Frequently Asked Questions
In short, a phantom withdrawal is a cash withdrawal from an ATM where money has been withdrawn, and neither the customer nor the bank admit liability.
If you believe money has been stolen from your account, the incident may or may not fall within our definition of a phantom withdrawal. For example, if you have been mugged and your wallet was stolen shortly after making a withdrawal, it is likely that the perpetrator observed you entering the PIN, and then attacked to you get the card. This is not considered a phantom withdrawal, and it is likely that the bank will only consider you liable for the first 50 pounds of the amount stolen. However, if your card was stolen and you are sure that there is no way your PIN could have been stolen or observed by the thief, and yet an ATM withdrawal is still made, this would likely qualify. In other cases, phantom withdrawals may occurr whilst the card is in your possession.
Although the resources on this site may be applicable to a whole range of fraud victims, the site has been designed to highlight a particular type of fraud where the method that the attacker used to discover the victim's PIN is unknown. Our criteria for a phantom withdrawal are as follows:
At the moment, the maintainer of the site has limited time available to continue processing and documenting cases. The process is greatly speeded up if the information about the withdrawal can be provided in a form matching the template case which is at the bottom of the Documented Phantom Withdrawals page. However please try and provide the following detailed information in addition, as it assists the maintainer in verifying the authenticity of the dispute:
The more information you provide us with the better the case can be understood and documented. We restrict what information we display on the website, and you can remain anonymous if you wish. However, additional information is very useful to the authors of the site in compiling a better understanding of phantom withdrawals, and under certain conditions it might be useful to pass it on to other people who are in a similar situation to you. Should this situation arise, your permission would be sought first.
Please be aware that the processes of documenting the withdrawals and providing informal advice are quite separate -- the former hopefully providing a valuable long term resource for everyone, and the latter being of short-term importance. The maintainer is glad to help in either circumstance but is subject to time constraints. A telephone call during office hours (see the Contact Information page) is more likely to yield a promt response to advice requests than an email.
This website is designed to better inform victims of phantom withdrawals of the options available to them for reclaiming their money, provide resources to help them argue their cases competently, and to encourage a better established and fairer procedure for resolving such disputes.
In particular the site includes information questioning the security of ATM networks. This information is not intended to undermine faith in ATM security in all cases, but to force banks to argue the case for their ATM security in using the specifics of their system, rather than appealing to general arguments, claiming perfect security for the whole infrastructure.
The site is run by Mike Bond, a computer security researcher at the Computer Laboratory of the University of Cambridge, UK. His work is in the analysis of security APIs (application programmer interfaces) and tamper-resistant computer hardware, and as such he has much experience of bank and ATM fraud history and methods. He can be contacted at Mike.Bond@cl.cam.ac.uk
Most bank contracts state that the customer will not be liable for withdrawals made after he has reported the theft, loss, or possible divulgence of the PIN to his bank. A small liability for the first 50 pounds or so of the sum stolen may be imposed. Contracts often do not explicitly state the extent of the customer's liability in cases where the customer can prove that neither he nor an accomplice could have made the withdrawal. The liability issue is further muddied in the common case when the customer cannot perform this difficult proof.
Yes, people have recovered money both through appeal to the bank and legal action. Visit the Documented Phantoms Withdrawals section of the site, and look at the withdrawals that are categorised as "resolved".
Weigh up the risks you are taking by choosing a particular bank, and other factors such as services offered or ethics of investment. It would be of long term benefit to all for customers to choose banks which can demonstrate their security and thus trustworthiness most effectively. Unfortunately nearly all banks provide no objective information on their security systems which can be used to make a balanced judgement on where your money is safest. In light of this, if you want to maximise the security of your money, go with the bank with the best customer service record.
Tentative advice is to split your money across several banks or accounts, keep your credit limits low, and have enough in a shoebox to stay in a hotel for a few days or travel to some relatives. (It has been pointed out to me that strictly speaking, if you want to minimise the chance of losing any money at all, then splitting your money across multiple accounts could increase the chance that one is randomly chosen by an attacker. But it would reduce the maximum amount the attacker could steal from the account attacked)
Start by talking to your bank, neither you nor they want to get embroiled in a lengthy dispute, and even less go to court. But be prepared for the worst from the first day. Much important evidence in arguing your case later on during a dispute may be lost if you do not act quickly- for instance, CCTV footage will not be kept indefinitely. If the amount of money you have lost has a serious impact on your financial situation, you should contact a lawyer straight away.
It depends upon how much money you have lost, how you approach the bank, and crucially - luck. Some banks have refunded money with little question upon complaint, some have immediately denied responsibility, and some have even changed their minds, and reinstated transactions which they previously refunded without question. Have a read of the Documented Phantom Withdrawal cases to get an idea of the range of experiences that customers have had.
One of the purposes of this website is to get a better idea of the answer to this question. There was a wave of this sort of fraud in the early nineties, and few if any phantom withdrawal cases have attracted significant attention until, within the last few years, phantom withdrawals have gone on the rise again. There is a counter on the front page of this site, which lists the total number of documented phantom withdrawals.
Three explanations seem immediately plausible to explain any phantom withdrawal. The first is that the customer is attempting a fraud against the bank, buy falsely disputing some transactions actually made. The second possibility is that a criminal or organised gang has managed to collect both the customer's magnetic stripe information, and her PIN. However, when we classify phantom withdrawals, we ensure that no criminal method already known to us could explain the withdrawals. The third (and most controversial) possibility is that the withdrawal was made in co-operation with an insider at the bank with access to customer account and PIN information.
At least 1 in the UK. Many more have been convicted internationally, and ATM fraud severely damages bank revenue streams in developing countries. There are no recorded convictions for insider ATM fraud, but banks rarely prosecute.
Once you begin to question the infalliability of bank computer systems, a whole range of explanations move from impossibility to possibility. A bank insider might simply be able to return positive authorisations to an ATM to permit cash withdrawal no matter what PIN was entered. It is conceivable that an actual ATM withdrawal was never made corresponding to the recorded debit of a particular account.
However, "possible" does not mean "probable" and nearly all plausible attack scenarios involve PIN recovery, rather than intricate hacking of the mainframe software surrounding the ATM infrastructure. So - no the perpetrator doesn't have to know your PIN, but in all likelyhood he did.