phantom withdrawals
on-line resources for victims of ATM fraud

Frequently Asked Questions


  • What is a phantom withdrawal?
  • Am I a victim of a phantom withdrawal?
  • What are the criteria for a phantom to be documented on the website?
  • What is the purpose of this website?
  • Who runs the site, and who wrote the information contained within it?
  • Am I liable for money withdrawn using my PIN and card, even though I didn't share them?
  • Has anyone successfully recovered money from a bank after a phantom withdrawal?
  • Who should I bank with?
  • Where do I start if I want to recover my money?
  • How difficult will it be to reclaim my money?
  • How common are phantom withdrawals?
  • Who are the perpetrators of phantom withdrawals?
  • How many people have been convicted of ATM fraud?
  • Does the perpetrator have to know your PIN to withdraw money from an ATM?


  • What is a phantom withdrawal?
  • In short, a phantom withdrawal is a cash withdrawal from an ATM where money has been withdrawn, and neither the customer nor the bank admit liability.

  • Am I a victim of a phantom withdrawal?
  • If you believe money has been stolen from your account, the incident may or may not fall within our definition of a phantom withdrawal. For example, if you have been mugged and your wallet was stolen shortly after making a withdrawal, it is likely that the perpetrator observed you entering the PIN, and then attacked you to get the card. This is not considered a phantom withdrawal, and it is likely that the bank will only consider you liable for the first 50 pounds of the amount stolen. However, if your card was stolen and you are sure that there is no way your PIN could have been stolen or observed by the thief, and yet an ATM withdrawal is still made, this would likely qualify. In other cases, phantom withdrawals may occur whilst the card is in your possession.

  • What are the criteria for a phantom to be documented on the website?
  • Although the resources on this site may be applicable to a whole range of fraud victims, the site has been designed to highlight a particular type of fraud where the method that the attacker used to discover the victim's PIN is unknown. Our criteria for a phantom withdrawal are as follows:

    • Money must have been stolen from a credit or debit card account with a PIN number issued
    • The theft must have been reported to the police, or to the bank in writing
    • The PIN must not have been written down, had an easily guessable value, or been coincidentally the same as a number written down on or near the card

    At the moment, the maintainer of the site has limited time available to continue processing and documenting cases. The process is greatly speeded up if the information about the withdrawal can be provided in a form matching the template case which is at the bottom of the Documented Phantom Withdrawals page. However please try and provide the following detailed information in addition, as it assists the maintainer in verifying the authenticity of the dispute:

    • The dates, times, amounts, ATM locations and affiliated bank of each phantom withdrawal made
    • The location of all the registered cards and cardholders at the time of each withdrawal
    • A copy of some correspondence reporting the dispute to the bank or police

    The more information you provide us with the better the case can be understood and documented. We restrict what information we display on the website, and you can remain anonymous if you wish. However, additional information is very useful to the authors of the site in compiling a better understanding of phantom withdrawals, and under certain conditions it might be useful to pass it on to other people who are in a similar situation to you. Should this situation arise, your permission would be sought first.

    Please be aware that the processes of documenting the withdrawals and providing informal advice are quite separate -- the former hopefully providing a valuable long term resource for everyone, and the latter being of short-term importance. The maintainer is glad to help in either circumstance but is subject to time constraints. A telephone call during office hours (see the Contact Information page) is more likely to yield a prompt response to advice requests than an email.


  • What is the purpose of this website?
  • This website is designed to better inform victims of phantom withdrawals of the options available to them for reclaiming their money, provide resources to help them argue their cases competently, and to encourage a better established and fairer procedure for resolving such disputes.

    In particular the site includes information questioning the security of ATM networks. This information is not intended to undermine faith in ATM security in all cases, but to force banks to argue the case for their ATM security using the specifics of their system, rather than appealing to general arguments that claim perfect security for the whole infrastructure.

