Stolen debit card used at ATM... how?
April 5, 2015 12:54 PM   Subscribe

I lost my debit card in a crowded bar/concert venue and someone used it to withdraw cash from an ATM twice. How were they able to do this? I can't think of a scenario where they could have figured out my PIN.

A few weeks ago, I was at a concert with my fiance. He got up to go get us another drink at the bar, and in the spirit of being nice since he had bought us the last couple rounds, I handed him my debit card to go pay for our drinks with. Unfortunately, at some point between then and when we left, he lost his wallet. He didn't realize until the next morning that he hadn't made it home with the wallet, so we don't know exactly the circumstances of what happened, but it was a dark crowded venue and it could have easily been dropped.

Upon realizing the next afternoon that my debit card had been in the stolen wallet, I logged onto my bank account to check for charges. There were two charges, one for $143 and one for $83, listed as ATM withdrawals. The name of the ATM listed on the bank statement was the name of the venue where the concert was being held. Obviously, I called and canceled the card and the bank was happy to reimburse me for the charges, so thankfully I'm not out the money. But this has been bothering me a LOT: how could someone withdraw money from an ATM using my debit card without knowing my PIN number?

Some more information:
- It's a standard bank-issued MasterCard debit card linked to a regular checking account. Nothing weird or special about it to my knowledge.

- I had not used an ATM at all and I had not made any PIN transactions at the venue. In fact, I don't think I had even used the card that day at all, and most (if not all) of the charges I had made during the preceding week were at restaurants where it got ran as a credit card and no PIN was used. This seems to rule out a situation where someone watched over my shoulder as I was entering a PIN.

- The withdrawal happened very quickly after the card was stolen. I don't remember exactly what time, but it can't have been before 11pm that I handed him the card, and the withdrawals were dated that same day, so it happened within the hour. Since it happened so late at night, this also rules out the possibility that they went to the bank, convinced someone they were me, and somehow managed to change the PIN or something.

- My bank reimburses ATM fees. The next day, before the charges had been canceled, there were two $3.00 credits to my account that were automatically issued by the bank, which is what always happens if I use an ATM. This, along with the amounts of the original charges (143 and 83, both amounts you can withdraw from an ATM plus the $3 fee) make me think this WAS actually an ATM withdrawal and not some other type of charge that got miscategorized.

Any ideas? It's one of those things that's been eating away at me for awhile now since it happened. I've extensively Googled to come up with some kind of theory as to how someone could have withdrawn cash with my phyiscal card and without a PIN, but I'm coming up blank. All of the methods I've seen involve either someone spying on you and watching you enter the PIN, or a computer-related data breach, or one of those card-info-stealing swipe machines. I realize that a debit card is just as dangerous as a credit card because tons of places don't even make you use a PIN, but I thought cash withdrawals were the one thing that was pretty much safe?

Surely someone smarter than me can figure this out!
posted by pimmscup to Work & Money (48 answers total) 13 users marked this as a favorite
Simple answer: was your pin easy to guess/common?
posted by fake at 12:58 PM on April 5, 2015 [1 favorite]

No offense, but is your PIN something really stupid like your birth year? Most people choose their birth year. If you have the same birth year (or something very close) as your husband whose ID was presumably in the wallet, bingo. I've successfully guessed people's PINs before as a party trick just by me guessing at how dumb they are. Fun fact: the smart person dumb pin is 2580.

On preview, what fake said.
posted by phunniemee at 1:01 PM on April 5, 2015 [2 favorites]

Response by poster: Nope. Not my birthdate or birth year, not a common sequence of numbers, and not something anyone would be able to guess unless they knew very specific personal details about me.
posted by pimmscup at 1:07 PM on April 5, 2015

The first two things I thought of:

- your PIN is your fiance's birthday which is on his driver's license in the missing wallet
- you have at some point in the past told your fiance the PIN in case he ever needed it in emergencies and he wrote it down on a slip of paper he keeps in his wallet

I guess your fiance could have just stolen the money and pretended to lose his wallet but that seems really bizarre and farfetched.
posted by poffin boffin at 1:09 PM on April 5, 2015

