On Saturday night I was doing the usual accounts and bill paying activity when I called up my checking account online. Sitting at the top was an ATM withdrawal for $502 from a Bank Of America ATM in Auburn.

Chills start to creep down my spine.

I continue looking.

There's another from Renton; another from Bothell; another from Seattle; etc… In total there were seven withdrawals, all from Bank Of America and all for $502.


I called the card issuer and had the card cancelled. Then I started my research.

Since forever I've preferred using debit cards over credit cards as I don't have a bill to forget to pay and incur credit charges. I also thought that it's more secure. Anyone can capture my credit card data and fake my signature. A PIN based transaction has to be more secure, right? It's worked fine for me up until now.

The key piece I've missed is that, of course, VISA will protect you against fraudulent use (OK, so you pay the first $50). Well, in the case of fraudulent debit/ATM activity the bank is under no obligation to refund the charges. I'm assuming that most would though, as otherwise you'd have a bunch of very pissed off customers. Handily, my bank is one of the good ones.

So, how did they get my PIN?

I'm guessing that one of the few places that I actually perform PIN based transactions has screwed me.

I use it at maybe three places. I local convenience store and local supermarkets. One of them had to have a fake PIN pad that was capturing data.

Or maybe not.

Maybe some idiotic system at some company was capturing my PIN in violation of network agreements and then had a security screwup.

I may never know.

And why Bank Of America? I'm not with that bank - hence the $502. They obviously requested $500 and incurred a $2 transaction fee. Is Bank Of America an easy mark for ATM fraud?

And why didn't the super annoying AI speak up? You know, the AI that runs on all transactions to spot inconsistent activity and stops you from purchasing that last minute gift for your wife's birthday?

I have never taken anywhere close to $500 out of an ATM, let alone once a day for almost a week!

Anyhow, what I do want is for the assholes that nicked my hard earned moolah to be caught. In my shiny rose-tinted world, as soon as I reported the fraudulent activity, the ATM network would spring into action and when the aforementioned perps tried to use it again (probably yesterday as they'd be using it once a day since last week), the ATM would fire it's camera; ask them questions slowly; call plod and have the perps arrested by the time the card got spat back out.

Somehow I doubt it though.

On Sunday morning I visited the local plod to report the crime and get a case number for my bank, who I visited this morning. The nice policeman said that the ATM fraud rate has recently skyrocketed in this area.

Handily, the bank took the details and printed me a new ATM card with a new number there on the spot and said that the charges would be refunded within two or three days. When I asked them why the super annoying AI didn't catch this obviously bogus activity I was informed that it doesn't run for PIN based transactions! It only runs for signature based transactions!


So, the key takeaway is to avoid using your PIN at all costs - go the VISA route and sign for your transaction, that way the super annoying AI will run and maybe save your ass.

Update: Props to my bank First Technology. They credited my account with the full amount of the fraud the day after I reported it.