You are on page 1of 8

The Phantasm of ATM Withdrawal

Despite the stringent legislation and increased enforcement aimed at combating financial crime, fraud using
cash machines remains a public concern. The problem of ATM frauds is happening on a global scale and its
ramifications have been felt in Australia as well. This paper highlights the stratagems of this financial crime.
The abusive use of the ATMs with its intelligent methods used by perpetrators with some global reported cases
will be illustrated in the paper. In addition, protection tools and techniques for banks, financial institutions and
customers to mitigate this crime will be discussed. Most interestingly, security protection by biometrics and
their exceptions will be illustrated in this paper. This is an informative article to educate readers to be aware of
fraudulent crimes perpetrated using ATMs.

Automated Teller Machine (ATM), fraud, Lebanese Loop, skimming, counterfeit, Personal Identification
Number (PIN), biometrics


Automated Teller Machine or ATM is widely used now these days. It makes financial transaction of
cardholders’ easier. People do not need to carry a lot of money with them all the time because there are
available electronic machines to facilitate transactions whenever and wherever they want. However, the used of
ATM can bring problems towards the cardholders and financial institutions when skimmers take advantage of
unsuspected cardholders. Financial crimes, especially ATM fraud and Identity fraud are the serious issues at
this era. They are continuously on the increased. Financial crimes have big impact to the economy of the
nations. In one year the financial crime cost the economy about $60 million US, and this did not include the
identity fraud which was $625 million US annually (Cato, 2007). It is very interesting to discover why ATMs
fraud is becoming more targeted and the different attacks toward ATM cardholders.

ATM and the facilitation
“The traditional ATM was just a cash machine, and the reason why that will not survive is that cash is being
targeted for extinction, with a specific focus from contactless payments”(Kitten, 2007). Therefore, financial
institutions are trying to improve the payment method through ATM facility. Kitten (2007) wrote about the
advantage of ATM beside cash withdrawal that “That might be depositing checks, accepting payments, paying
bills, offering advertising, dispensing tickets, topping up contactless payment devices or even downloading back
statements to PDAs … but it won’t be dispensing cash.” These are the reasons why ATM is becoming more
targeted from financial skimmers.

The Strategy of ATM fraud is getting more complicated and a technical assault. Many unsuspicious customers
are victimized from skimmers without advanced warning. Basically, criminals have common ways to take the
money and obtain personal details from customers by the low/ high technological methods. The methods that
criminals usually execute in abusive action are shown below:

Lebanese Loop
This technique is well known in criminal financial fraud reported. Lebanese loop is a sort of skimming method
in which “a plastic envelope is made up that fits the hole in the machine perfectly” (Mikkelson, 2006). When
the card is inserted, the machine will not be able to read the card even the PIN numbers is keyed in correctly
many times. At this stage, the skimmer will pretend to be an innocent assistant and try to help the victim by
asking that person to put the PIN numbers again or try to help him/her taking the card back. Eventually, the
victim will give up and walk off without card along. The skimmers will wait until they are sure that that person
will not come back in a certain period, and then they start to pull the plastic envelope out and take the card away
with the memorized PIN numbers. The case below is one of such example claimed by Mikkelson (2006); which
happened to a lady in HSBC at Hanover Square on Saint George Street where the ATM machine rejected to
return her ATM card.

“A lady approached me and told me that this had happened to her the other day and what I needed to
do was key my pin number in and then press cancel twice. I did this and of course no card was returned.
I left the machine thinking that it had swallowed my card. But when I returned to HSBC the following
morning, my card wasn't there”.

Recently, the Lebanese loop was introduced with the latest accessory which is a “thin, clear, rigid plastic
'sleeve' and/or x-ray film cut to the size of the slot machine” (Cottrell, 2007) in order to block the machine not
to be read data from the magnetic strip from the back of the card. Thus, the machine will require customers to
re-pin the PIN numbers again and again. At the time, the skimmer will come along and offer the customer a
help (Mikkelson, 2006).

