New York Times
August 3, 2003
Criminals Focus on Weak Link in Banking: A.T.M. Network

He fenced stolen jewels, committed bank and credit-card fraud and had been accused of having links to an Albanian-Yugoslavian criminal gang. Cloaking himself in nine aliases and Armani jackets, he was a smooth, multilingual master of the con, investigators and people who knew him say.
His name is Iljmija Frljuckic, and by all accounts, he had no business being around anybody else's money.

Yet after being deported in the late 1990's, he slipped back into the United States and set up shop as a banker, not in a marble lobby under the watchful eyes of auditors and regulators, but in the virtually unregulated world of privately owned automated teller machines.

To tap into this electronic network, Mr. Frljuckic (pronounced Furl-YOU-kich) did not have to produce so much as a valid driver's license. After buying these machines — the kind commonly found in convenience stores, delicatessens and other retail outlets — he and his associates installed devices that captured, or "skimmed," personal bank account information from at least 21,000 people, prosecutors say. They used that information in 2001 and early 2002 to make fake A.T.M. cards, then stole at least $3.5 million, mostly from A.T.M.'s in New York City, according to the latest federal charges filed about two months ago in Manhattan.

Before Mr. Frljuckic came along, small-time crooks had made crude forays into A.T.M. fraud. But in its size and technical sophistication, investigators say, the Frljuckic case is a con of an entirely different order — a new turn on identity theft, a jolting warning of the vulnerability of an A.T.M. system that has exploded in size in the last few years.

No one can say precisely how much is lost through A.T.M.-related crimes. In fact, no government agency knows how many cash machines are operating, where they all are or who owns them. Though banks are reluctant to discuss their losses, they say there is no cause for alarm. But from Canada to Malaysia to the United Arab Emirates, investigators report new assaults on A.T.M.'s.

The criminals, both foreign and homegrown, include gangs, embezzlers and, on occasion, money launderers, according to investigators and public records. And while A.T.M. industry officials say the Frljuckic case shocked them into tougher self-policing of privately owned machines, they also confess that the thieves are remarkably resourceful, shifting their attention now to bank-owned machines. In recent months, skimming devices have been attached to bank machines around Boston and Chicago.

"A.T.M.'s have been viewed as a weak point in the banking chain — and so the criminals have focused on that," said Tom Harper, president of the A.T.M. Industry Association, the leading trade group.

The global wiring of banks to A.T.M.'s means consumers can gain instant access to their money around the world. But with the government monitoring only part of this electronic network, a thief using cheap equipment and a little imagination can steal someone's banking identity in Manhattan and within hours withdraw money from that person's account at a cash machine in Europe.

A.T.M. crime may also be a national security issue. Federal officials are investigating incidents in which suspected terrorists may have used the machines to fraudulently generate income, says Dennis Lormel, chief of the terrorist financing operations section of the Federal Bureau of Investigation.

Banks are supposed to reimburse victims of A.T.M. theft. But unlike credit card fraud, in which banks are stuck with bills for unauthorized purchases, A.T.M. thefts take cash from consumers, who may bear the burden of proving that withdrawals were unauthorized.

Kelly Quick of Studio City, Calif., said that when he reported $1,420 missing from his account early this year, his bank did not believe him. "They basically said that since I didn't give out my PIN number, it had to have been me," Mr. Quick said. Similarly, Mark Evans of Los Angeles said his bank was "basically accusing me of stealing the money." Both men say getting their money back involved a fight.

Complaints like these prompted the comptroller of the currency in September 2001 to warn banks of their obligation to make A.T.M. victims whole.

"Unfortunately there are people who say they have been defrauded when they have not," said John Hall, a spokesman for the American Bankers Association. As banks learn more about A.T.M. fraud, he said, they are getting better at helping customers.

A.T.M.'s have been around for decades, but became ubiquitous on the American landscape in 1996, when new surcharges on withdrawals made it possible for private entrepreneurs to profit by owning machines. Since then, the number of machines, which cost as little as $3,000, has tripled, to an estimated 370,000, fueling the growth of companies that sell and service them.

This growth, in turn, has spawned criminal activity that goes beyond just the skimming of bank account numbers. Embezzlements in recent years have involved companies that supply cash to the expanded A.T.M. market, including a New Jersey company, Tri-State Armored Services, where $50 million turned up missing. By contrast, the biggest bank robbery in the last 25 years, according to federal statistics, involved $11 million.

Banks call credit-card and check fraud a much bigger problem. Besides, they say, rare cases of A.T.M. fraud are a small price to pay for convenient cash. But banks are not eager to publicize breaches of A.T.M. security.

"They don't want to give people ideas," said Nessa Feddis, a lawyer with the American Bankers Association.

Another reason, some financial experts say, is that banks do not want to undermine confidence in a system that cuts their overhead while making them billions in fees, collected when their customers use private A.T.M.'s or machines owned by other banks. Several large banks also own parts of a network that connects the machines and financial institutions.

"These fees are cash cows for the banks," said Edmund Mierzwinski, of the U.S. Public Interest Research Group in Washington.

A former president of a Federal Reserve bank said: "You write your story and they will hate it because it will say, `Be careful where you stick your card.' "

4,000 Accounts Vulnerable

The nation's biggest A.T.M. fraud began in late 2000 with trial runs in California, Florida and New York. At 13 sites, thieves started installing machines rigged internally to capture bank data and personal identification numbers.

They were in no hurry; the longer they waited, the more account numbers they could steal. In four months, with just the dozen or so machines, they had the electronic keys to 4,000 accounts, fraud investigators say.

Only when the gang began siphoning money did banks and customers realize they had been scammed. By the time the rigged machines had been identified, they had vanished, along with their owners and tens of thousands of dollars.

By the end of June 2001, banks had identified the compromised cards and electronically blocked them.

"They covered their tracks throughout the process," said Michael Urban, who works for a division of Fair Isaac, a company that helps financial institutions detect electronic fraud. "We didn't know anything other than they had good PIN's, good cards."

Investigators say the machines were bought in the names Michael Dokovich and Michael Bugatti, who turned out to be the same man: Iljmija Frljuckic.

He is believed to have first entered the country in 1981. By the early 1990's, federal authorities had linked him to "an Albanian/Yugoslavian organized crime gang." The government wrote in court papers that the group "is believed responsible for a host of serious crimes, including arson, insurance fraud, bank fraud, large-scale mail theft, drug trafficking and sophisticated jewelry heists."

Mr. Frljuckic married the daughter of a Florida law enforcement official in January 1994, telling her that he was Michael Illyriani, an international businessman, court records show. He did not say he was facing federal bank fraud charges, filed in 1992, and was out of jail only because, hoping for a plea bargain, he had agreed to inform against the Albanian gang.

Actually, officials say, he was conning the government, too. While he helped on a few minor investigations, prosecutors say he provided "absolutely no assistance" in exposing the gang. Then, before the first case was settled, he was arrested in a new bank fraud.

After his release from federal prison in June 1996, a judge ordered him deported to Yugoslavia. But he soon returned to the United States, and by then the A.T.M. system had opened its doors to private entrepreneurs.