ATLANTA — A Channel 2 Action News investigation has discovered the keypads at the bank teller window could tell information about you to the next person in line.
Channel 2 consumer investigator Jim Strickland put banks, and those machines, to the test undercover.
Strickland started with a Wells Fargo bank branch on Clairmont Road after a bank customer told us about what she saw displayed on one of those keypads.
A cybercrime expert found something even more troubling.
We went is with two cameras and kept them rolling as a man in a hoodie walked into the bank.
:quality(70)/arc-anglerfish-arc2-prod-cmg.s3.amazonaws.com/public/GJ4PTG4CEREEY2BSZTZUWAM2AQ.jpg)
The video shows him fiddle with the card reader at a teller window. He was there for minutes. A bank employee even walked right by him and no one said anything.
“And he’s right next to the office of the manager’s office. He walks right by him and didn’t say a thing. That’s amazing,” customer Candy Palmer-Steele said.
“How does it make you feel about the security of your bank account?” Strickland asked Palmer-Steele.
“Well I didn’t feel good to begin with, not after that happened to me,” she told Strickland.
Palmer-Steele called Channel 2 Action News after she had to alert a Wells Fargo human teller that the machine at the window was lit up with someone else's account information.
MORE 2 INVESTIGATES STORIES:
- Is legal pot a good thing? We travel to Colorado to get the real story
- 50+ horses missing across southeast after vet student ‘adopts' them
- City to open investigation into bonuses, party prizes by former Atlanta mayor
“She said, ‘Oh! That’s probably the girl that was in front of you. It’s probably her account.’ And I said, ‘Well that doesn’t really make me feel very good, because does that mean the guy behind me can see mine?’” Palmer-Steele said.
So, Strickland called the man seen in the video in the hoodie.
Cyber security contractor Willis McDonald used to work for the FBI.
McDonald said he had plenty of time to doctor the PIN pad while inside the bank.
“Yeah. It would’ve taken 5 seconds, maybe even less, to walk into the bank, place something on the device to be able to read cards or even cards inserted with the chip and PIN,” McDonald said.
We followed McDonald as he went into seven banks and one credit union using PIN terminals. Seven out of eight times, he was able to manhandle the machines, no questions asked.
“Are you surprised?” Strickland asked McDonald.
“Frankly, I am surprised. I expected to be stopped many times,” McDonald said.
Of the PIN terminal equipped institutions, only the Wells Fargo branch at Atlantic Station questioned McDonald.
The bank sent us a statement saying their PIN pads use up-to-date security and they're constantly testing new security devices. They didn't address why two branches didn't stop him.
Three Bank of America branches also let McDonald fool with their machines. That bank also didn't address why. Telling us in a statement Protecting customer information is our highest priority. During the past decade of using the Quick Service Terminals to help verify a client’s identity, we have had no security issues (or skimming devices) related to the terminals, and customer accounts remain secure.
Strickland was with McDonald checking out a Chase bank machine. Only Chase addressed the lack of attention we got.
In a statement to Channel 2 Action News, Chase said: “We train our employees to watch for unusual behavior in the branch and are disappointed with what we saw in this video.”
“If I’m a customer watching this story, should I be concerned?” Strickland asked McDonald.
“I would be concerned,” McDonald said.
Adam Marlow with Georgia’s Own Credit Union, which was the one the credit union we visited, did address the video and told Strickland their customers shouldn’t be concerned.
In fact, they told him, they were aware of the activity before Channel 2 Action News contacted them.
“We do proactively go back and periodically through audits review our security footage to see what’s going on. We did catch this instance,” Marlow said.
If someone does succeed in tampering with a device, Marlow said they’ve got that covered too.
“These devices, these card reader devices, are equipped with similar technology to our ATM machines. In the event something gets tampered with or something prevents dipping the card or sliding the card, the can be automatically disabled until we can get out there to review it,” Marlow said.
He also told Strickland they train their employees not to approach suspicious characters.
“We train our staff not to address any conspicuous or odd activity in our facilities, but rather to report it after the fact. From a safety perspective it’s just not the best for them to be addressing those situations up front,” Marlow explained.
Wells Fargo told Channel 2 Action News that the only information Palmer-Steele saw was the last four digits of the previous customer’s account and it was nothing that could be compromised.
The Georgia Bankers Association said in an email that millions of transactions take place every day and they are unaware of any tampering on any in-branch terminals and that employees may note suspicious behavior and report it without confronting the individual.
That is little comfort to Palmer-Steele. She’s prioritizing security from now on, telling Strickland that she's shopping around.
“It takes a lot of time to switch banks,” Palmer-Steele said.
“But that’s your decision?” Strickland asked.
“Yeah, that’s my decision,” Palmer-Steele said.
Cox Media Group
:quality(70)/cloudfront-us-east-1.images.arcpublishing.com/cmg/M67XNI4N7VEJ3LZEFTN5JBWP7U.png)
:quality(70)/d1hfln2sfez66z.cloudfront.net/11-05-2024/t_15e9e77f65644576b06fea6c80962c83_name_6PP_RESTAURANT_MOVED_DEK_PKG_transfer_frame_368.jpeg)
:quality(70)/cloudfront-us-east-1.images.arcpublishing.com/cmg/Q5HFEVPNU5BWJAKHVMTAK4T5XA.jpg)
:quality(70)/d1hfln2sfez66z.cloudfront.net/10-24-2024/t_b7a2665f505840a18c0063d5c421b3d6_name_5PP_POWERBALL_WINNER_BUFORD_PKG_transfer_frame_829.jpeg)
:quality(70)/cloudfront-us-east-1.images.arcpublishing.com/cmg/KACGKUFYC5GW5EB22EG7CSG5C4.JPEG)