Best answer: Could it have been a Cash Advance? I'd contact the company that runs the ATM (not your bank) and ask what happens if someone tries to do a credit card cash advance with a debit card.
posted by muddgirl at 1:13 PM on April 5, 2015 [1 favorite]

Last four of your SSN which your husband keeps on a post-it in his wallet in case there's an emergency?
posted by phunniemee at 1:15 PM on April 5, 2015

did your fiance know the PIN?
posted by jayder at 1:26 PM on April 5, 2015 [1 favorite]

Does your fiance know the PIN? Maybe when he bought drinks, he ran it as debit instead of credit and someone shoulder-surfed him, then picked his pocket.
posted by ctmf at 1:27 PM on April 5, 2015 [2 favorites]

If he's paying for drinks with your debit card, presumably he knows your pin. My guess is he was shoulder surfed (ie someone behind him saw him enter the pin during his purchase) and that person either found or pick-pocketed his wallet.
posted by cgg at 1:30 PM on April 5, 2015

Response by poster: He does know my PIN, or at least I've told it to him in the past. I asked him about 10 times if he had written it down anywhere and he swore up and down that he had never written it down and it certainly was not in his wallet. (His wallet was one of those small ones that's just a couple of card pockets and a money clip, it doesn't unfold or anything, so there's not room for anything other than cards.)

I don't think there's any way he could have stolen the money -- he was only gone for a few minutes getting our drinks. Plus, you know, I trust him. (Besides, if he was going to steal money from me, I feel like he could have found a way that didn't involve having to replace his entire wallet...)

@muddgirl -- I didn't know about the Cash Advance thing. I wonder if that would work on a debit card? If so, that may be the answer! Maybe I'll send someone to try it out at that particular ATM with their debit card and see what happens. (It's in a city where I don't currently live, I was just visiting for the week.)
posted by pimmscup at 1:33 PM on April 5, 2015

Response by poster: @cgg and @ctmf -- the bar was running all cards as credit, they just handed you a receipt to sign. They didn't have a PIN keypad.
posted by pimmscup at 1:35 PM on April 5, 2015

You can definitely do a cash advance with a debit card or a credit card at most/all ATMs, I just don't know if it requires a PIN when done with a debit card.
posted by muddgirl at 1:36 PM on April 5, 2015

I don't know, I've tried to get cash out of a credit card at an ATM and it still requires a pin. If it were me I would pursue it with the bank. You have to call them anyway to report the fraud and they will want to know the answer too.
posted by bleep at 1:49 PM on April 5, 2015 [2 favorites]

Best answer: Any transaction at an ATM requires a PIN number- you can't just slide in a friend's credit card and get money! Also, I don't think the concept of a "cash advance" on a debit card even make sense- a cash advance is cash against a line of credit- a debit card withdrawals actual money you put in the bank- it's not a cash "advance," it's just your cash.

And the idea of guessing a PIN or spying it over someone's shoulder and then pickpocketing them is pretty far-fetched too. Pickpocketing isn't a very easy thing in real life, and is a very risky practice. It's usually practiced in extremely crowded tourist areas by professionals working in teams or which some other specific scheme- not in a bar where you use your eagle eyes to see someone's pin (which he never used anyway; you say he used the card as credit) and then somehow take their wallet without him knowing, and then go make small ATM withdrawals. This is seriously the worst idea for a crime ever.

This is hard to figure out, but if I had to guess, some sort of hack or cloning machine was used to make the transactions without a PIN number.
posted by drjimmy11 at 3:23 PM on April 5, 2015 [6 favorites]

There should be video on the atm. Anything of your fiance's used fraudulently?
posted by Feisty at 3:26 PM on April 5, 2015 [2 favorites]

Is there a chip in the card? There are RFID scanners that can get the info from a card.
posted by SillyShepherd at 3:30 PM on April 5, 2015 [2 favorites]

Could be they made a clone of your card with a PIN they knew or got a hold of a re-pinning machine and repinned your card. Nefarious types have no limit to what they can do it seems nowdays.
posted by fiercekitten at 4:49 PM on April 5, 2015 [1 favorite]

Response by poster: @feisty -- Yes, he had fraudulent transactions on a couple of his cards too, but they were credit cards. One might have been debit, but they were credit charges that wouldn't have required a pin. They weren't ATM withdrawals.

