The Cash-Machine Capers

Forcing open cash machines is risky work. Those who try with a car must smash into the hunk of steel driving at least 40kph for a shot at success—and ATMs often withstand even faster charges, says Travis Yates, head driving trainer at the Tulsa Police Department in Oklahoma. Some thieves drag dislodged machines away to open with a blowtorch, but that's hardly any more discreet than ram raids. And many new ATMs release a blast of ink when jarred, ruining the cash inside. Increasingly, the machines are placed behind heavy metal barriers or inside shops, or both, to thwart attacks. If you're an old-school ATM thief, "you're more than likely going to end up disappointed," says Yates.

Still, theft from ATMs is up—it leapt to €468 million in Europe last year, an increase of €131 million over 2006, according to a new report by the Edinburgh-based nonprofit European ATM Security Team. Thieves are using new electronic tricks to steal data from ATM cards, often with electronic spying equipment that can be store-bought for as little as $100, says Randy Vanderhoof, head of the Princeton Junction, New Jersey-based Smart Card Alliance, an industry group promoting safe electronic transactions. The cheap gizmos are also being used to capture credit- and debit-card details while consumers pay at shops and restaurants. Preventing electronic theft "is a lot more difficult" than stopping physical attacks, Vanderhoof says.

One particularly devious device, called a "skimmer,'' has a slot that reads the magnetic strip. When no one is looking, thieves fit the skimmer over the real card slot so it can copy ATM-card data, which is later used to duplicate cards. Customers sometimes notice skimmers protrude from ATM façades, so some thieves now install false façades. One former ATM thief, interviewed by NEWSWEEK in Paris, says his team built a fake aluminum ATM façade in a machinist shop and placed it over an ATM in Bonifacio, on the French island of Corsica. "A Wi-Fi camera captured the PINs,'' said the thief, who requested anonymity because he broke the law. "I was in a hotel across the street recording the video.'' (The façade's glue eventually came undone on a sweltering afternoon; he quit the gang, spooked by an ultimately unsuccessful police investigation.)

Bogus façades account for more than half of all ATM skimming operations that have been discovered in Britain. They're surprisingly realistic, says Jemma Smith, spokeswoman for the London-based Association of Payment Clearing Services, an industry group. "You should see some of the kit that the police have recovered.'' Some façades hide mechanisms that snatch bank notes; users see only a fake and forever-empty cash tray. Old ATMs are sometimes converted to record PINs and capture cards.

In shops, cashiers can swipe the cards of distracted customers through under-the-counter skimmers and record PINs with fake security cameras. Financial institutions are responding to this new threat by issuing nonswipe "contactless'' cards with microprocessor chips that communicate wirelessly with card readers. In the United States, the number of contactless cards is expected to rise from 1 million in 2005 to 50 million by the end of this year, according to Gemalto, the world's largest manufacturer of the cards. As these cards reduce fraud in Britain, says Smith, thieves are moving to targets in Continental Europe, where contactless cards are less common.

If microprocessors replace magnetic strips on ATM cards theft would likely drop, because hackers have been unable to build inexpensive devices able to copy microprocessors for later duplication. But a new development is providing thieves with another way to rob ATMs—this time remotely.

Banks that once sent ATM communications over expensive closed networks have begun to use the public Internet to cut costs, relying on encryption to protect data. A South African man who has worked with ATM hackers on unrelated projects, and who spoke on condition of anonymity to avoid legal problems, says some of the most skilled hackers are shifting attention to mastering two highly sophisticated illicit encryption-cracking software programs, called Ettercap and Kismet, in a bid to extract money from Internet-based ATM networks. John Abraham, president of Redspin, a Cupertino, California-based computer-security firm specializing in ATM networks, says some of these crooks have been successful.

The increase in electronic ATM thievery is sounding a wake-up call, Abraham says. In Europe last year there were almost 5,000 ATM attacks reported to the European ATM Security Team, the organization with the most comprehensive statistics. That works out to 14.65 attacks per 1,000 ATMs, and a single attack can last for days and reap data from many cards. "This is going to be the next way to rob the bank,'' says Fabrice Marie, a principal at Singapore-based FMA-RMS, a security firm. Electronic ATM robbery is neither easy nor safe, but many, it appears, prefer it to wielding a blowtorch or driving straight into a block of steel.