You are viewing this article in the AnnArbor.com archives. For the latest breaking news and updates in Ann Arbor and the surrounding area, see MLive.com/ann-arbor
Posted on Mon, Jun 7, 2010 : 11:18 a.m.

Police say 'skimming devices' placed on ATMs in Ypsilanti Township, Ann Arbor to access bank account information

By Art Aisner

The Washtenaw County Sheriff’s Department is seeking the public’s help to identify a man who recently placed a skimming device on an Ypsilanti Township ATM to steal from customers' accounts.

Authorities said the man placed the device, which captures and records ATM card numbers from unsuspecting customers, at the drive-up ATM of the Bank of America branch at 2250 W. Michigan Ave. on May 30.

skimming_suspect.jpg

Police are attempting to identify this man.

Photo courtesy of the Washtenaw County Sheriff's Department

Bank employees discovered and removed it before any losses were reported. But police want to prevent the man from attempting it again at that or other branches.

“It’s early in an ongoing investigation, and we want to have this man identified even though our understanding was the device was caught shortly after it was put on the machine,” Sheriff's Lt. Mike Trester said.

The man is white with dark hair and appears to be in his early 20s. He was driving a dark-colored Chrysler mini-van.

Saline police said they're investigating a similar case where a skimming device placed on an Ann Arbor ATM siphoned roughly $500 from a woman's accounts last week. KeyBank officials said at least 90 customers reported irregularities on their accounts after using the machine at the West Stadium Boulevard location last week, reports said.

Investigators are waiting for bank surveillance photos to help identify a suspect. No descriptions were available, and it's unclear whether that incident is related to the Ypsilanti Township case.

Sheriff’s Detective Kevin Parviz said it’s generally difficult for ATM users to tell whether a skimmer is in place.

“The quality of work differs from one suspect to another,” he said. “I’ve seen ATM skimmers that are indistinguishable from the ATM, and I have seen the ones that are obviously not part of the ATM.”

He recommended customers do quick checks for differences in materials and colors at the card reader and be wary of excess protrusions.

Anyone with information is asked to call the sheriff’s department tip-line at 734-973-7711.

Art Aisner is a freelance writer for AnnArbor.com. Reach the news desk at news@annarbor.com or 734-623-2530.

Comments

Maggie Ladd

Mon, Jun 21, 2010 : 12:05 p.m.

My account was skimmed recently. I only ever use two ATM's one near work and one near my home. I have to say that PNC bank replaced every penny within a few days, and that the staff at the South U branch couldn't have been more helpful. My advice would be keep close tabs on your bank balance, it helps to identify problems quickly.

Warren

Wed, Jun 16, 2010 : 11:59 a.m.

If my bank sent me an e-mail notice for each withdrawal, I could catch any error within 12-24 hours. Any takers?

Anne

Tue, Jun 15, 2010 : 11:16 a.m.

Brian Krebs, formerly of The Washington Post, has written a number of stories lately about ATM skimmers, each of which includes some pretty revealing and scary pictures of real-life skimmers, both for sale in the criminal underground, and found on real ATMs. http://krebsonsecurity.com/?s=atm+skimmer&x=0&y=0

M.

Wed, Jun 9, 2010 : 5:40 p.m.

snapshot - It might not. The back of your card should have a toll free number to call for customer service. If not, call your bank. Either way you should be asking your bank about your ATM troubles *AS SOON AS POSSIBLE*.

snapshot

Tue, Jun 8, 2010 : 5:43 p.m.

I've had trouble with the ATM taking my card and never had aa unauthorized withdrawel. What does having trouble with your card have to do with a "skimmer"?

Stephen Lange Ranzini

Tue, Jun 8, 2010 : 10:17 a.m.

@dug If you contact me via email at ranzini@university-bank.com, I'll be happy to outline to you the challenges to implementing your excellent idea to implement two factor authentication at ATMs. For everyone else, yes, it is more dangerous to use your ATM/Debit card in routine transactions rather than a credit card because the VISA/MASTERCARD/AMEX/DISCOVER card association rules protect consumers from losses due to fraud on credit cards more than debit cards. Reimbursement for losses on debit card losses is only done if the bank is notified within 30 days (per Reg E) and after that, it is up to the policies of individual banks. Some do, some don't. Some do under certain circumstances. You get the idea. Philosophically, I think it's a shame we as a society have rules that encourage credit card use instead of debit card use, but I don't make the rules. The Federal Reserve (which governs Reg E for debit cards) and the card associations do (which govern credit cards).