@sillyshepherd -- i think it does have RFID. I just looked at my new card, which is identical to the old one, and it says PayPass, which apparently is a chip now that I look that up. Hmm, who knew.
posted by pimmscup at 5:01 PM on April 5, 2015

This is puzzling to me too. Have you called and asked your bank what they think happened?
posted by radioamy at 6:43 PM on April 5, 2015 [2 favorites]

I wonder if the bar at the venue shows up as an ATM on the statements? If so, it could have been an employee accidentally running someone else's tab onto your card, or using it more nefariously to steal. Because if not, any transaction at an actual Automatic Teller Machine requires a PIN, and I'm racking my brain, and I'm sorry, the simplest explanation aside from thieves with advanced technology is your boyfriend used it/let someone else use it. (Though I do take you at your word that he is trustworthy and it seems like a lot of trouble to go through for a couple hundred bucks; I'm just saying he's the shortest path from A to B.)
posted by kapers at 6:57 PM on April 5, 2015 [1 favorite]

Even if your pin isn't easily guessable, I suppose someone could've gotten lucky. Sure, maybe the person who found your boyfriend's wallet didn't guess your pin on the first try, but what about the 20th? If they found a wallet with a debit card in it and wanted to steal money off the debit card, it would be worth their while to try a bunch of pin numbers before giving up.
posted by sunflower16 at 8:32 PM on April 5, 2015

Looking at the fiance, my question would be whether he's had any behavior in recent history that would suggest a drug or gambling problem. Or possibly a business venture or investment that's in trouble. People don't generally steal from their partners just for a lark. I can just vaguely see some potential story here of an addict who didn't have cash (even if they did have a credit card on hand, say) but did have access to their SO's debit card and decided to fake a stolen wallet so as to be able to score that night. I've had friends with addiction problems do some pretty gross stuff. I'm not saying this is 100% the case or anything! Just: it's no more far-fetched than the idea that someone just happened to be in this bar who had not-yet-widely-known ways of making ATM charges without a PIN and just happened to steal your card. So, it's worth at least thinking about.
posted by Sequence at 8:34 PM on April 5, 2015 [2 favorites]

If the old card also had PayPass, that's probably your answer. The whole point of PayPass is that you just hold the card up, it takes the money off, no PIN, no signature. It drives me nuts because I have my savings linked to my credit card and only use the one. Even though I ask to pay by savings, sometimes a "helpful" register person puts it on PayPass instead. My phone isn't allowing me to copy the link, but look up MasterCard on Wikipedia (or your financial institution) and it has the info. There are limits on how much can be paid like this which vary from country to country. Not sure whether your $ are AU, US or CA.
posted by Athanassiel at 8:52 PM on April 5, 2015

I have never seen or heard of an ATM that supports contactless payments (like PayPass). That's for payment terminals, where you'd be making a purchase from a merchant. Also I believe the limit for PayPass is $50 which rules out both of the transactions listed.
posted by primethyme at 9:02 PM on April 5, 2015 [2 favorites]

ATM skimming is actually really common. But the weird part is that they wouldn't bother to steal your card if they did this, they'd print their own and use them in, say, Europe, not at the ATM at the same venue.

I'm kinda baffled here. Your boyfriend using it and/or somebody watching him input the PIN seems to be the most likely option, but you know better than us about that. Did he hit use the PIN at all that evening?
posted by zug at 9:04 PM on April 5, 2015

There were two charges, one for $143 and one for $83, listed as ATM withdrawals. The name of the ATM listed on the bank statement was the name of the venue where the concert was being held.

the bar was running all cards as credit, they just handed you a receipt to sign. They didn't have a PIN keypad.
Someone found the wallet, and decided to settle their bar bill with your card. It just got listed as ATM withdrawal on your statement.
posted by monospace at 9:08 PM on April 5, 2015 [5 favorites]

Limit is $100 in some dollars, which are not all US. I agree that still leaves one over the PayPass limit, but could be a possibility.
posted by Athanassiel at 9:20 PM on April 5, 2015

@sunflower16 , I thought the same thing but then I've never heard of a bank allowing more than 3 incorrect attempts before freezing the account until the account holder calls in with their security verification info.