Another material of Lebanese loop, the obstructed material can be made from a length of tape which is inserted
into the card slot so that the card can be trapped and refuse to return to the customers (North East Fraud Forum,
n.d.). In the end, the criminals will continue their duty as a kind assistant as described at above. To protect
customer from Lebanese loop attack; therefore, checking the ATM machine before the card is inserted is an
appropriate way to execute. According to the (Mikkelson, 2006) suggested this technique that “The way to
avoid this is to run your finger along the card slot before you put your card in. The sleeve has a couple of tiny
prongs that the thieves need to get the sleeve out of the slot, and you'll be able to feel them”.

← Card insert panel
↑ Magnetic Trapped tape

Figure1. An inserted tape inside the card slot

A counterfeit slot machine

This method is described an act of crime in which the original card slot is covered with the forged and similar
one. The spurious card slot will skim the ATM card number and card details from the magnetic strips on the
back of the card ("ATM Camera", n.d.) and the skimmer who usually sits inside the car in the nearby car park
will receive the data from the equipment they installed on the front of the ATM machine ("ATM Scam", 2006).
Mckinnon (2007) claimed from Patton’s concept in the Knight Ridder Tribune Business News that “Thieves
then sell the information they gather, which can either be temporarily stored on the scanner or sent by signal to
a device nearby, or they encode duplicate cards.” The new duplicated card can be a plain white cards, plastic
cards or telephone cards which are able to encode a data on them (North East Fraud Forum, n.d.). Also, the
issue about ATM Advice - How to protect your card details (n.d.) in North East Fraud Forum website described
how the forged ATM card works after the data is captured.

“Numbering each one they then have a book, which lists the numbers and the correct pin number for
that card. These will then be taken either within the next hour or in the early hours of the next morning
to a cash point and each one fed in with the relevant pin number and the maximum amount of cash is
taken out. They could possibly have up to 40 cards in their possession with a possible £300.00 for
each card £12,000.00 - not bad for a few hours work”.
The counterfeit slot machine is hard to notice due to the colour, shape, and material is designed to imitate the
genuine one. However, if any part of the machine is convex and look unusual, it can assume that the machine is
being counterfeited.

Leaflet holder captured
This technique is committed by embedding a minute wireless camera inside the leaflet box close to the keypad
and screen. The hidden camera will capture and monitor when customers key their PIN. The effective camera
can transfer the films and photos to the nearby receiver up to 200 meters ("ATM Camera", n.d.). This technique
is real performed in Bradesco, a Brazilian bank in South America where the criminal wanted to steal
information and money from the bank customers ("ATM Camera", n.d.).

Figure2. The angled view of the wireless camera in the leaflet box

Hidden Camera in the Fake Top Panel

This method is very similar to leaflet holder capture, but the position is different. The minute and thin camera
which is around 7cm high ("ATM Camera", n.d.) will be hidden inside the fake panel embedded at the top of
the ATM casing, and it is hard to be seen from people as the color and texture are very similar to the real one.
The camera is used to film the PIN entry on the keypad ("ATM Camera", n.d.). “There is a transmitter inside
this device possibly the same type as found in the plug in door bell chimes this will transmit the images of the
customer entering their pin number to someone sitting in a car up to 150 yards away monitoring a laptop
computer” (North East Fraud Forum, n.d.). This technique has been found in Hong Kong (January 2004) where
the camera was hidden inside the ATM machine of the Hang Send Bank branch in Tsuen Wan, for example
("ATM Camera", n.d.).

Shoulder surfing
Obviously, card-skimming is accomplished through a low-tech method as shoulder surfing; a simple technique
which skimmers usually stand behind the victim and try to look over the victim’s shoulder to view the PIN or
they might listen to the sound of keystroke PIN pad and memorize it in order to commit the card fraud or card
theft (Bidwell, 2002). Obviously, there is easy way to notice the skimmers that there is only the suspicious
person will stand too close or stand in the angle position on besides of the person who is taking the money out
of the machine.

Captured plastic skimmer
Another obvious card skimming device called keystroke captured skimmer. It is a thin and transparent plastic
with the microchips recorded device underneath; which is overlay on the top of the ATM keypad and looks like
a normal plastic covered. The texture of the keypad will be smooth and greasy. In fact, it is used to capture the
keystroke when customers press the PIN numbers (Richard, n.d.). This plastic misleads customers that it is a
new used keypad or it is used to cover the dust or cover the printed number keypad not to fade too early. In
addition, some ATM machines are covered with the fake keypad covered which is similar to the real one;
however, this makes the keypad a bit higher than usual.

