Phantom FAQ
What is a phantom withdrawal?
In short, a phantom withdrawal is a cash withdrawal from an ATM where money has been taken from a customer's account, yet neither the customer nor the bank admits liability. ATM and card frauds are pretty commonplace these days, but true phantom withdrawals, which defy explanation, are rather rare: probably only hundreds each year rather than thousands.
Am I a victim of a phantom withdrawal?
If you believe money has been stolen from your account at a cash machine (ATM), and you have reported it to your bank and denied responsibility, then so long as there is no obvious explanation for what took place and the dispute remains unresolved, it could be termed a "phantom withdrawal".
Let's consider some examples:
- If you receive your statement at the end of the month and find half-a-dozen cash withdrawals on it that you are certain you did not make, and you have taken good care of your card and PIN, then so long as the bank does not offer an explanation to you, this pretty much instantly qualifies as a phantom.
- If you have been mugged and your wallet was stolen shortly after visiting an ATM, it is likely that the perpetrator observed you entering the PIN, and then attacked you to get the card. This would not be considered a proper phantom withdrawal, as there is a pretty obvious explanation. Usually in this case your bank will only consider you liable for the first 50 pounds of the amount stolen, but if you are unlucky they might drag their feet. Even if your dispute is not technically a phantom, some of the information on this site may still be useful to you.
- If you check your bag and discover your wallet or purse has been stolen, and find on reporting it to the police or bank that money has already been taken from your account, this is probably a phantom withdrawal. So long as you have taken good care of your PIN (not written it down, not told it to anyone) then this is probably a phantom, as there is a clear unexplained part of the equation.
- If you are rung up by your bank and told that several thousand pounds have been spent on your credit card buying high-tech goods in a foreign country (e.g. televisions, phones etc.), then your dispute probably is not a phantom withdrawal. Firstly, it does not involve a cash machine, and secondly, if the purchases were made in a foreign country, it is quite likely that a magnetic strip clone was used to make the fraudulent purchases. This is a very common type of fraud and it should be a simple matter to resolve this with your bank. If, however, it turns out that the disputed transactions were made using the chip on your card, then this is not technically a phantom (as no ATM is involved); but as there is a strong unexplained element (how could the attacker have discovered your PIN?), we are still very interested in this dispute. The information on this site should be useful to you, and you should consider documenting your case.
What are the criteria for a phantom to be documented on the website?
Although the resources on this site may be applicable to a whole range of fraud victims, we are particularly interested in collecting and documenting cases with unexplained elements: particularly in explaining how the attacker discovered the PIN for the card. Use these guidelines to consider whether or not your case should be documented:
- Money must have been stolen from a credit or debit card account where a PIN was issued on the card
- The theft must have been reported to the bank (or to the police) such that a dispute is formally in progress
- The customer must affirm that he or she has taken good care of the PIN for the card (i.e. not written it down)
Up until 2008, the case list was manually maintained, and the maintainer had limited time available to continue processing and documenting cases. The new site is based on a Wiki (a website which is easy for anyone to edit), which should allow you to document your case yourself. Others can then contribute to it by reformatting and rewriting the details. The process is greatly speeded up if the information about the withdrawal is dropped into the standard template. If not enough information is provided, your case may be considered for removal from the site; we are not looking for very vague brief comments, or for long vehement rants against a particular bank. At the least, you will need to know:
- The dates, times, amounts, ATM locations and affiliated bank of each phantom withdrawal made
- The location of all the registered cards and cardholders at the time of each withdrawal
- A copy of some correspondence reporting the dispute to the bank or police
Please be aware that the processes of documenting the withdrawals and providing informal advice are quite separate -- the former hopefully providing a valuable long-term resource for everyone, and the latter being of short-term importance. The maintainer is glad to help in either circumstance but is subject to time constraints. A telephone call during office hours (see the Contact Information page) is more likely to yield a prompt response to advice requests than an email.
What is the purpose of this website?
This website is designed with three goals in mind:
- to better inform victims of phantom withdrawals of the options available to them for reclaiming their money and provide resources to help them argue their cases competently
- to document the incidence, detail and magnitude of phantom withdrawals, to help academics and industry experts get quantitative and qualitative data
- to encourage the development of a better established and fairer procedure for resolving phantom disputes.
As a consequence, this site includes information questioning the security of ATM networks and card payment schemes. Though a lot of negative information is collected in one place, this is not to say that customers should have no faith at all in banking security. However, there is a dire shortage of open information about the security of these systems, and in particular about their failures. Security mechanisms themselves are documented in the abstract in other places -- the websites of banking software vendors, for instance. But it is always difficult to get hold of information.
Who runs the site, and who wrote the information contained within it?
The site is run by Mike Bond, who was from 2000 to 2006 a computer security researcher at the Computer Laboratory of the University of Cambridge, UK. His key research topic was the analysis of security APIs (application programming interfaces) and tamper-resistant computer hardware, which are used in banking security systems. This forms the link with bank and ATM fraud history and methods. Visit the contact page to find out how to contact Mike. Now that the site has become a Wiki, information can of course be contributed by many authors. However, core pages such as this FAQ are "protected" and cannot be edited by the general public.
Am I liable for money withdrawn using my PIN and card, even though I didn't share them?
This is a tricky one. The most important document to refer to is your contract with the bank. Most bank contracts state that the customer will not be liable for withdrawals made after he has reported the theft, loss, or possible divulgence of the PIN to his bank. A small liability for the first 50 pounds or so of the sum stolen may be imposed. However, these contracts usually include caveats that the customer will be liable if he or she has acted fraudulently or negligently.