OP, how did the charges for the drinks show up on your statement--as sales or ATM withdrawals? Because that would probably rule out the bar if they showed up as sales. Were there any other vendors within the venue (t-shirt sales or something) that may have rung up incorrectly? I'd call your bank, even the venue/bar and and get as much info as possible.

But I'm inclined to think they were ATM withdrawals as stated because they were in multiples of $20 + the $3 fee you were refunded. I don't believe PayPass works at ATMs, or would ring up as such, but you can call your issuer and find out.

Have you thought about reporting it to the police? I don't know how much trouble they'd go to but they can certainly requisition security footage if they were feeling helpful.

This is driving me nuts so I'm sure you must be desperate for answers. I hate to say it but I'd be pulling a "good cop" routine on the BF right now.
posted by kapers at 9:27 PM on April 5, 2015 [2 favorites]

I guess your fiance could have just stolen the money and pretended to lose his wallet but that seems really bizarre and farfetched

I hate to say it, but that is the LEAST bizarre and far fetched scenario that has been presented here. Teams of pickpockets? $143 bar bills? ATM card cloning and hacking within an hour at a single location? Even PIN guessing is incredibly unlikely unless the PIN was 1111 or 1234.

All Fiancé would have to do is come back with the drinks, then slip away some time in the next hour (bathroom break) and hit the ATM. Withdraw $140 (perhaps the limit per transaction at this ATM) then try again, balance too low. Let's try $80. Then panic and decide to "lose the wallet" to explain it.

Unless someone else was hanging around there who knew your PIN and had a chance to grab his wallet, I'd be talking to the Fiancé...
posted by mmoncur at 11:45 PM on April 5, 2015 [8 favorites]

Not sure if it's a thing you do in the US but it's not unusual for me to buy drinks and get some cash as well. "A couple of pints of draught and cash up to $140" and they run a $140 drinks transaction, giving me a couple of pints and $124 change, which then gets spent in the same venue instead of running the card every time.

Particularly if they weren't really checking signatures, that seems a reasonable way to explain the charges you saw - the bar staff would presumably raise an eyebrow if you just asked them for cash, but if it looks like it's just going to be re-spent on more drinks...
posted by russm at 3:24 AM on April 6, 2015

Yeah to me it sounds like they probably just bought stuff at the bar. If you're running them as credit there's no requirement for a PIN. Most bartenders and cashiers (particularly at a very busy place) don't have the time or inclination to verify signatures on cards vs. receipts, all that matters is they got a signed receipt. It wouldn't be hard to do.
posted by Kimmalah at 4:13 AM on April 6, 2015 [2 favorites]

If he used your card at the bar, does that transaction show up with the bank, and if so, what is it labeled as? That should be an indication whether or not the card was used to pay at the bar and is just being mislabeled as an ATM transaction.

Another thought is if it was used at an ATM and you were charged a fee, I would think that would/could/should show up as a separate transaction ($140 withdrawal, $3 fee).

Also, does your bank charge yet another fee for using an ATM that isn't one of its own? That might help you determine whether it was used at an ATM at the venue instead of at the bar.
posted by cali59 at 7:05 AM on April 6, 2015

Thanks, kapers, I realize now that my suggestion was silly. Of course there would be some limit to the number of pin attempts before the account would get locked.

Seconding everyone who says these were ATM transactions rather than bar/store transactions because the amounts were $140 and $80 (+$3 ATM fee). Bar/store transactions wouldn't have come out in nice neat amounts that were multiples of 20.