Figure3. A Captured plastic Cover is designed to mislead customers

Other skimmers

It might be wrong when people think that ATM fraud can happen with the withdrawal machine only. In fact,
there is a risk of ATM fraud happen inside the shops such as restaurants, kiosks, and convenient stores. These
point-of-sale outlets may be operated or compromised with the card skimmers or fraudulent employees by
installing the counterfeit hand-held card reader to capture the PIN when customers press their identification
code on the machine it will capture the data and transmit to another receiver machine nearby (Richard, n.d.).
This is hardly notice because most customers seem to trust the point-of-sale system.

What will happen with the skimmed data? According to the The Model Criminal Code Officers' Committee,
February (2006) explained the about the data skimming that

The ‘skimmed’ data is generally stored in the skimmer and then transmitted to a computer. The data
can then be downloaded onto another magnetic strip, in most cases a counterfeit credit card which
becomes an exact copy of the original. However the skimmed credit card data can be downloaded onto
any form of media that has a magnetic strip, including a library card, a security card or even a parking
ticket. (p.4)

It does not take too long for criminal to get the money out of the bank as long as their can get either or both of
ATM card and PIN numbers. Usually, data on the counterfeit card is likely to be withdrawal the cash from the
ATMs rather than purchase products at point-of-sales counter due to the fact that it is too obvious and easy to
get caught when skimmers buy something with the forged card the (The Model Criminal Code Officers'
Committee, February 2006). Thus, the skimmers use their assist equipment helping them to copy the card and
use PIN numbers to withdraw all the money from the ATM before it will be deactivated from the real
cardholder ("ATM Camera", n.d.). At the same time, these criminals always use the fake card and take the
money out in other cities where it is harder to detect from the police (Cato, 2007).

After the authorized customers found that their money had been stolen, of course they must deactivate their card
and freeze their money from whoever wants to take the money from them. Nevertheless, by the time they
realized that there might be something wrong with their card; they probably lost all money in the card. Most
interestingly, there has been found that card skimming is processing in a serious commerce in Australia in
which the skimmed details are transmitted to the other countries to keep the data onto the forged card and sold
them to tourists to spend that money on the card (The Model Criminal Code Officers' Committee, February

Banks and financial institutions are trying to develop intensive ATM fraud countermeasures in order to protect
their assets, finance, and customers’ lives and assets. The countermeasure has been divided into two parts of
security protection measures:
• Banks and financial institutions’ assets protections
• Banks and financial institutions’ customers and assets protections

Banks and financial institutions’ assets protections
The purpose of this part is protecting banks and financial institutions’ properties not to be modified,
manipulated and destroyed to make the banks loose their reputation and creditability towards users. These are
the methods that being used to protect the properties:

1. Installing a jitter mechanism; the detective sensor to deter skimming with a vibration technology which
protects the data on the card not to be read accurately by the fake card reader ("Diebold Launches First-of-Its-
Kind, Consumer ATM Security Web Site", 2005)

2. Installing vigilant detective systems ("Diebold Launches First-of-Its-Kind, Consumer ATM Security Web
Site", 2005).These systems allow all suspicious activities and including suspicious object skimming devices are
detected and transferred the signals to alert the authority to stop processing transaction and/or mechanical

3. Installing the camera surveillance to record all activities within inbounds.

4. Installing deep and recess screen and keypad to shield customers from shoulder surfing ("Diebold Launches
First-of-Its-Kind, Consumer ATM Security Web Site", 2005).

Banks and financial institutions’ customers and assets protections

The objective of this protection is to guard customers from being attacked when they are doing their
transactions via ATM in inbound and outbound where the ATM is not located inside the bank office. These are
some of the good techniques that being used:

1. Installing consumer awareness mirrors to allow customer to watch out their backs and surrounding
2. Installing various lighting and spotlight options in certain places such as the cash machine and nearby
car park where the suspicious person can be hidden (Diebold, n.d.).
3. Installing video surveillance around the premises ("Diebold Launches First-of-Its-Kind, Consumer
ATM Security Web Site", 2005).
4. Poster or secured warning sign should be posted around the ATM machine to warn people from all the
5. Designing a rounded fascia around the slot machine to obstruct skimmer not to affix the card skimming
equipment easily (Diebold, n.d.).