  • Who runs the site, and who wrote the information contained within it?
  • The site is run by Mike Bond, a computer security researcher at the Computer Laboratory of the University of Cambridge, UK. His work is in the analysis of security APIs (application programmer interfaces) and tamper-resistant computer hardware, and as such he has much experience of bank and ATM fraud history and methods. He can be contacted at Mike.Bond@cl.cam.ac.uk

  • Am I liable for money withdrawn using my PIN and card, even though I didn't share them?
  • Most bank contracts state that the customer will not be liable for withdrawals made after he has reported the theft, loss, or possible divulgence of the PIN to his bank. A small liability for the first 50 pounds or so of the sum stolen may be imposed. Contracts often do not explicitly state the extent of the customer's liability in cases where the customer can prove that neither he nor an accomplice could have made the withdrawal. The liability issue is further muddied in the common case when the customer cannot perform this difficult proof.

  • Has anyone successfully recovered money from a bank after a phantom withdrawal?
  • Yes, people have recovered money both through appeal to the bank and legal action. Visit the Documented Phantom Withdrawals section of the site, and look at the withdrawals that are categorised as "resolved".

  • Who should I bank with?
  • Weigh up the risks you are taking by choosing a particular bank, and other factors such as services offered or ethics of investment. It would be of long term benefit to all for customers to choose banks which can demonstrate their security and thus trustworthiness most effectively. Unfortunately nearly all banks provide no objective information on their security systems which can be used to make a balanced judgement on where your money is safest. In light of this, if you want to maximise the security of your money, go with the bank with the best customer service record.

  • How can I keep my money safe?
  • Tentative advice is to split your money across several banks or accounts, keep your credit limits low, and have enough in a shoebox to stay in a hotel for a few days or travel to some relatives. (It has been pointed out to me that strictly speaking, if you want to minimise the chance of losing any money at all, then splitting your money across multiple accounts could increase the chance that one is randomly chosen by an attacker. But it would reduce the maximum amount the attacker could steal from the account attacked.)

  • Where do I start if I want to recover my money?
  • Start by talking to your bank: neither you nor they want to get embroiled in a lengthy dispute, and even less to go to court. But be prepared for the worst from the first day. Much important evidence for arguing your case later on during a dispute may be lost if you do not act quickly; for instance, CCTV footage will not be kept indefinitely. If the amount of money you have lost has a serious impact on your financial situation, you should contact a lawyer straight away.

  • How difficult will it be to reclaim my money?
  • It depends upon how much money you have lost, how you approach the bank, and crucially - luck. Some banks have refunded money with little question upon complaint, some have immediately denied responsibility, and some have even changed their minds, and reinstated transactions which they previously refunded without question. Have a read of the Documented Phantom Withdrawal cases to get an idea of the range of experiences that customers have had.

  • How common are phantom withdrawals?
  • One of the purposes of this website is to get a better idea of the answer to this question. There was a wave of this sort of fraud in the early nineties; after that, few if any phantom withdrawal cases attracted significant attention until the last few years, when phantom withdrawals began to rise again. There is a counter on the front page of this site, which lists the total number of documented phantom withdrawals.

  • Who are the perpetrators of phantom withdrawals?
  • Three explanations seem immediately plausible for any phantom withdrawal. The first is that the customer is attempting a fraud against the bank, by falsely disputing some transactions actually made. The second possibility is that a criminal or organised gang has managed to collect both the customer's magnetic stripe information and her PIN. However, when we classify phantom withdrawals, we ensure that no criminal method already known to us could explain the withdrawals. The third (and most controversial) possibility is that the withdrawal was made in co-operation with an insider at the bank with access to customer account and PIN information.

  • How many people have been convicted of ATM fraud?
  • At least 1 in the UK. Many more have been convicted internationally, and ATM fraud severely damages bank revenue streams in developing countries. There are no recorded convictions for insider ATM fraud, but banks rarely prosecute.

  • Does the perpetrator have to know your PIN to withdraw money from an ATM?
  • Once you begin to question the infallibility of bank computer systems, a whole range of explanations move from impossibility to possibility. A bank insider might simply be able to return positive authorisations to an ATM to permit cash withdrawal no matter what PIN was entered. It is conceivable that an actual ATM withdrawal was never made corresponding to the recorded debit of a particular account.

    However, "possible" does not mean "probable", and nearly all plausible attack scenarios involve PIN recovery, rather than intricate hacking of the mainframe software surrounding the ATM infrastructure. So, no, the perpetrator doesn't have to know your PIN, but in all likelihood he did.