Dave66

Tue, Jun 8, 2010 : 6:54 a.m.

It would be nice if the article had a description of a skimming device. Description, photo, link to another article somewhere. Other readers have helpfully mentioned Google (an obvious choice, of course) but it seems to me that that sort of information could reasonably be part of this article.

Gorc

Tue, Jun 8, 2010 : 6:34 a.m.

@Dug Song...yes, you must report it as soon as possible. The depositor has a 30 day time window from the time their bank statement is generated to report any unauthorized transactions (in writing and typically in the form of a Reg. E claim). And then the clock starts to tick for the bank to finalize their investigation. My point was the FDIC does not reimburse the bank for this type of loss. Loss of this nature are a business expense for the bank.

Dug Song

Tue, Jun 8, 2010 : 3:58 a.m.

@Gorc, @Freemind42 - See the Reg E limits ($50, $500, etc.) here: http://www.fdic.gov/regulations/laws/rules/6500-3100.html#fdic6500205.6 Basically, you need to report the fraud as soon as possible. @Technojunkie - the FFIEC guidelines for multifactor auth to protect online banking were issued in 2005, and the vast majority of banks are still noncompliant, while online games like World of Warcraft offer better security via $6 tokens ( http://us.blizzard.com/support/article.xml?locale=en_US&articleId=24660 ). Standard one-time password tokens are vulnerable to man-in-the-middle phishing attacks, or session-hijacking man-in-the-browser attacks that simply inject themselves into your session *after* you've authenticated. You have to go out of band to authenticate the transaction, not just the session, e.g. faxback or callback verification for wire transfers, etc. or some of the stuff we're doing as a digital analog (heh) of that...

Gorc

Mon, Jun 7, 2010 : 7:03 p.m.

@Freedmind42 - The FDIC does not cover losses of this nature. The consumer is protected under federal banking regulation called Reg. E. The bank eats this one as an expense.

Bill

Mon, Jun 7, 2010 : 4:10 p.m.

I was hit by the W. Stadium KeyBank ATM. My bank called me saying someone tried three times to guess my PIN before putting a block on my card. That's the only, (literally only,) ATM I use so I'm aware of what the reader looks like. Either, I got lazy or this skimmer looked exactly like the real reader. I can only assume my patented thumb-under-palm PIN entry technique saved me from a real mess.

Technojunkie

Mon, Jun 7, 2010 : 3:19 p.m.

Comerica limits you to taking $100 cash from a deposited check when you use an ATM. You have to use a teller if you need more. Now I understand why: using a forged ATM card and skimmed credentials a crook could "deposit" a fake check and withdraw money without the risk of overdrawing the account. I don't know how quickly a fake check would be noticed. If there's enough cash already in the account to cover the withdrawal this won't help much though. The FDIC was working on two-factor authentication using those number-generating key fobs but it apparently didn't go anywhere. I'm guessing that the additional security was undermined by people rejecting the added complexity. I'm not sure that American cell phone networks are reliable enough to use text messaging for the second factor, that and our cell phone providers charge rip-off prices for text messages if you don't have a high enough service tier. I can see where it'd be a great solution in other countries though.

Shankar

Mon, Jun 7, 2010 : 2:57 p.m.

Qfreemind.. Good to know that.. You freed my mind of some worry!

Freemind42

Mon, Jun 7, 2010 : 2:48 p.m.

@shankar, read my previous post. As a matter of fact if you use your debit card the FDIC will refund your stolen money. It's just like if someone held up a bank and emptied the vaults. All the people who have accounts there wouldn't lose their money, the federal government insures it.

Shankar

Mon, Jun 7, 2010 : 2:43 p.m.

One of my employees had his ATM skimmed in a gas station. They then charged 10 cents here and there, 5 dollars next and then went for a $500 charge when the bank caught on.. They told him not to use ATM cards for gas purchases and use credit cards. Makes sense since credit cards hold us responsible for only a small $50 if there is a fraudulent charges. There is no such thing with ATM cards, even if thye carry the Visa or MC logo.

Anonymous Due to Bigotry

Mon, Jun 7, 2010 : 2:18 p.m.

