Would you trust this ATM?
Fake cash-machines are an increasing problem around the UK. Criminals attach all sorts of machinery - including fake fronts - to ATMs with the aim of stealing cash or card details.
Wandering around Oxford yesterday, I noticed this sign attached to a bank's ATM:
"This ATM is running slow and may take a while to return your card. Please be patient while we try to resolve this issue. Thanks. TSB Oxford."
Let's count all the ways this is problematic.
Appearance
This is literally sticky-taped to the front of the machine. It isn't aligned. It is spelled correctly. But it looks sloppy and amateur. A criminal could have easily taped this to the front of the ATM to discourage people from complaining to the branch.
Authenticity
What could the bank do to make the sign look more authentic?
If this was the bank's handiwork, they could have printed the bank's logo. Or a phone number if people have questions.
Perhaps they could have added more information, or directed people to another cash-point, or had the bank manager sign the notice.
Validity
But, of course, a criminal could do all those things too! Colour printers are cheap, as are disposable phone numbers.
There's very little a user can do to immediately check the validity of the message. All they can hope for is that, if it were fake, staff would have spotted it and torn it down.
Verification
While the bank is open, it's trivial to enter the bank and ask the staff if the message is genuine.
When the bank is closed... Well, you can wait an indeterminate period on hold, only to be told by an off-shore call-centre that they don't have any knowledge of what's happening in local branches.
Accessibility
Visually impaired users will not be able to read this message. Short people may not see it. It's just polite to make an important message available to everyone.
Integration
Could this message be placed on the ATM's screen - rather than the regular rotation of adverts? From my experience working with banks, the ATMs are usually managed centrally - and are built on a fragile technology stack. That means banks are reluctant to change what's displayed on them.
Even if they did, people suffer from Notification Blindness - the fact that we're constantly visually assaulted by messages means that informational messages get lost in the noise.
Trust but verify?
One of the central problems of modern life is how to verify that something is trustworthy.
Whether it is a news report, a door-to-door seller, a new acquaintance - our social structures are just not set up for a distributed trust model.
A determined criminal can forge an identity card well enough that most people will not be able to spot that it is a fake - not without extensive experience and expensive equipment.
There's also the social pressure - it seems rude to ask someone to wait while you verify their identity. In the case of this ATM, do you want to go inside the bank and insult their sign - and then be forever known as "the jerk who thought the sign was dodgy"?
We can imagine a future where a sign like that had a code on it that your phone could read, which would lead you to a cryptographically signed message - verified by a trust-agent - that you could use to assure yourself that this was a genuine sign.
But, based on my observations of the ATM, most people wouldn't even bother to glance at the sign.
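The signed-notice idea sketched above, as an added example that is not from the original post or from any bank: a trust agent signs the notice with an Ed25519 key, the code on the sign carries the notice plus signature, and the phone checks it against the agent's public key it already holds. The Notice schema, the SignNotice/VerifyNotice names and the branch and ATM values are all hypothetical, constructed for this example. It goes a little beyond the text by showing the three failure cases a verifier has to reject, not just the happy path.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Notice is what a branch wants to display next to an ATM (hypothetical schema).
type Notice struct {
	Branch  string `json:"branch"`
	ATM     string `json:"atm"`
	Text    string `json:"text"`
	Expires int64  `json:"expires"` // unix seconds: a taped-up notice should not stay valid forever
}

var b64 = base64.RawURLEncoding

// SignNotice is the trust agent's side. It returns the payload the code on the sign would carry:
// base64url(JSON notice) + "." + base64url(Ed25519 signature over those JSON bytes).
func SignNotice(priv ed25519.PrivateKey, n Notice) (string, error) {
	body, err := json.Marshal(n)
	if err != nil {
		return "", err
	}
	return b64.EncodeToString(body) + "." + b64.EncodeToString(ed25519.Sign(priv, body)), nil
}

// VerifyNotice is the phone's side. It trusts only the public key it already holds for the
// agent, so a code (or URL) printed by anyone else gets nothing past this check.
func VerifyNotice(pub ed25519.PublicKey, payload string, now time.Time) (Notice, error) {
	var n Notice
	parts := strings.SplitN(payload, ".", 2)
	if len(parts) != 2 {
		return n, errors.New("malformed payload")
	}
	body, err := b64.DecodeString(parts[0])
	if err != nil {
		return n, errors.New("undecodable notice body")
	}
	sig, err := b64.DecodeString(parts[1])
	if err != nil {
		return n, errors.New("undecodable signature")
	}
	// Verify before parsing, so unsigned bytes never reach the JSON decoder.
	if !ed25519.Verify(pub, body, sig) {
		return n, errors.New("signature does not verify: not issued by the trust agent")
	}
	if err := json.Unmarshal(body, &n); err != nil {
		return n, err
	}
	if now.Unix() > n.Expires {
		return n, errors.New("notice has expired")
	}
	return n, nil
}

// DemoResult records the outcome of the four cases Demo walks through.
type DemoResult struct {
	GenuineAccepted  bool // real notice, trusted key, in date
	AlteredRejected  bool // body changed after signing, original signature kept
	ExpiredRejected  bool // real notice checked after its expiry time
	WrongKeyRejected bool // real notice checked against a key the phone does not trust
}

// Demo runs the scenario end to end with a freshly generated agent key and constructed sample data.
func Demo() (DemoResult, error) {
	var r DemoResult
	agentPub, agentPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return r, err
	}
	now := time.Unix(1_700_000_000, 0) // fixed clock so the run is reproducible
	genuine := Notice{Branch: "Example Branch", ATM: "ATM-01", // constructed sample values
		Text: "This ATM is running slow and may take a while to return your card.", Expires: now.Unix() + 4*3600}
	payload, err := SignNotice(agentPriv, genuine)
	if err != nil {
		return r, err
	}
	got, err := VerifyNotice(agentPub, payload, now)
	r.GenuineAccepted = err == nil && got == genuine

	altered := genuine // same signature, different body: must fail
	altered.Text = "Out of order, please use the cash-point around the corner."
	alteredBody, _ := json.Marshal(altered)
	forged := b64.EncodeToString(alteredBody) + "." + strings.SplitN(payload, ".", 2)[1]
	_, err = VerifyNotice(agentPub, forged, now)
	r.AlteredRejected = err != nil

	_, err = VerifyNotice(agentPub, payload, now.Add(5*time.Hour))
	r.ExpiredRejected = err != nil

	otherPub, _, _ := ed25519.GenerateKey(rand.Reader) // some other signer's key
	_, err = VerifyNotice(otherPub, payload, now)
	r.WrongKeyRejected = err != nil
	return r, nil
}

func main() {
	r, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

The part that does the real work is the key the phone holds before it ever scans anything: if the code merely linked to a web page, the check would collapse back to "do I trust whoever printed this sticker", which is exactly the problem the post describes. The expiry field matters for the same reason a paper sign does: nobody remembers to take them down.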
Andrew McGlashan says:
Here in AU, there is absolutely no need to use an ATM -- but there are still plenty around. If I need cash, then I do cash out at a major supermarket checkout where security is significantly better. Besides, ATM stands for "Accessory To Mugging/ or murder".
What is worse these days is the damage that can be done with a simple PayWave card -- my bank won't issue any cards without this "feature", but I think that is a serious personal security problem; a bad guy can mug 5 or 10 people in quick time and use the many cards they'll have on hand for quite a few thousands of dollars transactions before the banks will shut them down. I personally think PayWave should be banned; it benefits the banks and retailers for fast money, so of course they love it.
Hugh says:
I don’t really see how contactless fraud benefits the banks? Here in the UK Contactless without CVM is limited to £30 (and many POSs limit CDCVM txns to £30 anyway) and banks are legally required to compensate customers for card fraud within 24 hours. All that aside, Contactless fraud is still very low when compared to other types of fraud like PAN Manual Entry. It is significantly safer and easier for criminals to get hold of card details and then sell them on for someone to punch the digits into a card terminal. You don’t have to steal the physical card then…
Andrew McGlashan says:
The retailers take the risk, not the banks; I was told [at my bank] that retailers get lower fees because they take the risks, but they've got cameras everywhere and the chance of fraudulent transactions being prosecuted is higher, but it is still less of an issue than the sales they've achieved and the lesser fees /might/ be enough to make up for the fraud.