'Skimmers' can loot bank card users' accounts with magnetic strip data

Joan Moore and her husband, Jim, don't use cash very often. So it's probably an understatement to say they were surprised by their December statement from Bank of New York Mellon.

"I say to my husband, 'What are all these weird withdrawals?' " Moore recalls.

"Weird," as in $400 here, $580 there -- 23 in all, over a weeklong period. All told, a thief looted about $11,000 from their account, cutting a swath across Montgomery County from Royersford to Limerick, Wayne and King of Prussia, Pa.

The Moores, retirees who live in Worcester Township, suffered more hassle than harm. Joan Moore opened her bank statement on the day it arrived and reported the unauthorized withdrawals immediately to her bank -- steps that can be crucial to limiting your liability if your ATM or debit card is lost or stolen, or even if your account is looted by other means.

Other means were plainly at issue here. Neither Joan nor Jim Moore lost possession of a bank card. Instead, they were apparently victims of a high-tech crime known as "skimming," in which thieves use sophisticated devices to steal the data encoded in a payment card's magnetic strip as it is read by a machine.

In one form or another, skimming has existed for nearly as long as credit cards have come with magnetic strips, says Robert Novy, a spokesman for the U.S. Secret Service, which investigates payment-system fraud.

ATM card skimming is more complicated, because the cards require a secret personal identification number, or PIN, to gain access to your funds. But the tools to simultaneously steal both a card's data and its owner's secret code are increasingly available -- sometimes even sold via contacts made in Internet chat rooms.

For her part, Moore raises reasonable questions about the risks she encountered, apparently just by making an ordinary withdrawal outside a suburban bank branch.

"It's their security issue, not mine," she says. "If they can't make these machines secure, why should we use them?"

Is there much you can do to avoid skimmers? Perhaps not. Still, a little knowledge about the crime can't hurt.

Moore uses a credit card for most purchases, so she was fairly confident she knew where the skimming took place. She zeroed in on her last actual withdrawal: Dec. 4 at a Citizens Bank in Audubon, three days before the looting began.

Moore's suspicions were confirmed by a Citizens Bank spokeswoman, who acknowledged that a security breach occurred at the bank but wouldn't confirm whether a skimming device was found.

"There were a handful of customers affected, and they'd all been contacted and had their funds returned," says Citizens Bank spokeswoman Sylvia Bronner. "For security reasons, we just don't want to talk about specifics."

Skimming experts say the theory of the crime is simple. The keys are designing devices that fit over the face of a cash machine without raising suspicions, and that capture both the magnetic strip data and the customer's PIN in a way that can be stored or transmitted for criminal use.

What's simple in theory is challenging in practice. Since crude skimmers at automated teller machines were first reported more than a decade ago in places such as Brazil, they have become increasingly sophisticated, according to experts such as Brian Krebs, an investigative journalist who runs the website KrebsOnSecurity.com and has communicated online with people who claim to sell skimming devices.

"The price goes up as the complexity increases," Krebs says. Some skimmers store data until an installer returns, but "with the state-of-the-art stuff, you get the stolen data by text message."

Some skimmers include overlay membranes that capture PINs as you punch them. Others rely on pinhole cameras that record your finger strokes. Either way, time stamps link the PIN to the magnetic strip data.

So how can consumers limit their exposure? Look closely for signs of tampering when using an ATM -- and watch your balance.
