Breaking ATMs

The nice people at Breaking Banks invited me onto their radio show to comment on the impressive rise in card counterfeiting in the US.

“Criminals are stealing card data from U.S. automated teller machines at the highest rate in two decades, preying on ATMs while merchants crack down on fraud at the checkout counter.”

[From Theft of Debit-Card Data From ATMs Soars – WSJ]

The figures are astonishing: compromises at bank ATMs up a couple of hundred percent in the first quarter, compromises at non-bank ATMs up more than three hundred percent! What is being stolen is the data from the trivially-counterfeitable magnetic stripe on the back of the card (“skimming”). This data can only be used to make counterfeit magnetic stripes: you can’t use it to make clones of the chips on the cards. Hence the data is only useful if you can find somewhere that will let you pay for something using a magnetic stripe copy of the trivially-counterfeitable magnetic stripe. Oh wait, I know somewhere…

Yep. The USA. Skimmed card data from around the world makes its way to America, which is why America’s share of world payment card fraud losses is so much greater (double, in fact) than its share of world payment card volume.

“Total global payment-card fraud losses were $11.3 billion in 2012, up nearly 15% from the prior year. The United States—the only country in which counterfeit-card fraud is consistently growing—accounted for 47% of that amount, according to the Nilson Report”

[From Skimming off the top | The Economist]

Now, we all know that in the long run the way to get round this is to get rid of trivially-counterfeitable magnetic stripes (and the use of card numbers online, but that’s a different story) and use chip and PIN instead (actually, in terms of fraud reduction it’s the PIN that’s doing the heavy lifting, the chip not so much). And, indeed, chips are making their way on to US cards at last, just in time to be rendered obsolete by Apple Pay, Android Pay, PayPal Venmo, Samsung Pay and the like.

“However, most ATMs don’t yet accept the [chip] technology, though J.P. Morgan Chase & Co. and Bank of America Corp. have recently begun to install the more advanced machines”

[From Theft of Debit-Card Data From ATMs Soars – WSJ]

Actually, this won’t stop the card data from being stolen. All of the ATMs in the UK read chip but you still have to put the card into a slot that can read stripes from the legacy cards carried by American tourists. Since you have to put the card into a slot, the fraudsters can still fit their devilish devices to the machines and read the stripe as you push the card through. Then they steal the PIN by shoulder-surfing or keypad cover plates or hidden cameras or whatever. This has been going on for ever. Here’s what I wrote about it eight years ago.

“Fraud on UK cards overseas has increased because the stripes are counterfeited and the PINs are then used to withdraw cash at foreign (non-chip & PIN) ATMs.”

[From Card fraud in the UK]

So where do we go? Well, one obvious way would be to simply decline all stripe transactions made using chip and PIN cards, but I have chip and PIN cards that I still use in card swipes when in the US so this might generate too many customer service calls. Another way would be to let me use my mobile app to turn my debit card on and off, and for someone like me who rarely uses a debit card (basically for ATM withdrawals only) this might work. But another idea might be to stop me from having to put my card into a slot.

“Spain’s CaixaBank has commissioned Fujitsu to build 8,500 ATMs with contactless capabilities.”

[From Spanish bank spends €500m on contactless ATMs]

My debit card has been contactless for years, yet I’ve never seen one of my bank’s ATMs with a contactless interface as CaixaBank has. But my bank has an excellent mobile app too, and surely there must be some way of using this instead of a card when I nip out for a late-night legal high just before the government ban comes into force.

“With the new CommBank app and its Cardless Cash feature, you can withdraw cash from over 3,000 ATMs without your card.”

[From Cardless Cash with the new CommBank app – CommBank]

Unfortunately my bank doesn’t yet have cardless withdrawals either, but it does have an excellent text message authentication and alert system that deals with the ATM problem, so if my card gets ripped off it’s harder to use and, to be fair, although I’ve used my card in some pretty dodgy-looking ATMs, to the best of my knowledge it’s not been skimmed.

Mobile is surely the way forward though, isn’t it? Perhaps my bank could put in some mini-ATMs at branches: no keypad, no screen, just a contactless reader and cash dispenser. I tell my bank app how much I want to withdraw and then tap the phone on the reader and the cash pops out. This way, the bank app can send a token instead of the real card details and the criminals will leave my account alone and move on to easier pickings.

Doing away with card and PIN entry is possible because the mobile phone provides for an effective alternative identification and strong authentication mechanism. There are other strong identification methods that could be used though, like the finger vein readers used in some countries. My favourite suggestion is…

“You stand at the ATM but, instead of producing your card and PIN, you unbutton your trousers while a dachshund, trapped in the machine, sniffs around your intimate regions, identifying you by your unique scent.”

[From ATM dog: Forgotten your pin? Please join the queue for the dachshund | Technology | The Guardian]

Using the dog’s nose as a biometric system to identify people is actually rather an old idea. In fact I wrote this about it eight years ago.

“If I could integrate an odour detector and analyser with the power of a dog’s nose into a chip in my laptop, then my laptop would know who else was in a room with me, because dogs can easily discriminate between different people.”

[From Going to the dogs]

I’m rather keen on smell as a biometric, but whether this particular implementation will overcome the embarrassment of being seen drawing out cash in a public place, I can’t say.