Nowadays, just about anyone with a bank account has an ATM card for cash withdrawals and debit transactions. Whether you are a parent or not, or still a college student, the use of cash and cards for most purchases, online or otherwise, makes the ATM/debit card one of the most necessary items in your wallet or purse today.
However, there’s a downside. Because the debit facility is so convenient and the population of ATM/debit cardholders keeps growing, opportunities abound for scammers and hackers to help themselves to your account.
They do this in a million ways ─ by phishing for your personal information through emails, scam calls and SMSes or by stealing it straight off your ATM/debit card.
Imagine how your family, your livelihood or your lifestyle would be affected if your bank account got wiped out. How are you going to put food on the table or pay the month’s school fees and all your other financial commitments?
The thing is, banking security has become quite an issue these days, what with the pandemic rise in cybercrime, identity theft, scamming and hacking. Banks don’t issue bank books anymore; they only issue ATM/debit cards, which verify that you hold an account and give you right of entry to online banking. You have no choice but to do all your transactions through your ATM/debit card, which is the master key to all your money and all your other accounts in that primary bank account. In this sense, the ATM/debit card has become a very powerful yet perilous item to hold, even more so than the credit card (which gives access to the bank’s money, and not yours).
Card Cloning
And so you might have heard that your ATM/debit and credit cards can be cloned for fraudulent use. You’ve heard of gizmos and gadgets and even software implanted inside the ATM to copy all your personal data in order to clone your card, but you’re not sure if the story is true because you only heard it whispered through social media and…it hasn’t happened to you.
Well, I am here to tell you today that card cloning is for real because it happened to me.
This is a True Story
The following is a true account of what transpired.
I awoke early on Sunday morning (14th July 2019) and logged on to my account to pay some bills. To my shock and utter horror, I noticed that RM250 was missing from my account. Recorded clearly on my statement, someone had withdrawn cash from my bank account through an ATM machine on Saturday 13 July at 9.30am in Puchong when I was still sleeping at home.
How could this have happened? My card was safely with me at the time; I hadn’t lost it at any time in the past or present; no one knows my PIN number except for me, so how could a withdrawal have taken place without the card and PIN at the ATM machine? Unless of course, someone cloned my card, copied my PIN and broke into my account.
With my heart pounding in my mouth, I immediately called the bank to block the card. They advised me to make a police report (which I did later in the day); I then went to the bank to file a dispute form and get a new card.
After we hung up, I composed myself ─ I was shaking from fear and panic ─ and went through my statement with a fine-tooth comb, checking every single transaction throughout the month and the months before. None of the card purchases were incorrect; they all had the names of the supermarkets and stores I had gone to, but many of the cash withdrawals were dubious. There was not much that could be deciphered from the information on the cash withdrawals ─ only the amount, the exact time of the withdrawal and the location code of the ATM machine where the money was withdrawn from. For my ATM withdrawals, all of them bore the same location code ─ the bank branch where I always go to make cash withdrawals.
So how many of these withdrawals were fraudulent and how many were real, I could not tell, because they had been some time back and I had forgotten if I had made those transactions myself. I could only say with absolute certainty that I didn’t make the last three most recent cash withdrawals because my memory was still fresh.
Crime Mimics Your Financial Behaviour
Looking through my statement, I noticed a pattern to the crime.
- The amounts withdrawn were always small enough to go unnoticed. Each withdrawal was like RM100 or RM150 or RM250 at most.
- The withdrawals always had a time lapse of two to three weeks in between; they never occurred on an everyday basis.
- The withdrawals were always made at the ATM machine I frequented, meaning to say if my usual ATM machine was in, say Section 14, PJ, bearing a certain location code, there wouldn’t be a withdrawal coming from Klang or Kluang bearing never-seen-before location codes. Presumably, this is to ensure that no strange location codes would jump out at you to trigger an alarm. The objective is to make you dismiss all extra withdrawals as you having made them yourself at your usual ATM machine.
This is the modus operandi of the scammer ─ to mimic or clone your financial behavior and to be as low key as possible in all his fraudulent activities so that you don’t notice that anything is amiss. You won’t even notice that your money is missing and that way, he can go on milking you for a long, long time.
New Style of Scamming
At the bank, it seemed that they had never heard of this “new style of scamming” where very little is taken at two-week spans so that you wouldn’t know you’re being robbed.
“Usually, they would just wipe out your entire account,” they said to me.
They seemed rather incredulous that I had only lost a few hundred Ringgit and only a little at a time over an extended duration.