I've never heard of someone in the US buying drinks and getting cash at the bar as well. (I don't know if this situation occurred in the US, of course.)
posted by sunflower16 at 7:12 AM on April 6, 2015

So wait, how did he end up paying for the last drinks? Did he use your debit card, and if so, how did that show up on your statement? If he didn't use it, why not?

Is it possible he could have been drunk enough to make the withdrawals, forget about what happened, and then lose the wallet and the money?
posted by three_red_balloons at 7:53 AM on April 6, 2015

Best answer: I don't know much about the rollout of chip-and-PIN in the US, but with magstripes there's no way for the ATM to verify the PIN without sending the transaction to the bank. I can certainly imagine a policy decision that the ATM should permit smallish cash withdrawals without online verification, especially if the venue thinks they'll make money when people have easy cash access.

Thus, the hypothetical scenario is that the ATM connection had gone down that night, but that the venue policy permitted small withdrawals. The mystery thief then just has to try some random PIN and it would go through.
posted by katrielalex at 8:25 AM on April 6, 2015 [3 favorites]

My money is on this:

Someone saw him use the ATM, saw him type in the PIN, and then pickpocketed his wallet after the fact.
posted by eas98 at 9:27 AM on April 6, 2015

Response by poster: The charges for the drinks at the bar showed up differently. The venue we were at was called Mercy Lounge, which essentially takes up half of a larger venue that's called Cannery Ballroom.
The ATM withdrawals were labeled on my statement as "ATM W/D 1 CANNERY ROW NASHVILLE". (which is the venue's address.) The bar charges were labeled as "MERCY LOUNGE." The fraudulent charges on my fiance's cards were from the bar, labeled mercy lounge, and were for slightly smaller amounts (don't remember the exact numbers.)

I talked to him again about it this morning. I realize the first thought of Internet strangers will automatically assume that he did it; I'm actually surprised the answers didn't all say "he's a liar, DTMFA." Obviously I don't have proof that he didn't do it, unless the ATM still has video from 3 weeks ago, but I will say that after discussing it with him again today, I do trust him. He was a little drunk but not nearly to the point where he would do something like that he didn't remember. We left to go home pretty soon after all of that happened, maybe 12:15 am or so, and I remember some of our conversations in the cab home and he seemed like a normal level of happy drunk. We took an uber home and his brother who was with us paid for the uber with his phone, so thats why we didn't notice the wallet was gone at that time. I'm going to try and call the bank today and see if they have any theories about what happened.
posted by pimmscup at 10:33 AM on April 6, 2015

I have two thoughts:

1) Your PIN is probably not as obscure as you think, especially to someone who knows you.

2) What's the deal with this brother? Was he at the venue with you? Why did he pay for your uber? He certainly had potential access to the wallet even if he just picked you up at the curb. He'd have been smart to go withdraw money at the venue you were just at. Have you ever told your PIN to your finance in his presence?
posted by cmoj at 10:39 AM on April 6, 2015

Response by poster: I guess it's okay to say this since it's not my PIN anymore, but it was the last 4 digits of my SSN. I think part of the reason it freaks me out is that in the back of my mind I'm wondering if someone somehow found out my SSN. I realize that's next to impossible from just having my debit card, not even my ID or anything, but if they knew that they probably could have guessed the pin easily.

His brother was at the concert with us. I have no reason to believe he could have done it; he was sitting down near me most of the show. He couldn't have known my pin. Fiance and his brother aren't particularly close and don't even live in the same city, he was just up visiting. Also, the brother is younger than us (in college) and has unlimited access to his parents' funds. He took care of the uber because he hasn't ever used uber before (they don't have it where he lives) so by signing up for an account he was able to get the $20 off or whatever the discount is for your first time using it.

