UPDATE: Since writing this piece, I've learned my AMEX card, which wasn't used in the skimmer, was cloned and used to buy $300 of maternity clothing in Philly the next day. No good deed goes unpunished!
UPDATE2: Revised the incorrect absolutism "none of those" with "few of those" below.
It was Sunday night, on my way to a show, when I stopped at my neighborhood bank to get some money. You know the routine: take out wallet, remove ATM card, swipe it through the card-reader on the door, then enter the vestibule. Except this time, something caught my attention as I slid my card into the reader: it seemed too large and freshly painted. My Spider-sense told me, "this isn't right." I pulled my card out, the device split apart and fell to the ground. I'd found my first 'skimmer'.
'Skimming' is a form of identity theft in which the information encoded in the magnetic stripe of a bank card is surreptitiously captured for re-use by others. Skimmers are the phony card readers used to do this, and they come in a variety of shapes and sizes. Skimming is illegal, the people who do it are crooks, and law enforcement have been hard at work capturing them in the Seattle area. Years ago a very polite but firm agent from my bank called to inquire if I had meant to purchase 3 Sony televisions in Lahore, Pakistan the previous day. "Where is your credit card now, sir?" he asked. "I'm sitting on it..." I replied. Turns out I'd been skimmed at a restaurant the night before. Card cancelled, new card issued.
This time, the skimmer was paired with a phony convex security mirror concealing a small video camera. The mirror and camera were adhered with glue to the top of the frame around the ATM machine. The skimmer captures your card information, the hidden camera records you entering your PIN number. Put the two together and in a few hours thieves could collect dozens of usable details to clone onto cards or sell. Using a similar technique thieves stole $400,00 in just two months from Eastside banks.
When I inspected this device it was clear it had been stuck to the authentic card reader with tape (the gray squares in the photo). It had a green light on, a battery, and the card-reading components. I don't know enough to tell whether it was storing card data locally or transmitting it in real-time via Bluetooth. I assumed it held card details belonging to me and my neighbors and shouldn't be left sitting on the ground to be collected. Skimming and other forms of 'electronic crime' have grown so prevalent the Secret Service operates an Electronic Crimes Task Force spanning 25 cities across the US. The Seattle office of this task force might even be in my neighborhood. So my first priority was to secure the skimmer with law enforcement or the bank. It was harder than I expected to do so:
- I called 911 and was told "If you can't hang around until an officer arrives, that's ok." And leave the skimmer? No way.
- I called the Chase Bank Customer Service number posted on the bank door, but couldn't bypass the automated system without an account number
- I entered bogus account numbers into Chase's automated telephone system just to get a live person on the phone
- I asked the CHASE representative if they could respond locally after hours, but all he could do was record the call and pass it along
- I waited 30-minutes for Police, then picked up both parts using my shirt-sleeve and took them home
- I called the Seattle branch of the Secret Service's Electronic Crimes Task Force, but the number was disconnected
- I emailed the Seattle branch of the Secret Service's Electronic Crimes Task Force, but my email bounced back as undeliverable
- I called the Secret Service in Seattle directly and asked for the local special agent on the ECTF (he appears in the press a lot on this very issue)
- After getting routed to another agent instead, I left a voice-mail message, but got no reply
- I tweeted a photo of it to @SeattlePD asking that their detective on the ECTF contact me, but got no reply
I finally called 911 again on Monday morning, and asked that an officer come to my house. When he arrived, we walked across the street and met the bank manager. She indicated all she'd do is turn the device over to the officer. But before we could do that, he got another call and ran out. While humorous at the time, I have to appreciate that officers on duty are interrupt-based. Any new emergency could trump whatever they are doing in the moment. He called back later, confirmed he had the device, took my details and that was that.
While there's several good ideas online for how consumers should handle card fraud generally, few of those help in the moment. So if you find a skimmer in the wild, here's my advice. First, physically inspect every device before swiping your card. Check that the reader is secure, and not a glued-on/taped-on decoy. If it is phony, then:
- Look around you - Determine if your surroundings are safe enough for you to stay in the area a bit longer (some thieves might linger nearby)
- Call 911 immediately - ask if there's an Electronic Crime detective or officer they can send over
- Notify the bank - alert them to the device's presence, and make sure they remove it, turn off the ATMs, or otherwise block it's further use
- Tweet it - One neighbor who'd used this ATM the previous hour saw my photo of the skimmer online and cancelled his card right away
- Turn it in ASAP - If law and bank officials can't respond immediately (like on a Sunday night), secure the device yourself (use gloves or put it in a bag) and deliver it to your local precinct. Or call 911 and await their arrival in the comfort of your own home (instead of out at the bank at night).
Obviously, if you don't feel comfortable remaining in the area or taking it home with you, you should still call 911, notify the bank, and report it via social media. Banks themselves could streamline this process. Chase Bank offers an unhelpful 9 different phone numbers to call to report fraud. A phone-number to a live corporate security agent posted on the door would have been more comforting.
Stay sharp, and bank safe!