The concept of Lobby or Vestibule Banking (Slater, 1991) seems to be the best way for crime deterrence.
Many places where ATMs have been located within banks doorway or close to kiosks protecting ATMs
machine and customers’ lives while withdrawals are being processed by installing a protective glass around the
existing dispenser can reduce the cash and card robbery (Slater, 1991).Intensively, controlling the access area
with the customer’s ATM card and PIN can increase customer confidence.

Biometrics protection

The issue of biometric protections has been discussed continuously. It is one of the effective security methods
which have been used in worldwide. (Shah, 2001) mentioned about the idea of biometrics that:

“Imagine walking into an ATM without having to worry about remembering passwords and other
verification processes. A situation where you are your own password and mode of access where your
fingerprints, skin texture, retina pattern or face give you access to your account and let you withdraw
money. This is the power of biometrics in financial transactions.”
The concept of biometrics countermeasure is about body identification in which it is becoming very common in
security measures. However, ATM security system is not obvious to be seen as such as India (Shah, 2001)
where biometric has been applied in used. In addition, biometric security methods are becoming useful to
present authorization acts of users. It represents a real identity check from a person by using a part of the
physical or behavioral to verify a person for accessibility. Biometric can be divided into physiometric and
behavioral techniques (Hendry, 2001) as it is shown in the table below:

Biometrical Types Biometrical Acts Identical Acts Analytical Awareness

Behavioral Signature The relative speed and It depends on the writing surface, the
verification the pressured used are environment, mood of the users and
drawn. writing tools.

Behavioral Keystroke dynamics Skill typists The diversity of keyboard and software
used might lead an error.

Behavioral Voice Recognition Multilevel voice False rejection can happen with the
checking such as tone, unusual background, cold, and mood of
pitch, and cadence the users.

Physiometric Hand Geometry It captures the pattern Injury, Aging, out of date device can
of palm lines on the affect the measurement.

Physiometric Iris Scan It measures the flecks in The used of Iris scan should be
the iris of the eye. concerned for those in wheelchair and
short body.

Physiometric Retina Scan It estimates the Eye disease can destroy the gene or
characteristic blood tissues which is impact to the accuracy
vessel patterns on the of the retina scan measurement.
retina with a lower-
power infrared laser
and camera.

Physiometric Finger/Thumbprint It captures the minutiae The difficult analysis can be found in
of the fingerprint. those who have heavy smoking
addictive, and work in some trade
related to the heavy hand used.

Furthermore, the modern technology can create new security measurements to detect and monitor card users’
activities such as anti-fraud software to monitor all spending card and money activities and track the unusual
transaction even though the card has been using from one region the another distant country (Richard, n.d.).

Customer Defensive Acts
Customer defensive acts are low-tech methods to secure person from being fraud by ATM machine. There are
many certain and simple ways to apply:

1. Cautions and vigilance should be taken when using the cards. If there are suspicious things with the machine,
customer must contact the bank and report the issue or ask why the changes with the machine were made
(Richard, n.d.).
2. PIN entry should be shielded from prying eyes. Customers should be aware when they key the PIN numbers
by standing close to the ATM. Covering PIN keypad and ensuring that the keypad is been blocked from surfing
shoulder behind (North East Fraud Forum, n.d.).
3. The environment around should be cleared. Try to avoid using ATM when people stay close to the machine.
Ask them to move aside politely if it is possible or find another ATM somewhere else (Mikkelson, 2006).
4. Using ATMs in secluded areas should be prohibited. It is safer for customers to have friends beside if it is
5. Helpful stranger should beware. Do not trust anyone offering a help especially when the card is stuck inside.
Report to the bank and deactivate the card as soon as possible (Mikkelson, 2006).
6. Distantly safety and reported phone call should behave while the card is stuck and the card should not be
removed as it can use as an evidence (An Garda Síochána - Ireland's National Police Service, n.d.)
7. Expensive jewelry and valuable things should not be carried ("Diebold Launches First-of-Its-Kind, Consumer
ATM Security Web Site", 2005).
8. Counting the money should perform when it is safe to do so ("Diebold Launches First-of-Its-Kind, Consumer
ATM Security Web Site", 2005).
9. Writing the PIN on the card or in the wallet should be prohibited. It would be better if the PIN has been
memorized as soon as possible (Pentagon Federal Credit Union, 2007).
10. Creating the PIN should be considered thoroughly. Date of birth, social security number, telephone number,
account number, street address are all unsafe to use as a PIN (Pentagon Federal Credit Union, 2007).
11. The ATM receipts should not be left at the machine and in the nearby rubbish. Attackers might use the
receipt for their own benefit.
12. Reviewing the statement balance should be performed regularly to ensure that everything is accurate
(Pentagon Federal Credit Union, 2007).
13. Deactivated the card as soon as it is stolen should be executed as well as destroyed the old card when the
new card is available.


