I’ve become a bigger fan of Mint.com than ever. Even though it has a few minor flaws, it provides an excellent dashboard to see current and pending transactions to all accounts at once.
I’m not compulsive about checking my accounts, but I find its phone app handy to check occasionally to plan or check spending, which is where I noticed an unusual withdrawal from my account, from an ATM, for $167.36. I don’t have a debit card, so this struck me as a fairly unusual amount to withdraw from an ATM, and I made a mental note to follow up as soon as my plane landed.
When I did, I made two additional discoveries:
- The ATM withdrawals had been made from Bogotá, Colombia
- Enough withdrawals had been made to completely drain my modest checking account
It’s worth pointing out that my ATM card was safely in my wallet, and I’d never given my pin out to anybody. Nor had I used any dodgy teller machines — I’d like to think I’d notice a skimming device, but they can be fairly sophisticated — at any rate, I do keep an eye out for such things on general principal.
A google consensus links fraudulent withdrawals from Bogotá specifically to compromised ATM’s in La Antigua, Guatemala… Where six months earlier, I’d spent a month. At the time, I had been diligent about checking for unusual withdrawals or activity, and it had all been legitimate at the time, and for six months after. (Articles describing the linkage are here, and here, among other places.)
There’s some rampant speculation in those articles, but I do know enough about ATM communication to know that no ATM uses “unencrypted communications.” That said, through complicity, skimming, or compromised ATM software, both my card number and PIN were acquired and transmitted to Colombia, where six months later, a copy of my card was used to drain my account.
My bank was relatively helpful, first canceling my ATM card, and saying that they “would investigate.” I waited a few days and called for more details — and I’m very glad I did, since I needed to fill out an affidavit and get it notarized. I was gratified by some of its language:
“I fully realize that [this affidavit] may cause the arrest of a person or persons for the unauthorized use of Credit/Debit card identified in paragraph 1 above…”
I should certainly hope so.
I was also informed that the notarized affidavit needed to be in their possession within 10 days or the money could not be refunded. Nice to know! I, for one, would hate to lose a bunch of money because a clock ran out that I didn’t even know was running. (10 days seems like an insanely short amount of time, given that bank statements are usually issued monthly. I was given a vague reason about “Visa regulations,” which is slightly odd since it’s an ATM card, not a debit card, and I don’t know of any ties to Visa, but I’m not about to argue the point since I actually can get the paperwork back to them that quickly.)
I supposed I can relax a bit since the money is [provisionally] back in my account, but I’d feel even better if I knew that a group of culpable Colombians and Guatemalans were rotting in a jail cell right now.