The other thing you can do is try to use ATMs at actual bank branches whenever possible. Bank employees tend to check these more frequently than isolated ATMs so any installed skimmer is more likely to get removed quickly. My previous bank (National City) used to have an email alerting service as part of online banking that would send you an email any time a withdrawal was made over some amount. I think they'd also send text messages. This was great for spotting unauthorized withdrawals right away, but my current bank (TCF) doesn't offer this alerting service :( Hopefully more banks will start offering that and also promote it's use. (Most people probably don't notice whether or not their bank offers that alerting type.) Anyone who has looked at some of the photos of skimmers can tell that some of them are ultra-thin and very hard to spot unless you're looking carefully and know what to look for.

Freemind42

Mon, Jun 7, 2010 : 1:47 p.m.

I was hit by one of these last year. The person took out $300 twice from my account from some ATM in Louisiana. Then they filled up the gas tank for over $60 twice as well. Thankfully my bank called me because of the suspicious withdrawals and temporarily froze the card. They gave me back all of my missing money as well. Thank you FDIC.

LaMusica

Mon, Jun 7, 2010 : 1:46 p.m.

Thank you for posting this! Skimming is quickly growing and can do huge damage to your bank account, which often takes a LONG time to clear up/get your money returned (if it ever is). If you ever have trouble getting your card in the slot be careful! If it feels like the card gets "stuck" don't use the ATM...better safe than sorry (and if you DO think it's been tampered with, PLEASE alert the bank)!

bedrog

Mon, Jun 7, 2010 : 1:12 p.m.

a useful thread...with everyone on point( or at least non-snarky). thanks for all the assorted info and images.

Macabre Sunset

Mon, Jun 7, 2010 : 1:01 p.m.

Or, for that matter, those of us who don't use a cell phone.

Dug Song

Mon, Jun 7, 2010 : 12:41 p.m.

Pre-authorized amounts. Like a traveller's check, with marginally less hassle.;-)

Rex Roof

Mon, Jun 7, 2010 : 12:23 p.m.

Dug, mobile phone verification sounds interesting, but what do you do in the case where your fancy smartphone's battery is dead because you've been traveling?

Dug Song

Mon, Jun 7, 2010 : 11:32 a.m.

These devices are difficult to detect - more examples here: http://krebsonsecurity.com/2010/02/atm-skimmers-part-ii/ It's best to use a single ATM you'll notice any changes to, and to always cover your PIN entry with your other hand to prevent illicit recording (although this doesn't thwart keypad overlays). My company, Scio Security, has a solution to this that involves transaction verification using your mobile phone - we'd love to work with a local bank to implement a trial here (most of our customers are out of state). Withdrawal limits typically limit the damage to any given account, but in aggregate, such attacks can be really hard on small issuing banks (we've talked to some that have had to debit-block entire cities). As the economy gets worse, we're going to see a lot more of these skimming and ATM reprogramming attacks. They're not nearly as damaging, however, as what's happening with crimeware-based ACH and wire fraud targeting online commercial accounts. Business accounts should only be accessed using a PC dedicated only to online banking (no e-mail, no other web), as the ABA and FBI have warned: http://www.upi.com/Top_News/US/2010/01/01/Businesses-warned-about-online-banking/UPI-81761262329630/ If you see job postings for work-from-home "financial agents" or "financial managers" that sound too good to be true, that's because they are. Don't fall for a money mule scam! http://www.fdic.gov/news/news/specialalert/2009/sa09185.html Stay safe, everybody.

djm12652

Mon, Jun 7, 2010 : 11:28 a.m.

Are all parties involved, 100% positive the photo above is of the "suspect" perp? It amazes me that annarbor.com rarely shows mug shots of arrested and charged alleged perps, but showed this photo of a "suspected" perp.

a2friend

Mon, Jun 7, 2010 : 10:58 a.m.

Scary stuff- if only these criminals used their efforts for something good they might actually make something out of their lives!

EngineeringMom

Mon, Jun 7, 2010 : 10:43 a.m.

Can you tell us what KeyBank ATM was involved?

glimmertwin

Mon, Jun 7, 2010 : 10:36 a.m.

Google skimmer device under the images section and you can see a variety of configurations.

joemoe

Mon, Jun 7, 2010 : 10:27 a.m.

Could you possibly show a picture of a 'skimming device' so we can protect ourselves when using an ATM?

Registration on or use of this site constitutes acceptance of our User Agreement and Privacy Policy

© 2013 MLive Media Group All rights reserved (About Us). The material on this site may not be reproduced, distributed, transmitted, cached or otherwise used, except with the prior written permission of MLive Media Group