And here the contracts usually are not explicit in defining negligent actions (or inactions), nor in stating the burden of proof for fraud. This means it can be impossible to tell straightforwardly where the liability sits -- it becomes a matter for the lawyers. Further complications arise because most banks promise to comply with the "Banking Code", which may set rules that differ from the contract but are non-binding; because banks may refer cases to the Banking Ombudsman; and because banks may have clauses in their contracts struck off if the contract is determined in court to be "unfair".
Has anyone successfully recovered money from a bank after a phantom withdrawal?
Yes, it is reasonably common. Obviously a large proportion of people suffering fraud on their accounts are refunded within a couple of weeks without any fuss by their banks. But there are still tens of thousands of disputes each year which are more problematic. In the past, customers have recovered money through appeal to the bank, negotiation (e.g. splitting the difference), escalating publicity (going to the media) and, in a number of cases, legal action. But it's complicated to figure out which method is most likely to be successful, and some approaches can be quite expensive or risky. Visit the Documented Phantoms Withdrawals section of the site, and look at the withdrawals that are categorised as "resolved".
Who should I bank with?
Weigh up the risks you are taking by choosing a particular bank, and other factors such as services offered or ethics of investment. It would be of long-term benefit to all for customers to choose banks which can demonstrate their security and thus trustworthiness most effectively. Unfortunately, nearly all banks provide no objective information on their security systems which can be used to make a balanced judgement on where your money is safest. In light of this, if you want to maximise the security of your money, go with the bank with the best customer service record.
How can I keep my money safe?
Tentative advice is to split your money across several banks or accounts, keep your credit limits low, and have enough in a shoebox to stay in a hotel for a few days or travel to some relatives. (It has been pointed out to me that strictly speaking, if you want to minimise the chance of losing any money at all, then splitting your money across multiple accounts could increase the chance that one is randomly chosen by an attacker. But it would reduce the maximum amount the attacker could steal from the account attacked). It's a good idea to have different PINs for your cash withdrawal and point-of-sale purchase accounts, and wherever possible to use credit cards. If fraud occurs on a credit card, you may have extra protection in many countries (for instance in the UK under the "Consumer Credit Act 1974"), but more practically, you might consider refusing to pay the bill whilst the dispute is taking place.
Where do I start if I want to recover my money?
Start by talking to your bank: neither you nor they want to get embroiled in a lengthy dispute, and even less to go to court. But be prepared for the worst from the first day. Much important evidence for arguing your case later on during a dispute may be lost if you do not act quickly: for instance, CCTV footage will not be kept indefinitely. If the amount of money you have lost has a serious impact on your financial situation, you should contact a lawyer straight away.
How difficult will it be to reclaim my money?
It depends upon how much money you have lost, how you approach the bank, and crucially - luck. Some banks have refunded money with little question upon complaint, some have immediately denied responsibility, and some have even changed their minds, and reinstated transactions which they previously refunded without question. Have a read of the Documented Phantom Withdrawal cases to get an idea of the range of experiences that customers have had.
How common are phantom withdrawals?
One of the purposes of this website is to get a better idea of the answer to this question. There was a wave of this sort of fraud in the early nineties, and few if any phantom withdrawal cases attracted significant attention until the mid two thousands, since when phantom withdrawals have steadily been on the rise. Bank fraud investigation departments deal with tens of thousands of fraud cases each year and have full-time staff investigating each case. Normally of course, a probable explanation is found, and the dispute resolved, so only a small proportion of these cases end up as long-term phantoms.
Who are the perpetrators of phantom withdrawals?
Three explanations seem immediately plausible to explain any phantom withdrawal:
- The first, and simplest, is known as "first party fraud". This is where the customer is attempting to commit a fraud against the bank, by falsely disputing some transactions that he, she or an accomplice actually made.
- The second possibility is that a criminal or organised gang has managed to collect both the customer's card information, and his or her PIN. However, when we classify phantom withdrawals, we try to ensure that no criminal method already known to us could clearly explain the withdrawals.
- The third and rarest possibility is that the withdrawal was made as a result of a more sophisticated attack, for instance in co-operation with an insider at the bank who has access to customer account and PIN information. The hardest-to-resolve phantoms often come down to deciding between the relative chances of insider attack at the bank versus first party fraud by the customer.
How many people have been convicted of ATM fraud?
There have been dozens of people convicted within the UK, usually members of gangs that attach "skimmers" to ATMs, or sabotage Point-of-Sale terminals. Many more have been convicted internationally, and ATM fraud severely damages bank revenue streams in developing countries. When it comes to insider fraud, banks rarely prosecute, so it is much more difficult to tell the incidence. Occasionally there are convictions of bank employees at branches or credit card issuing centres, but it is not usually related to card fraud or methods of extracting PINs.
Does the perpetrator have to know your PIN to withdraw money from an ATM?
Once you begin to question the infallibility of bank computer systems, a whole range of explanations moves from impossibility to possibility. For example, a bank insider might simply be able to return positive authorisations (i.e. "yes" responses) to a cash machine over its phone line, to tell it to dispense the cash every time, no matter what PIN was entered. It is even conceivable that an actual ATM withdrawal was never made corresponding to the recorded debit of a particular account.
However, "possible" does not mean "probable", and nearly all plausible attack scenarios involve PIN recovery, rather than intricate hacking of the software surrounding the ATM infrastructure. So - no, the perpetrator doesn't have to know your PIN, but in all likelihood he did.
