A Lebanese loop is a device used by to commit fraud and identity theft by exploiting automated teller machines (ATMs). In its simplest form, it is a strip or sleeve of metal or plastic which blocks the ATM's card slot, causing any inserted card to be apparently retained by the machine, allowing it to be retrieved by the fraudster when the card holder leaves.
Its name comes from its regular use amongst Lebanese financial crime perpetrators, although it has since spread to other international criminal groups. The scam has been reported in countries with high numbers of ATMs such as the UK, the United States, Germany  and France. Romanian criminal gangs are known to have involvement in the execution of this and other fraud techniques. The Lebanese loop is becoming one of the simplest and most widespread forms of ATM fraud.
The term “Lebanese loop” is applied to any number of similar devices that are used to perpetrate ATM fraud by retaining the user's card. In their simplest form, Lebanese loops consist of a strip or sleeve of metal or plastic (even something as simple as a strip of video cassette tape) that is inserted into the ATM's card slot. Lebanese Loop devices are relatively simple to construct, requiring less technical skill than a card skimming technique.
When the victim inserts their ATM card, the loop is long enough for the card to be fully drawn into the machine and read. The victim then enters their PIN as normal, and requests the funds. The ATM then tries to eject the card, but a "lip" folded at the end of the loop prevents the card from being ejected. The machine senses that the card has not been ejected, and draws the card back into the machine. The cash drawer does not open, and the money that has been counted is retained by the machine. In most cases, the victim's account is not debited. The victim believes the machine has malfunctioned or genuinely retained their card.
In a typical scam, the perpetrator will obtain the victim's PIN either by watching them enter it the first time (shoulder surfing), or by approaching the victim under the pretense of offering help and suggesting they re-enter their PIN (and again, watching them do so). More sophisticated variants of the Lebanese loop scam have developed. In some cases, the fraudsters attach a small camera to the ATM to record the victim entering their PIN. The video from this camera is then transmitted to the fraudsters, who may be waiting near the machine and viewing the video on a laptop computer, meaning they need not approach the victim directly. There have been cases where a fake keypad is fitted to the machine over the top of the real one, and this records the PINs entered.
Once the victim has left the area, the perpetrator retrieves the loop and the trapped card, and uses it, along with the stolen PIN, to withdraw cash from the victim's account.
Since the Lebanese Loop is only able to capture one card at a time and the card holder will usually react quickly to the loss of the card, the technique must be widely deployed to net a useful number of cards in a short amount of time. This may require a large workforce to accomplish the task.
ATM manufacturers have resorted to several methods to counteract the Lebanese Loop, generally consisting of adding various sensing mechanisms to the card readers. Various network activity profiling processes can be applied to attempt to detect this activity. Often ATM vestibules have video surveillance equipment installed in them, which can make identification of the perpetrator and method easier.
ATM industry groups counsel cardholders to take precautions when entering their PIN into any device. Customers are also advised to avoid an ATM if strangers are standing next to it (especially if they do not move after being asked), be careful of ATMs which appear out of the ordinary (such as having unusual instructions attached), to never enter a PIN number more than twice (to prevent the card from being retained by the machine), and to ignore advice from "helpful" strangers who may approach when they see a customer is having difficulty.
Other forms of card fraud
Other variants of fraud may use a “skimming” technique, where an electronic device is fitted over the ATM's card slot and which reads the information encoded into the magnetic strip on the back of the victim's card as it is inserted. This variant does not require the card to be retained; the transaction runs normally, and the data recorded from the original card is copied to another blank magnetic stripe card, which is then used to withdraw cash.
At their most sophisticated, scams can involve the construction and installation of fake fascias built to fit particular ATMs or other card reading devices. These false fronts can house any of the above devices to gather data from the user and allow the perpetrators to acquire or clone cards and their associated PINs. These fakes can often be indistinguishable from unmodified devices to the untrained eye.
- Schreiber, Barry. ATM Security Forecast at Forefront of 1996 Plans. EFT Report, vol. 19 issue 2, Jan 18 1996
- Summers, Chris; Toyne, Sarah (2003-10-09). "BBC News - Gangs preying on cash machines". Retrieved 2006-07-21.
- ATM Security | Landscaper admits to Lebanese loop scam at ATMs in 4 states and D.C. | ATM Marketplace
- TU Berlin - Hoax-Info - Extra-Blatt: Ausspionieren von EC-Karten-Daten
- Google cache of Detroit Free Press article
- Nettleton, Philip. Lebanese loop is new cashpoint con. Evening Standard (London), Feb 5 2001 
- Fraud fight gets more proactive at ATMs | ATM Marketplace
- SiliconRepublic.com: Attack of the clones
- Lebanese Loop at Snopes.com.