BOSTON -- During a recent trip to the bank, Cindy Palmer Steele noticed someone else's private account information lit up on the key pad machine at the window.
She alerted the teller.
“She said oh that’s probably the girl that was in front of you, it’s probably her account and I said well that doesn’t really make me feel very good because does that mean the guy behind me can see mine?”
A cybercrime expert found something even more troubling. With hidden cameras rolling, Willis McDonald went in to seven bank branches, lingering at empty teller windows.
Employees at six of the banks, including Cindy Palmer Steele’s bank, allowed McDonald to fiddle with pin pads unchecked.
“Frankly I am surprised. I expected to be stopped many times,” McDonald said.
The former FBI agent said he could have doctored the machines or installed a card skimmer.
“Yeah. It would’ve taken five seconds, maybe even less, to walk into the bank, place something on the device to be able to read cards or even cards inserted with the chip and PIN,” McDonald said.
Skimmers are easy for criminals to install
“It's really easy to just plug a skimmer. They are easy to make, really small, you stick it on with glue,” said Adriel T. Desautels, a former hacker who's now the managing partner and CEO at Netragard, inc. “You can also record the pin numbers usually, because you put little cameras inside the skimmers.”
“It would be odd to me that another consumer can access somebody else's account off of one of those machines,” said Daniel Forte, president of the Mass Bankers Association. The trade group that represents 150 banks across the state.
Forte says what McDonald found is unusual, in part because banks train employees to identify and report suspicious behavior. He believes a skimming device would be discovered.
“At the end of each day, all the equipment is monitored and double checked in the event there is any attachments to them. The bad guy needs to come back and remove that skimmer to get that information he's trying to capture,” Forte told Boston 25 News.
Forte has not seen cases of that happening inside a Massachusetts bank. He said when a bank customer is the victim of fraud in other cases, typically the bank will reimburse them.
Banks respond to undercover video
Wells Fargo sent our sister station a statement saying their PIN pads use up-to-date security and they're constantly testing new security devices. They didn't address why two branches didn't stop McDonald.
Wells Fargo also said that the only information Palmer-Steele saw was the last four digits of the previous customer’s account and it was nothing that could be compromised.
Three Bank of America branches also let McDonald fool with their machines.
In a statement, the company did not address why. “Protecting customer information is our highest priority. During the past decade of using the Quick Service Terminals to help verify a client’s identity, we have had no security issues (or skimming devices) related to the terminals, and customer accounts remain secure.”
Chase Bank said: “We train our employees to watch for unusual behavior in the branch and are disappointed with what we saw in this video.”
Cox Media Group