In any case, they said I was the first ever in Malaysia to report such a thing.
“Such a thing” may be new and unheard of in Malaysia, but to everyone else in the rest of the world, this style of stealing is actually old.
“Pay attention to your credit card statement,” advised the antivirus company AVG.com in an article in May 2019. “If your card has been compromised, the fraudulent activity may not always be in damagingly huge amounts, but could be a sequence of smaller transactions.”
Long Term Cookie Jar to Steal From
It makes sense if you put on the thinking cap of the criminal; this way of siphoning is more profitable in the long run. Let’s pretend you are the scammer and you have the cloned cards of some 2000 victims. If you withdraw only RM150 from each of them every two weeks, you would stand to collect a cool RM300,000 twice a month for the long term or for at least as long as the victims don’t know or keep quiet about it.
But if you only make a one-time hit and wipe out the account of only one or two individuals, how much could you possibly make? Most Malaysians are not multimillionaires, many are ordinary wage earners and an ATM card has a daily withdrawal limit which you can set yourself. Moreover, once wiped out, that victim would immediately know that his account has been emptied. He would definitely scream bloody murder and call the cavalry, starting an immediate alert to the crime and ending the thief’s chances of stealing more.
Why kill the goose that lays the golden egg?
The Clued-In Criminal Mind
From what can be seen, scammers and hackers have a very good grasp of human psychology. They know exactly how victims will react to small losses if they find out.
RM150 missing want to report? Leceh la. Yes, the amount is just too small to be worth the trouble of going to the police and having to follow up with the bank all the time. One cannot be taking leave from work every few days just to see if anyone is working on the case.
Or,
RM150 missing, want to make noise? Pai Seh ler! Yes, it is embarrassing to admit to being cheated and worse, to be robbed of such a small amount and then kicking up a big fuss about it. Most people will keep the incident hush-hush to “save face”. It works wonderfully for the criminal’s benefit as no one will ever know a crime has been committed.
So, by applying psychology to human behavior, criminals can get away scot-free.
Suspicious Activity Not Just at ATM Machines
The bank had a questionnaire that I had to answer when I made my report. These questions are to shed light for the investigation. One particular question stood out. They asked if I had noticed any suspicious gadgets or activity on the ATMs I had used over the past month.
Some of our banks are aware of Skimming and Shimming (methods where devices are installed on or inserted into ATMs to copy data, your CVV and PINs from cards while the cardholders are conducting their transactions at the machines).
Chip cards were implemented recently to stop skimming, which copies data off the cards’ magnetic stripes. But then, fraudsters are always 10 steps ahead. They created shimming to specifically tap data from the EMV chip on your card. So there you go.
Ghost in the Machine
ATMs that have been tampered with can behave strangely: they may make a strange sound when the machine is running, look fitted with additional objects or pieces, retain the cash you withdrew while showing a deduction in your account even though you got none of the money, or reject, decline or swallow the ATM card after the PIN has been keyed in.
When I looked at the questionnaire, I remembered an incident where there was indeed a strange occurrence. However it did not happen over the past month and it wasn’t at an ATM machine.
It was at a petrol kiosk, one I don’t often use but for some reason decided to swing in that day, and it didn’t occur one month ago but at least three to four months ago.
I, like many people, use my ATM/debit card to fill petrol. I slotted my card in at the pump and after keying in my PIN, my card was declined. But when I tried to pull the card out, it got stuck! So I pushed and pulled and struggled for a long time but it just wouldn’t come out. I called for help and one of the petrol pump attendants came to help pull the card out. He too couldn’t get it out. We tried everything, we even pressed Cancel many times, lifted and put back the pump handle to make sure the machine “read” the action, but still, my card remained stuck fast.
The petrol pump attendant then decided to open the machine. Maybe that would help release the card, he thought. So he went and got the key to open the machine. However, the inside was covered in a metal bracket and the card could not be pushed out from the back. All this took a long time, like 20 minutes to half an hour. By this time, we had called half the petrol station to help get the card out. And just when everybody got hot under the collar pushing and pulling, the card miraculously slid out at the last pull, like nothing happened.
The card worked fine elsewhere after that and since there was no further incident, I forgot about it. Until now.
Your Card can be Compromised Anywhere you Insert It
I do not know if this was how my card got cloned. If it was, then this story takes a more insidious turn in that your ATM/debit card can be compromised anywhere you insert it (at petrol kiosks, restaurants, bookshops, pharmacies, supermarkets, airport or train terminals) and not just at ATM machines. It also means fraudulent activity began on my card three or four months ago and not recently. It’s just that I didn’t know because the amounts drawn out were small.
