Re: What? No Velocity check?
Someone raises this every time a card-cloning scam comes up, and it's an example of the classic security research vs security in the real world clash.
Yes, you could check every transaction against a central database of past transactions and check if they're sane, but the problem is this would be really, really slow. Really slow. Remember most ATMs are lucky to have anything faster than dial-up on board. Checking the validity of a card and its transaction limit is relatively simple; asking a server to do a lat/lon sanity calculation every time someone connects isn't. It takes time.
As a result, while dozens of these "Do these transactions make sense?" calculations take place, they usually take place after the fact, as anyone who's had their card cloned knows. The trick, and it's probably the trick used here, is to use the cloned cards in a synchronised manner, to not give the system time to respond. Pick ATMs you know to be particularly slow, get your gang of ill-intentioned ruffians to spread out amongst them and hit them for everything they've got all at the same time. The transaction system will do what it was designed to do - complete the transaction, and they'll be off with the cash long, long before any security system catches up.
Putting the security up-front would slow down the process immensely, almost certainly costing banks a hell of a lot more than they lose from once-in-a-blue-moon card cloning scams.
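The after-the-fact "do these transactions make sense?" check the comment above describes, sketched as an added example that is not part of the original post and not any bank's code: a batch job that flags consecutive uses of one card whose ATM locations imply impossible travel, including synchronised uses with zero elapsed time. The function names, the 900 km/h ceiling, the 1 km floor and the sample records are all assumptions constructed for illustration.

```python
"""Post-hoc velocity check: flag same-card withdrawals implying impossible travel."""
from collections import defaultdict
from math import asin, cos, radians, sin, sqrt

MAX_KMH = 900.0  # assumed ceiling, roughly airliner cruising speed
MIN_KM = 1.0     # assumed floor: ignore pairs at effectively the same site

# Constructed sample batch: (card_id, epoch_seconds, atm_lat, atm_lon)
SAMPLE = [
    ("card-A", 1_700_000_000, 51.5074, -0.1278),   # London
    ("card-A", 1_700_000_060, 40.7128, -74.0060),  # New York, 60 s later
    ("card-A", 1_700_000_060, 35.6762, 139.6503),  # Tokyo, same second
    ("card-B", 1_700_000_000, 51.5074, -0.1278),   # London
    ("card-B", 1_700_007_200, 53.4808, -2.2426),   # Manchester, 2 h later
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km on a sphere of radius 6371 km."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def impossible_travel(transactions, max_kmh=MAX_KMH):
    """Return (card, ts1, ts2, km) for consecutive uses no traveller could make."""
    by_card = defaultdict(list)
    for card, ts, lat, lon in transactions:
        by_card[card].append((ts, lat, lon))
    alerts = []
    for card, rows in by_card.items():
        rows.sort()  # order each card's uses by timestamp
        for (t1, la1, lo1), (t2, la2, lo2) in zip(rows, rows[1:]):
            km = haversine_km(la1, lo1, la2, lo2)
            hours = (t2 - t1) / 3600.0
            # Synchronised use gives hours == 0, so compare the distance with
            # max_kmh * hours instead of dividing by the elapsed time.
            if km > MIN_KM and km > max_kmh * hours:
                alerts.append((card, t1, t2, round(km)))
    return alerts

if __name__ == "__main__":
    for alert in impossible_travel(SAMPLE):
        print(alert)
```

Because it only compares consecutive uses per card, the job is cheap to run over a settled batch, which is the trade-off the comment describes: it detects the pattern after the cash has gone rather than blocking it at the ATM.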