The used of ATM is very widely and convenient to users. People use ATM to varieties purposes, but mainly in
withdrawal. On the other hand, ATM can bring the serious problems back to the users. When ATM card is
becoming popular used, it could be the most targeted attack from the criminals. Skimmers use the advantage of
ATM device to gain their own benefit in abusive ways. The techniques are more sophisticated and more
intensive as the growth of technology supports those to attack the targets with the smart skimming devices.
However, the simple method is still being used to rip off the victims. Therefore, banks and financial institutions
are developing the software and security methods to detect, deter, and delay skimmers as well as protecting
their properties, reputation and customers. At the same time, customers should beware and protecting
themselves from the risks before it will be too late to perform.


An Garda Síochána - Ireland's National Police Service. (n.d.). Crime Prevention Advice -
ATM (Cash Machine) Fraud. Retrieved September 29, 2007, from

ATM Camera. (n.d.). Retrieved October 4, 2007, from

ATM Scam. (2006). Bank ATMs converted to steal bank customer IDs Retrieved September
28, 2007, from

Bidwell, T. (2002). Hack Proofing Your Identity In the Information Age. Rockland, MA:
Syngress Publishing, Inc.

Cato, J. (2007). 2 illegals indicted in ATM fraud in Western Pa. Knight Ridder Tribune
Business News, 1.
Cottrell, K. (2007). Legislators move to protect ATM users // Bill will criminalize possession
of velcro 'traps' used in ID theft scheme. The Business Press, 7.

Diebold. (n.d.). White Paper: ATM Fraud and Security. Retrieved October 6, 2007, from

Diebold Launches First-of-Its-Kind, Consumer ATM Security Web Site. (2005). PR
Newswire, 1.

Hendry, M. (2001). Smart Card Security and Applications Second Edition. Norwood, MA:
ArtechHouse, Inc.

Kitten, T. (2007). Contactless and the ATM?. Retrieved September 29, 2007, from

Mckinnon, J. M. (2007). Bank card data stolen in Sylvania Township: 'Skimmers' at 2 ATMs
used digital devices to glean info. Knight Ridder Tribune Business News, 1.

Mikkelson, B. (2006). Lebanese Loop. Retrieved October 3, 2007, from

North East Fraud Forum. (n.d.). ATM Advice - How to protect your card details. Retrieved
October 4, 2007, from

Pentagon Federal Credit Union. (2007). Preventing Fraud: Automated Teller Machine (ATM)
Fraud Protection Retrieved October 7, 2007, from

Richard, C. (n.d.). Guard Your Card: ATM Grows More Sophisticated. Retrieved October 4,
2007, from

Shah, K. (2001). ATM banking without a PIN. Retrieved September 30, 2007, from

Slater, K. (1991). Information Security In Financial Services. New York: Stockton Press.
The Model Criminal Code Officers' Committee. (February 2006). Final Report:
Model Criminal Code Chapter3 Credit Card Skimming Offences: Commonwealth of

Nattakant Utakrit ©2007. The author/s assign Edith Cowan University a non-exclusive license to use this
document for personal use provided that the article is used in full and this copyright statement is reproduced.
Such documents may be published on the World Wide Web, CD-ROM, in printed form, and on mirror sites on
the World Wide Web. The authors also grant a non-exclusive license to ECU to publish this document in full in
the Conference Proceedings. Any other usage is prohibited without the express permission of the authors.