimate devices. It's a difficult problem for merchants to guard against, because, short of gluing all their PIN pad devices to the checkout lane furniture (and then what if someone in a wheelchair can't reach it?), it's nearly impossible to prevent and hard to detect.

Edit: I suppose they could mount the PIN pad to one of the alarm units that sends an auditory alert when the pad is moved too far away from the base (normally used to secure demo units in the electronics section). But then the clerks would need a way to temporarily disable the auditory alarm for the customers who need the PIN pad moved for normal transactions or it would get annoying very quickly.