What Can You Do to Protect Yourself?
I have a new card now, but what is there to protect this new card from also being cloned? It looks like nowhere is safe. But until better security measures can be put in place, here are some things you can do:
1. Scrutinize Your Statements Regularly
Check your statements regularly. However, for busy working parents wearing different hats and running about the day juggling timetables, who has the time to keep a constant eye on their bank accounts? Moreover, by the time you discover something wrong, the money would have flown and there is no guarantee you can get it back.
2. Report the Crime Immediately
Should you see suspicious activity on your statement, call your bank to block the card immediately. Make a police report, then give it to the bank to conduct investigations and get a new card. You will, however, have to pay around RM10.00 for the issuance of a new card. (Note: There is no guarantee you will get your money back, but at least you would have stopped further stealing from your account.)
3. Limit the Power of Your ATM/Debit Card
Do not link too many accounts and capabilities onto your ATM/debit card. This is to limit the number of doors a scammer can go through to access all of your monies should he break in. Do not set your online transfer or withdrawal amounts to be too high either, only give yourself enough to carry out your necessary transactions and not more. In other words, limit the power of your ATM/debit card. It may be inconvenient but you can always go back to change your options when you need to.
4. Don’t Lose or Drop Your payWave-Enabled Card
Be very careful about keeping your card safe. Your ATM/debit card has a contactless ability (called payWave). Should you drop your card, did you know anyone who picks it up can go for a shopping spree on your account? He only needs to wave your card without using a PIN.
And did you know that your payWave-enabled ATM/debit card can be copied? A contactless or payWave card communicates with the payment terminal by radio, using Radio-Frequency IDentification (RFID). That is how you can make payments without inserting the card and typing your PIN. All you need to do is to wave or tap your card on the terminal.
To copy your data from your RFID-emitting card, all a criminal has to do is to walk past you, place his radio frequency card reader near your handbag or back pocket to scan and copy all your data from your cards. He then uses this data to duplicate your card. RFID skimming is the new form of digital theft, also called electronic pickpocketing. The thief does not even have to touch you. It seems wrapping your cards in foil or keeping them in an RFID blocking wallet (or sleeve or pouch) is one way you can stop your card from being copied.
5. Don’t Use Your Debit Card for Online Purchases
Consider not using your debit card when purchasing items online. Credit cards are “safer” in a sense since a credit card transaction will take 10 to 14 days for your bank to process. If the transaction is fraudulent, it can become an item of dispute rather than an instant removal of cash from your savings account. A note about using credit cards however: do remember to pay 100% of the credit card expenditure or you will be accumulating 16% compounding interest on your balance. Never pay only 5%!
6. Activate your SMS Alerts for All Transactions
SMS alerts and notifications are life-saving. Any time you make a transaction ─ whether paying a bill or transferring funds online through your computer or smartphone or using your debit facility with your ATM/debit card to purchase something from a retailer ─ you get a Transaction Authorisation Code (TAC) and you also get an SMS alert that money has been transferred.
If your bank has this feature, activate your SMS Alerts for cash withdrawals as well. Cash withdrawals from ATMs are the only transactions that do not receive automatic phone notifications, and this is where the loophole lies for criminals. Someone could be withdrawing your money using a cloned card through an ATM machine right now and you wouldn’t know it because there’s no SMS alert.
You need to go to any branch of your bank and speak to the bank manager to subscribe to SMS Alerts for cash withdrawals. You will, however, be charged for the SMS Alert but in view of how widespread fraud and electronic crime are these days, it could be worth it for peace of mind.
Other Methods
- Cover your hand when typing in your PIN because there may be hidden cameras recording your PIN as you type it in.
- Change your PIN often and keep it secret.
- It is better to use ATMs that are connected to the bank, with security guards watching the place, and not standalone machines in open, unguarded areas such as those in shopping complexes, petrol stations, and airport and train terminals.
- If you can, minimise your use of the debit facility on your ATM card, even though it offers you great convenience to pay for purchases anytime, anywhere without cash.
- In particular, try not to use your ATM/debit card at petrol kiosks. These places are ungated and unguarded 24/7. Fraudsters can walk in at any time of the day or night to insert a shimming device into the card reading slots at the pumps. To be safe, use cash instead.
For more finance and wallet-care stories like this, visit Motherhood.com.my.