A friend of mine in Shanghai just had 9000 RMB (US$1500) stolen from his Korean bank account by somebody using his ATM card number in Poland. His bank is unsympathetic. They claim that he must have given his card or PIN number to somebody and that is how they took the money out. But he never gave it to anyone, though someone may have rigged an ATM machine to read his info.

Your ATM card is a disaster waiting to happen. If someone gets your number and your PIN, by theft or guesswork, you may have no recourse. You must limit the use of your card to avoid having thieves scan it, and avoid keeping too much money in any account that can be accessed with an ATM card.

Whenever you use your card with a retailer, there is a chance that the retailer is keeping your PIN, perhaps inadvertently, and this PIN can then be hacked and sold to thieves. See the 2006 story from NBC News, which explains some of the basic threats.

The more you use your card, the greater your risk. The more money in your account, the greater your risk. Keep some of your money in accounts that cannot be accessed with an ATM card using the terribly inadequate 4-digit PIN security system.

Surprisingly, money may be swiped from your account using your ATM card number even if the thieves don’t know your PIN number. Sound impossible? Our experience proves otherwise.

Recently someone in Germany started pulling about $300 a day out of our US bank account using our ATM card number from our US bank. This is a card we rarely use–I think we have never used it in China but did use it on our trip to Italy in February 2014. The thieves struck in May 2014. They took the most they could each day for 3 days in a row before I happened to check my online bank account and notice the unexpected withdrawals. It was very fortunate that I noticed this right away instead of after our account was drained dry. Amazingly, there was no anti-fraud alert to the surprise bleeding that was underway. Bet they could have taken everything if I hadn’t noticed.

I immediately called the bank and they inactivated the card. Whether I would get the money back or not depended on one thing: did the thieves use my PIN number when making the withdrawals? If they had, then the money would be lost forever. No recourse. But because the bank in Germany that dispensed the money was not able to provide proof that the PIN had been used, my bank ruled in my favor and refunded the money.

How the thieves got money out of my account without my PIN was never explained. But it did happen, so it seems, and that means it can happen–to you! Check your account often for fraudulent charges. Use your card as little as possible. Don’t use it in shady locations–whatever that means. Assume every operation is shady and vulnerable. Guard your PIN zealously and watch for unusual attachments to ATM machines, and realize that people may be watching the keys you push, so cover the keypad and use false moves as well.
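The kind of alert that was missing during the Germany withdrawals can be run by hand over an exported statement. The script below is an added example, not the bank's logic or anything from the original post: it flags consecutive days of near-limit cash withdrawals outside the home country. The row layout, the home country, the $300 daily limit (taken from the "about $300 a day" above), the 90% threshold and the exact dates in the sample are assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample statement rows (not real data): (date, country, kind, amount in USD)
SAMPLE = [
    (date(2014, 2, 10), "IT", "ATM", 120.00),   # one ordinary travel withdrawal
    (date(2014, 4, 28), "US", "POS", 42.10),
    (date(2014, 5, 12), "DE", "ATM", 300.00),
    (date(2014, 5, 13), "DE", "ATM", 300.00),
    (date(2014, 5, 14), "DE", "ATM", 300.00),
]

def find_alerts(txns, home="US", daily_limit=300.0, near=0.9, min_run=2):
    """Return (day, country, run_length) for each day that ends a run of at least
    min_run consecutive days of near-limit ATM withdrawals outside the home country."""
    # Total the foreign ATM cash taken per country per day.
    daily = defaultdict(float)
    for day, country, kind, amount in txns:
        if kind == "ATM" and country != home:
            daily[(country, day)] += amount
    threshold = near * daily_limit
    alerts = []
    for country, day in sorted(daily):
        # Walk backwards from this day while each day is at or near the limit.
        run, d = 0, day
        while daily.get((country, d), 0.0) >= threshold:
            run += 1
            d -= timedelta(days=1)
        if run >= min_run:
            alerts.append((day, country, run))
    return alerts

if __name__ == "__main__":
    for day, country, run in find_alerts(SAMPLE):
        print(f"ALERT {day} {country}: near-limit cash withdrawals {run} days running")
```

On the sample rows the rule stays quiet for the single withdrawal in Italy and fires on the second day of the Germany pattern, before the third withdrawal.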

On the other hand, when PINs are just 4 characters long, someone could simply guess the PIN after enough tries with enough cards (several tries each on a thousand or more cards) and then they have a money machine. The chances of someone guessing your PIN on the first try are just 1/10,000. After 10 tries, though, it’s 1/1000. How many people have been trying to guess your PIN? Does your bank ever tell you? Probably not. Your card might get inactivated with lots of bad guessing–a huge inconvenience, but better than losing everything. Check with your bank and understand their anti-fraud systems and what recourse you have against fraudulent withdrawals.

Remember, you are just 4 numbers away from disaster, and those numbers can be stolen or possibly even guessed.