Cali59 -- whenever I make an atm withdrawal, it shows up exactly like it did this time, like $103 or $102.50 (if i were withdrawing $100, for example) and the next day I get a credit back for that $2.50 or $3, whatever the fee was. My bank does not charge its own fee, that was one of the perks of this checking account was no ATM fees.
posted by pimmscup at 10:52 AM on April 6, 2015

So is this bar/venue in the same town as your doctors, bank, dentist, DMV, etc? Because the last 4 digits of your SSN are known to anyone who has ever taken your bank info or medical history or mortgage or rental info or health insurance. It's a really bad choice for a PIN, and it's not impossible that someone who previously had access to your personal info found the card and recognized your name. I mean it's probably just as likely as your boyfriend or his brother having a previously undetected drug or gambling habit that led them to rob you.
posted by poffin boffin at 10:58 AM on April 6, 2015 [1 favorite]

I processed the I-9s for everyone at my last job, and even though it's been many months I can remember all kinds of personal numerical details of these people I didn't even care about or want to rip off, just because I have a weird memory for numbers. SSNs, credit cards, birth dates, apartment numbers...

Your social gets blasted out to so many people, the list of folks who might know it is huge.
posted by phunniemee at 11:29 AM on April 6, 2015 [1 favorite]

Response by poster: I don't live in Nashville (where this occurred) and as far as I know have never given my SSN to anyone even remotely close to there. I mean, I guess its not the wisest choice for a PIN but the chance of a random wallet thief in a bar (in a state where I've never lived) being the person who processes my tax return or my health insurance seems so vanishingly small it's almost laughable.
posted by pimmscup at 11:36 AM on April 6, 2015

I mean, it seems more likely that they called the number on the back of the card and social-engineered their way into getting your PIN or getting a temporary authorization to withdraw some cash.
posted by muddgirl at 12:09 PM on April 6, 2015 [1 favorite]

Wouldn't the simplest explanation be that what it says on the bank statement does not mean what you take it to mean? You are assuming that it means somebody used a pin number to steal money. It seems murky enough from hacked terminals to just different point of sale machines/networks that I would think they just needed the card without a pin. The answer might be obscure and hard to find out. You could ask the venue directly how they process cards, you can ask the bank, I doubt they will know in the branch but I'm sure somebody does though they themselves may be impossible to reach.
posted by Pembquist at 12:43 PM on April 6, 2015 [1 favorite]

If it's any consolation, I can't think of any way a third party now has your full SSN (unless it was in fact written down.) But of course keep an eye on the ol' credit report for a while.

If you get any helpful info from your bank or the venue or what have you, I hope you'll update us if you have time. I've been polling everyone and we haven't come up with anything that hasn't been mentioned. Many have concluded that that call is coming from inside the house. I'm def not jumping to anything close to DTMFA, but in your position my eyes would be open for anything unusual. Trust but verify, as they say.
posted by kapers at 3:02 PM on April 6, 2015

As a data point - the reason I suspected Cash Advance was because someone stole my credit card in 2007 and managed to get a $600 cash advance from various gas station ATMs, without a PIN or my ID.
posted by muddgirl at 3:04 PM on April 6, 2015

Cash advance theory: Not only does a cash advance by definition come from a line of credit (credit card), which I believe OP said she didn't have connected to her debit card, but OP said that her bank had refunded the ATM fees as it normally does. Presumably the bank's ATM detection method is more robust than scanning for numbers that happen to be (multiple of 20)+(likely ATM fee amount).

With that last point in mind, barring the work of some possibly mythical pin-hacking machine, someone knew your PIN. It's possible that some crooked doctor's assistant with photographic memory happened to be at the venue with you. However, the simplest explanation is your finace or his brother, and that could encompass a whole range of situations and reasons for doing this.

My mind goes straight to the brother, maybe because you for some reason discount that idea from the beginning. You say he'd have no way of knowing your PIN, but it was the very first number I'd personally try if I were trying to guess most people's PIN. If he's been in your house, it's written on your bills. You last four SSN digits are about as secure as your address.
posted by cmoj at 10:52 AM on April 7, 2015

I know it's illogical, but debit cards absolutely can be used to get a cash advance. The bank or ATM used to request the advance doesn't care if it's a credit or debit card - the difference is handled at the issuing bank.
posted by muddgirl at 11:46 AM on April 7, 2015

« Older Google Maps for FSX?   |   I need automatic grouping with my flocking... Newer »
This thread is closed to new comments.