The purpose of exposing this hacking technique is not to encourage thieves but to persuade banks to improve security. Ironically, this hack takes advantage of a security feature that is designed to protect our cash in case we are being mugged at the ATM, or we just forget
Precaution 1: Most ATM¡¯s are covered by camera.The thief will therefore have his face covered.
Precaution 2: The thief will have to wait about 20 seconds (which can seem like an eternity when in a rush) and the ATM may make some noise thereafter. The best time to attempt this hack is therefore at night, when there is nobody around. Remember, most ATM¡¯s are accessible 24 hours a day.
Precaution 3: Obviously the thief will need to know the pin number. This hack is not about hacking the pin. The thief can use their own credit card, at least once.
Precaution 4: The thief must ascertain whether the bank operates a ¡®cash retraction/retention policy¡¯ for their ATM machines. Most banks do have such a policy.
Step 1: The thief uses an available credit/debit card (preferably with a large withdrawal limit) and selects the option to withdraw a specific amount of cash.The greater the number of notes the thief withdraws, the easier step 2 becomes.The card is returned and the cash is released into the cash dispenser.
Step 2: This is the critical point. Calm and have steady hands are important: The thief holds firm of the top or bottom few notes of the cash pile (with a slight push into the dispenser) with one hand and with the other hand, slide- pulls the remaining (larger pile) of cash from the dispenser.
Step 3: If the thief has successfully managed to keep a few notes in the cash dispenser, he has to about wait 20 seconds.Warning:The ATM machine may make a few noises. But after the elapsed time, the ATM will take the remaining cash back into the ATM.
Having assumed someone is attempting to mug the thief, the ATM takes the cash back and cancels the entire transaction. ATM¡¯s can count the cash out but can¡¯t count the cash back into the machine.
If the thief chose to withdraw
If the thief chose to withdraw 5000 and retain 500 within the ATM, the bank will cancel the entire 5000 transaction. And the thief will have pocketed 500 of ¡®free cash¡¯.
There are a couple things banks can do to improve their security. If machines can count cash out, they should be able to count incoming cash from the same cash dispenser. Or banks can disable the automatic cash retraction policy and have the account holder come in to the bank to make a claim.
Some banks (such as first bank fcmb etchave cancelled their cash retraction policy, altogether.
But banks in the UK appear to be moving in the opposite direction. In the past, banks such as HSBC, Royal Bank of Scotland (RBS) and Tesco Bank held on to retracted money in reserve until the account holder made a claim.
Barclays Bank plc and Lloyds TSB Group have an automatic cast re-crediting policy, as do Santander but only if the account holder is a Santander customer.
It is time for banks to improve their ATM technology so the cash can be counted back into the machine.