ATM Capers

An insider's automated teller machine scam allegedly netted him more than $200,000 and could land him a five-year prison sentence.

Rodney Reed Caverly, 37, of Charlotte, had been a Bank of America Corp. technology employee since 2007. He is accused of using that access to load malicious software onto several ATMs to enable them to dispense cash without making a record of the transaction, reported in its "Threat Level" blog Monday. Prosecutors said the scheme went on for seven months, until October 2009, when Caverly was charged with one count of computer fraud.

Beyond these broad details, court records did not spell out how the malicious software tricked the ATMs and was able to go undetected for so long, the article said. Ultimately the scheme was discovered by an internal investigation at B of A.

Caverly has agreed to plead guilty, and the text of the plea agreement estimates the fraudulent withdrawals at $200,000 to $400,000. It has not been reported whether any of the cash was recovered, but Caverly could face up to $250,000 in fines and five years in prison, reported.

Caverly had a history of tech expertise in the banking world before joining Bank of America, the article said. He founded Sovidian LLC, a North Carolina software firm that served the financial services industry until 2004. Aside from a remaining investment in the firm, Caverly has "very little involvement" with Sovidian today, the company told 

Stealing the ATM itself is a growing trend in ATM crime.

"Just as customers skip waiting in line for a teller in favor of hitting up the ATM, bank robbers are doing the same … they're taking the entire machine," New York's Daily News reported April 8.

It's not an easy crime to commit — sometimes it even takes a forklift to remove the machines, which is why many such thefts take place near construction sites, the article said. Other thieves ram ATMs with trucks to dislodge them, or drag them away with a chain.

Four years ago, there were 120 whole-machine ATM thefts in the entire United States; two years ago there were more than 120 just in Texas, the article said (it did not provide national figures).

One reason for the cumbersome caper's popularity: the profits are big and the consequences small. In one incident last year a single stolen ATM yielded $96,000. Courts consider ATM theft a lesser crime than a bank holdup, the article said.

What's the best way to spot a skimming device on an ATM? Not, according to Australian police, by looking at the ATM itself.

"The reality is the sophistication of the devices being used in card skimming around the world these days are such that you may not know … what to look for," Detective Acting Chief Superintendent Peter Crawford told the Australian Associated Press for an April 7 article.

The better place to look is at transaction records to detect when card data has been misused. "Keep a very close eye on your bank accounts," Crawford said.

Not a Fan

Scammers are exploiting the popularity of gift cards by using them as bait to dupe Facebook users into handing out enough personal information to enable identity theft.

Nearly 40,000 users of Facebook Inc.'s social networking site were lured last week by a promise of a $1,000 Ikea gift card advertised online, according to an article Computerworld ran Friday. Victims were instructed to "become a fan" of the gift card page — Facebook lingo for agreeing to receive updates from the fan page's sponsor. By midday the page was getting 5,000 fans an hour, the article said.

The promised gift card, of course, did not exist.

The fan page instructed users to fill out a form with sensitive information such as names, addresses, and birth dates at a separate Web site. They were also instructed to sign up for various services, as part of the scammers' short-term bid for referral revenue from legitimate service providers.

Audri Lanford, a co-founder of the Web site Scambusters, said in the article that beyond the referral scheme, the gift card scammers could use the information they received to commit identity theft or take over victims' computers. Facebook said gift card scams are a small problem today. The company is also trying to combat them by developing a system to take down such fan pages.

Safer Ride

The contactless Oyster card, which is used for transit fare in London, is getting a security upgrade.

The improvement addresses a vulnerability revealed two years ago, the Web site ContactlessNews reported April 6.

The flaw is present in NXP Semiconductors' MIFARE Classic cards, which are issued by Transport for London, the agency that manages the city's public transit system. The agency began issuing new cards last year that use NXP's DESFire technology, which has improved encryption.

Transit riders do not need to do anything; the new cards are being distributed as people replace or add funds to their current cards, the article said.

Customer Disservice

Scammers reportedly gave a town employee a bogus customer service number to call as a stalling tactic while they stole nearly $100,000 from the municipality's bank account.

On March 11 an employee of the Village of Summit, Ill., attempted to log in to the town's account at Bridgeview Bank but was redirected to a Web page explaining technical difficulties and providing a number to call, Brian Krebs wrote in his "Krebs on Security" blog April 6.

"What she couldn't have known was that the thieves were stalling her so that they could use the credentials she'd supplied to create their own interactive session with the town's bank account," Krebs wrote.

The employee attempted to call the provided number, but found it connected to a residence instead of the bank. She called the bank directly but was told there were no Web site difficulties.

The next day the bank notified the town that someone had initiated a $30,000 wire, which the bank was able to reverse, and $70,000 in automated clearing house transactions, which have not been reversed. The bank did not provide comment for Krebs' article.

Security Watch is a weekly roundup of news and developments in data security and their impact on financial services companies.