The Bank of the West is warning customers that their debit card numbers and PINs have been stolen by skimmers installed on several of the bank’s ATMs.
The financial institute, which operates over 600 branches in the United States, first detected a wave of suspicious withdrawal attempts in November 2021 and coordinated with law enforcement to conduct an in-depth investigation.
A review of the bank’s entire ATM network was completed on April 18, 2022, revealing that someone had installed skimmers on an undisclosed number of cash-withdrawal terminals.
“The ATM skimming device that was installed interfered with the normal debit card transaction and allowed the theft of your card number, the PIN number associated with your card, and possibly your name and address,” explains the bank’s notice to impacted customers.
“This stolen information may have been used to create fake debit cards and attempt cash withdrawals.”
The bank claims that it promptly stopped the fraudulent use of stolen card information and actively monitored all accounts that were determined to be compromised.
Compromised customers should have their debit cards blocked now and will receive a new debit card and PIN. Additionally, Bank of the West will cover one year of free credit monitoring and identity theft protection services to all impacted clients.
ATM vs. website skimmers
Usually, people’s debit and credit card details are stolen in a more “online” fashion via stealthy JavaScript code that runs on order checkout pages of e-commerce sites, siphoning the details entered in the payment stage.
However, in those cases, the threat actors cannot perform direct withdrawals on ATMs, as they don’t possess magnetic stripe data or card PINs.
Hence, website skimming operators exploit their stolen cards by making online purchases, sending the goods to money mules, and laundering the funds from second-hand sales.
Because the victim in these cases has the opportunity to realize the compromise and report it, some of the fraudulent transactions may be reversed, and the damage can be contained.
In the case of Bank of the West and ATM skimmers, the stolen information is used to forge clone cards that work like the real ones, so nothing stops the adversaries from emptying bank accounts in one go.
Also, if these people perform the withdrawals in late hours and wear masks/hoods, identifying and prosecuting them would be complicated even if they’re caught on video.
Bleeping Computer has contacted the Bank of the West to ask if the authorities have made any arrests and to determine the number of compromised debit cards, but we have not heard back yet.
Source: https://www.bleepingcomputer.com/news/security/bank-of-the-west-found-debit-card-stealing-skimmers-on-atms/