Insertion, Retraction, Strange Debits… How seconds-long ATM fraud on bank premises puts every customer at risk

FIJ

High achievements, they say, always take place in the framework of high expectations.

More often than not, people wake up every day with one thing in mind — to achieve their set daily targets and plans. When things go as planned, they end up saying they had a “great day”.

And on days things go awry, such are described as “bad”, “unpleasant” and “terrible” days.

Ismaila Ibrahim, a 59-year-old printer who resides in the Onipanu area of Lagos, did not just have a bad day on November 23, 2024; he had a bad period.

This was because he decided to use his United Bank for Africa (UBA) debit card for a N10,000 withdrawal at a Zenith Bank automated teller machine (ATM) in his area.

In the end, his debit card got retracted by one of the bank’s ATMs and as he was being advised by a security guard to visit his bank for a new one, he started receiving strange debit alerts and ultimately lost N307,000 to unknown fraudsters.

After the incident, Ibrahim wrote request letters to both Zenith Bank and UBA. He requested Zenith Bank’s CCTV footage of ATM transactions for the period of the incident and also visited a police station in the Onipanu area for assistance.

All the efforts he made at getting the banks to help recoup his N307,000 proved abortive. The event eventually led to a financial crisis for the printer.

‘I RAN INTO DEBT AS A RESULT OF THE STRANGE DEBITS’

Ismaila Ibrahim at His Printing Office

Ibrahim runs his printing business from a small office housed in an old, worn-out one-storey building in Onipanu.

As this reporter made his way into the middle-aged printer’s office on the morning of November 7, Ibrahim, who was sitting very close to a printing machine called “the 201 machine”, hurriedly put a printing design he was working on aside and flashed a smile.

After pleasantries were exchanged, Ibrahim was asked whether he had further heard from Zenith Bank or UBA on the N307,000 ATM fraud on his account.

“My brother, I have not heard anything from them since that time o, especially Zenith Bank,” Ibrahim told FIJ.

“I was even forced to go to other offices of both banks, but nothing worthwhile came out of my efforts.”

Ibrahim then went on to tell FIJ about the impact the theft had left on his business.

“I won’t lie to you, my brother, things have not been easy for me since the incident happened,” said Ibrahim.

The Particular Zenith Bank Terminal Ibrahim Used at Onipanu

“The truth is, the N307,000 that was fraudulently stolen from my UBA account after my debit card got trapped by the Zenith Bank ATM, belonged to customers who had transferred money to me for printing their jobs.

“After their funds got stolen, there was no way I could go back to each and every one of them to tell them my story. Most of them, being businessmen, would not have even believed my story.

“What I then did was to borrow money from people so I could get their jobs done.

“As we speak, I am still in debt because I am yet to repay most of the loans I borrowed to complete clients’ job requests after the fraud was committed on my debit card.”

SAMSON ATANDA’S STORY

The Strange Debit Alert Atanda Received

On October 26, Samson Atanda, a paint maker in the Agege area of Lagos, visited a Union Bank branch located on Iyana Ipaja Road, Agege, with the intention of withdrawing N20,000 from one of the ATMs on the financial institution’s premises.

As he inserted his debit card into the ATM, the N20,000 he wanted to withdraw was not dispensed to him by the machine.

Strangely, rather than ejecting the debit card, the machine requested that Atanda type his password twice using the keyboard in front of him.

The paint maker promptly obliged, entering his password twice into the machine.

Instead of dispensing the cash, however, the machine still held on to Samson’s card. After he had waited for several minutes and the card still would not come out, the paint maker sought help from the security guard who was on duty at the time.

“The security guard at the branch said he could not help,” Atanda told FIJ in an interview.

“The security man and another man at the other ATM advised me to come back on Monday as my ATM card was already hooked inside the machine.”

A Page From Samson’s Statement of Account Showing the Illegal Transaction’s Details

Sadly, while Atanda was on his way home, he received a N182,500 unauthorised debit notification on his phone. Interestingly, that was also the entire amount he had in his account.

“When I showed up at the bank on Monday, October 28, I was told that my debit card was not inside the machine. Truly, I am not satisfied with the explanation given to me by the bank,” said Atanda.

Having filed a complaint at that branch without any helpful response, Atanda does not believe that the bank’s hands are clean from the fraudulent transaction. He cited his reasons in a letter emailed to the bank’s headquarters.

“I am not a banker, but I do not think it is possible that an ATM would release a locked debit card after the machine has come to a standby, especially when two other customers have used the same machine,” Atanda explained.

Atanda’s Complaint Letter to Union Bank

“The transfer of N182,500 alert reached me under 10 minutes after I operated the machine. I do not believe that an outsider can do that on an ATM card within very few minutes, unless the person knows my PIN.

“I was even being told the transaction was not recorded on their system, but well, probably it was deleted because I have the alert on my small phone as well as my Union Bank mobile app and I wonder why they would tell me that even the N20,000 withdrawal attempts were not recorded.

“I just need the bank to help retrieve my money which is meant for a contract I recently collected. I am now under pressure to deliver the job but the money has been stolen.”

Registration Details of the CEDETITO VENTURES.

The transaction’s narration, according to the debit alert, indicated a certain business name called ‘CEDETITO VENTURES’. Atanda suspects Cedetito Ventures is a point of sale (PoS) terminal operator.

Further checks showed that the venture was registered with the Corporate Affairs Commission (CAC), with business number 7535016, on May 30.

Curiously, the registered address of CEDETITO VENTURES is at Abeokuta Expressway in Iyana Ipaja, the same area where the bank is located, according to b2bhint, an online business data aggregator.

“Someone affiliated with the bank could have removed my card after I had left and made use of it to steal my money via the PoS terminal,” Samson told FIJ.

Atanda’s formal complaint emailed to the bank on October 29 had not yielded any positive outcome when FIJ spoke to him.

MYSTERIOUS DISAPPEARANCE OF N810,000 FROM UNION BANK ACCOUNT

Ikechukwu Chukwuonye

On June 12, Ikechukwu Chukwuonye, a Lagos-based auto dealer, attempted to withdraw N5,000 from a Guaranty Trust Bank (GTB) ATM located in Ladipo Spare Parts Market in Mushin, Lagos.

He needed the money to pay his transport fare when returning to his residence in Ikorodu.

“After I slotted in my debit card, I discovered I could not proceed with my transaction,” said Chukwuonye.

“While my card was still inside the machine, it neither gave me the option to proceed with the withdrawal I needed to make nor ejected the card.

The Debit Alerts Chukwuonye Received After the Fraud Was Committed

“While this went on, one of the security guards working at the branch came to me and said the machine had swallowed my card. He also said I would have to go to Union Bank, my bank, to request a new debit card.

“I waited for a few additional minutes to see whether the machine could still automatically eject my card, but when that did not happen, I eventually left the bank premises.”

Ten minutes after Chukwuonye left the GTB branch, a shocking incident happened.

Have a guess…

“Ten minutes after I left the branch, I suddenly received a debit alert of N800,000,” Chukwuonye said.

“I was shocked and almost fainted on the spot. When I regained a little bit of composure, I sprinted back to the GTB branch to tell the security guard, who had initially told me to go lodge a complaint at my bank, what had happened.

“When I got there, the particular security guard who referred me to my bank was no longer there. I only met his colleague, who became unnecessarily aggressive and would not do anything to assist me.

“As I was trying to further explain things to him, I received two additional debit alerts of N5,000 each. This meant that whoever retrieved my card after I left the branch’s premises had stolen N810,000 from my account.”

Despite the many complaint letters he wrote, Chukwuonye’s N810,000 was never recovered.

Speaking with FIJ on November 8, the auto spare parts dealer said he was yet to recover financially from the theft.

“The incident really affected my business. As we speak, I am yet to recover financially from it,” said Chukwuonye.

“At a point, a crooked lawyer also defrauded me by collecting N80,000 under the guise that he would help me fight the case in court. Till we speak, he has been silent on the matter.

“Presently, I have been borrowing from friends and fellow spare parts dealers to stay in business.

“Even the N810,000 that was stolen from my account was not entirely mine. I was insulted and hounded by the actual owners of the funds till I was able to pay them back.

“There were times I had to hide from my creditors anytime I sighted them from afar. It was a terrible period for me, honestly.

“Our banks are now full of thieves and fraudsters.”

OVER N7.5 MILLION STOLEN THROUGH TRAPPED DEBIT CARDS

Between 2023 and November 2024, FIJ published several stories on how unsuspecting Nigerians had been digitally robbed while trying to withdraw cash from bank ATMs.

In all, and through the stories, the victims have lost at least N7,582,600 to fraudsters.

This is apart from an FIJ report that detailed how Nigerians lost at least N816 million to fraudulent withdrawals perpetrated by bank staff in the first half of 2024.

Each incident of debit card fraud followed the same pattern: a customer inserts their debit card in the ATM; the card gets trapped; the customer is advised to either come back another time or go to their bank to lodge a complaint; the customer receives a strange debit within minutes of leaving the bank’s premises.

All the incidents published by FIJ occurred on Zenith Bank, Union Bank, First Bank, Guaranty Trust Bank (GTB) and Sterling Bank ATMs. So, it is a problem affecting customers across the board; it does not matter which bank they use or trust.
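
The pattern above (a card held during an unfinished ATM session, then a debit elsewhere within minutes) is something a card issuer can watch for. The sketch below is an added example, not code from FIJ or any bank: the event names `ATM_INCOMPLETE` and `DEBIT_APPROVED`, the log format, the terminal IDs and the 30-minute window are assumptions, and the sample lines are constructed, with amounts echoing the Agege case.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real data): time|card token|event|terminal|amount in naira
SAMPLE_LOG = """\
2024-10-26T10:02:00|card-A|ATM_INCOMPLETE|ATM-OTHERBANK-01|20000
2024-10-26T10:03:10|card-A|ATM_INCOMPLETE|ATM-OTHERBANK-01|20000
2024-10-26T10:11:30|card-A|DEBIT_APPROVED|POS-MERCHANT-77|182500
2024-10-26T09:00:00|card-B|ATM_INCOMPLETE|ATM-OTHERBANK-02|5000
2024-10-26T09:01:00|card-B|DEBIT_APPROVED|ATM-OTHERBANK-02|5000
2024-10-26T12:00:00|card-C|ATM_INCOMPLETE|ATM-OTHERBANK-03|10000
2024-10-26T15:30:00|card-C|DEBIT_APPROVED|POS-MERCHANT-12|4000
"""

WINDOW = timedelta(minutes=30)  # assumed window; the reported debits came within about 10 minutes


def parse(log):
    """Turn pipe-delimited lines into dicts, sorted by time (feeds may arrive out of order)."""
    events = []
    for line in log.strip().splitlines():
        ts, card, kind, terminal, amount = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "card": card, "kind": kind,
                       "terminal": terminal, "amount": int(amount)})
    return sorted(events, key=lambda e: e["ts"])


def flag_post_trap_debits(events, window=WINDOW):
    """Flag approved debits that follow an incomplete ATM session on the same card
    within `window`, at a different terminal from the one that held the session."""
    last_incomplete = {}  # card -> most recent incomplete ATM event
    alerts = []
    for ev in events:
        if ev["kind"] == "ATM_INCOMPLETE":
            last_incomplete[ev["card"]] = ev
            continue
        trap = last_incomplete.get(ev["card"])
        if ev["kind"] != "DEBIT_APPROVED" or trap is None:
            continue
        if ev["terminal"] == trap["terminal"]:
            # Customer retried and succeeded at the same machine: session resolved.
            del last_incomplete[ev["card"]]
            continue
        gap = ev["ts"] - trap["ts"]
        if gap <= window:
            alerts.append({"card": ev["card"], "trap_terminal": trap["terminal"],
                           "debit_terminal": ev["terminal"], "amount": ev["amount"],
                           "minutes_after": round(gap.total_seconds() / 60, 1)})
    return alerts


if __name__ == "__main__":
    for alert in flag_post_trap_debits(parse(SAMPLE_LOG)):
        print(alert)
```

Only card-A is flagged: card-B's retry succeeded at the same machine, and card-C's later purchase falls outside the window.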

FIJ SPEAKS TO AN ETHICAL HACKER

To unearth how fraudsters and criminals could use customers’ retracted debit cards to steal funds from accounts, FIJ spoke to Lukman Abdulrauf, a Nigerian ethical hacker and information technologist.

“You see, debit card skimming or fraud is a global conundrum; it is not peculiar to Nigeria. In fact, a recent report had it that the number of debit card skimming surged globally by 96% between 2022 and 2023,” said Abdulrauf.

“To answer your question, debit card fraud is perpetrated through three most common ways.

“One of such ways is through the placement of hidden cameras at the ATMs.

“You will agree with me that ATMs have cameras placed in them. Bank management would always claim the cameras are for security purposes, but those in charge of the surveillance and monitoring of these machines are human beings.

“You can never rule out the possibility of fraud once sensitive card details become exposed to humans through such means.”

Abdulrauf went on to talk about the two other ways.

“The second possible way is by installing devices capable of stealing users’ information on ATMs,” the ethical hacker told FIJ.

“These devices collect users’ information from their cards and transmit such details wirelessly to other devices that are eventually used in committing monetary fraud.

“The third way happens when fraudsters place an overlay keypad (fake keypad) on ATMs. These mostly happen on offsite ATMs. When I say offsite ATMs, I mean machines that are placed at strategic locations that are usually far from bank premises or branches.

“In the instance where users’ cards get trapped/retracted by the machines, the skimmers, more often than not, are always aware that card owners are already displaced.

“They can see every activity going on at the ATMs and that’s when they seize the opportunity to carry out their fraudulent attacks.

“These cases can be complex most times because they often require comprehensive forensic investigations.

“That’s why I always advise people to avoid using their cards on Point-of-Sale (POS) machines whenever they can. In fact, it is often always better if you can do away with the use of debit cards.

“Those skimmers and fraudsters are always very tactical and clever in their craft that they hardly get caught.

“You will also notice that these fraudulent acts are mostly suffered by customers who use their debit cards on other bank ATMs.”

Just as Abdulrauf had said, about 95% of the cases published by FIJ happened when customers had their debit cards trapped in ATMs belonging to other banks.

DEVICES AND SOFTWARE USED IN PERPETRATING THESE FRAUDS

Abdulrauf explained further and told FIJ about some devices fraudsters use to steal the debit card details of unsuspecting customers on compromised ATMs.

“There are a lot of card reader devices these fraudsters use to steal people’s savings from their accounts,” Abdulrauf told FIJ.

“As a matter of fact, these devices vary from one manufacturer to another. It all depends on the brand the fraudsters have at their disposal.

“There is the Flipper Zero, a very small and unsuspecting device. The moment it is placed close to a customer’s credit or debit card, such customer’s sensitive details are gone.

“Another one is the MSR X6. Once your card gets swiped with this device, your information is gone. Card readers come in different forms than you can ever imagine. People just have to be very careful with their cards.”

HOW DOES A FLIPPER ZERO WORK?

A Flipper Zero

A Flipper Zero is a toy-like portable hacking tool most times used by cybercriminals to perpetrate fraud. The gadget is also a powerful and intuitive tool that is used during cybersecurity investigative missions globally.

Because it can read the signals that wireless devices emit, hackers and fraudsters who have it can reveal a significant amount of information about a spectrum of electronic devices.

A Flipper Zero contains a few different antennas. These antennas help it capture, store, clone and emulate wireless signals. These then make it possible for the device to read bank debit and credit cards that generally use Near Field Communication (NFC) signals.

To read a wireless signal, the user holds the Flipper Zero up to the source of the signal, selects the program that corresponds to the signal type, and then selects the “read” option.

THE MSR X6

An MSR X6

The MSR X6 is a magnetic card reader and writer that encodes, reads and verifies card data with a single swipe.

It converts information on the magnetic stripe of credit, debit and gift cards into computer-readable data.

It also works with all the major operating systems such as Windows 7, 8, XP, Vista, 2000 (32 and 64 bits), Apple devices, Linux and Android.

These tools are bad news in the hands of financial criminals, and they aren’t the only card detail-stealing tools on the market.

Once a thief, armed with any of these devices, has a moment with a debit card, its details could be snatched within seconds. Access to the bank account will occur within minutes. Whether they want to steal the money in bits or at once will be down to the fraudster’s fancy.

FIJ REACHES OUT TO ZENITH, GTB, UNION, FIRST AND STERLING BANK ON THE ISSUE

On Sunday, FIJ sent emails to the customer care desks of Zenith, GTB, First Bank and Sterling Bank on the issue of fraud being perpetrated after customers’ debit cards were retracted by ATMs on the banks’ premises.

In the emails, the banks were asked to state the measures they have since put in place to ensure such acts of fraud do not continue to happen.

RESPONSES FROM THE BANKS

Chukwunweike Udeorah, a Zenith Bank official, was the first bank representative to respond to the emails sent out by FIJ.

Here is Udeorah’s November 10 response:

Thank you for your mail to ZenithDirect regarding the allegations.

Kindly be informed that such claims are to be reported to and investigated by the banks of the affected card holders.

Therefore, we suggest that you advise the affected persons to follow the appropriate channels to lodge their complaints.

On Monday, a Sterling Bank official who simply referred to herself as Ifunanya also issued the following response:

We apologise for the delayed response and any inconvenience caused.
Kindly provide your account number to enable us assist further. We hope to hear from you soon. All inconveniences are sincerely regretted.

This clearly showed that the bank official did not take time to read through FIJ’s mail before responding.

On the same day, Olajumoke Subuloye, a First Bank official, also responded:

We acknowledge receipt of your complaint and do empathise with you on the issue raised.

Kindly advise the account holder to engage us with his account number via the registered email on the account to enable us investigate and assist.

We apologise for any inconvenience this situation may have caused and want to assure you of our ongoing dedication to providing you with improved service.

Ironically, when the debit card fraud victim last contacted First Bank to lodge a complaint, he did not get a favourable response from the financial institution.

IMPORTANT PROTECTIVE MEASURES

Following years of investigative reports and conversations with experienced banking and IT professionals, FIJ came up with eight important measures customers can adopt to protect themselves from debit card fraud.

These include using uncompromised ATMs stationed on bank premises, minimising the use of debit cards for online transactions, desisting from giving out debit card details to strangers, minimising the use of debit cards on PoS machines, avoiding the use of offsite or remote ATMs, avoiding the use of ATMs with suspicious-looking keyboards, immediate reporting of the loss of a debit card for hot-listing and not keeping all of one’s savings in just one account.

THIS STORY FIRST APPEARED IN FIJ
