Fake cash-machines are an increasing problem around the UK. Criminals attach all sorts of machinery – including fake fronts – to ATMs with the aim of stealing cash or card details.
Wandering around Oxford yesterday, I noticed this sign attached to a bank’s ATM:
“This ATM is running slow and may take a while to return your card. Please be patient while we try to resolve this issue. Thanks. TSB Oxford.”
Let’s count all the ways this is problematic.
This is literally sticky-taped to the front of the machine. It isn’t aligned. It is spelled correctly. But it looks sloppy and amateur. A criminal could have easily taped this to the front of the ATM to discourage people from complaining to the branch.
What could the bank do to make the sign look more authentic?
If this were the bank’s handiwork, they could have printed the bank’s logo, or a phone number in case people have questions.
Perhaps they could have added more information, or directed people to another cash-point, or had the bank manager sign the notice.
But, of course, a criminal could do all those things too! Colour printers are cheap, as are disposable phone numbers.
There’s very little a user can do to immediately check the validity of the message. All they can hope for is that, if it were fake, staff would have spotted it and torn it down.
While the bank is open, it’s trivial to enter the bank and ask the staff if the message is genuine.
When the bank is closed… Well, you can wait an indeterminate period on hold, only to be told by an off-shore call-centre that they don’t have any knowledge of what’s happening in local branches.
Visually impaired users will not be able to read this message. Short people may not see it. It’s just polite to make an important message available to everyone.
Could this message be placed on the ATM’s screen – rather than the regular rotation of adverts? From my experience working with banks, the ATMs are usually managed centrally – and are built on a fragile technology stack. That means banks are reluctant to change what’s displayed on them.
Even if they did, people suffer from Notification Blindness – the fact that we’re constantly visually assaulted by messages means that informational messages get lost in the noise.
Trust but verify?
One of the central problems of modern life is how to verify that something is trustworthy.
Whether it is a news report, a door-to-door seller, a new acquaintance – our social structures are just not set up for a distributed trust model.
A determined criminal can forge an identity card well enough that most people will not be able to spot that it is a fake – not without extensive experience and expensive equipment.
There’s also the social pressure – it seems rude to ask someone to wait while you verify their identity. In the case of this ATM, do you want to go inside the bank and insult their sign – and then be forever known as “the jerk who thought the sign was dodgy”?
We can imagine a future where a sign like that had a code on it that your phone could read, which would lead you to a cryptographically signed message – verified by a trust-agent – that you could use to assure yourself that this was a genuine sign.
But, based on my observations of the ATM, most people wouldn’t even bother to glance at the sign.
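To make the signed-sign idea above concrete, here is a sketch of what the phone-side check would have to cover. It is an added example, not part of the original post and not any bank's real scheme. It assumes Ed25519 signatures, a trust-agent public key already pinned on the phone, and an ID printed on the ATM; the function names, field names, IDs and dates are all hypothetical.

```javascript
// Added example: all names, IDs, dates and keys below are constructed.
const nodeCrypto = require('crypto');

// Stand-in for the trust-agent's signing key. A real phone app would hold
// only the pinned public half.
const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');

// Issuer side: sign the text together with the machine ID and validity window.
function issueNotice(fields, signingKey) {
  const payload = Buffer.from(JSON.stringify(fields), 'utf8');
  const sig = nodeCrypto.sign(null, payload, signingKey);
  return { payload: payload.toString('base64'), sig: sig.toString('base64') };
}

// Phone side: atmIdOnMachine is what the user reads off the ATM itself
// (assumed to exist); now is a Date.
function verifyNotice(notice, pinnedKey, atmIdOnMachine, now) {
  const payload = Buffer.from(notice.payload, 'base64');
  const sig = Buffer.from(notice.sig, 'base64');
  // 1. Who wrote it: the signature must verify under the pinned key.
  if (!nodeCrypto.verify(null, payload, pinnedKey, sig)) {
    return { ok: false, reason: 'bad signature' };
  }
  const f = JSON.parse(payload.toString('utf8'));
  // 2. Where it applies: a genuine notice for another machine is not valid here.
  if (f.atmId !== atmIdOnMachine) {
    return { ok: false, reason: 'notice is for a different machine' };
  }
  // 3. When it applies: an old notice left on the machine has expired.
  const t = now.getTime();
  if (t < Date.parse(f.notBefore) || t > Date.parse(f.notAfter)) {
    return { ok: false, reason: 'outside validity window' };
  }
  return { ok: true, reason: 'verified', text: f.text };
}

// Constructed sample notice and checks.
const sample = issueNotice({
  atmId: 'ATM-EXAMPLE-001',
  text: 'This ATM is running slow and may take a while to return your card.',
  notBefore: '2024-01-01T00:00:00Z',
  notAfter: '2024-01-02T00:00:00Z',
}, privateKey);
const noon = new Date('2024-01-01T12:00:00Z');
console.log(verifyNotice(sample, publicKey, 'ATM-EXAMPLE-001', noon).reason);
console.log(verifyNotice(sample, publicKey, 'ATM-EXAMPLE-002', noon).reason);
```

The signature only answers who wrote the notice; the machine ID and the time window are what tie it to this ATM today, and the whole check still rests on the phone trusting the pinned key.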