The ATM is such a ubiquitous staple of life now that we don't even think about the process of putting the bank card in and taking money out anymore.
ATMs have so many bells and whistles attached to them -- ordering movie tickets, watching ads, or making phone calls -- that the act of withdrawing money from your account seems almost an afterthought.
Unfortunately, that same nonchalance may be catching on with banks.
Several recent incidents indicate that it's easier than ever not only to hack an ATM and steal all the cash, but to steal a bank customer's PIN and drain their checking account without them ever being the wiser.
Dancing On A PIN
According to "The Unbearable Lightness of PIN Cracking," a new report released by a pair of Israeli security researchers, a weakness in how PINs are transmitted across global financial networks could enable unscrupulous bank employees to crack a cardholder's PIN using as few as one or two guesses.
The flaw could enable crooked insiders to gain access to a PIN if the cardholder withdraws money from their bank, even if the cardholder's money is in another bank. It could also be used to generate new PINs that would work just as well as the legitimate number.
Researchers Odelia Moshe Ostrovsky and Omer Berkman demonstrated several weaknesses in the "chain" a PIN goes through when it is transmitted from the machine a user enters it into, through a series of "switches," to the verifying bank that the user does business with.
One weakness centers around the "translation" of PINs as they go through the chain, while another targets ATMs that enable users to select PINs during online banking.
Ostrovsky, of Algorithmic Research (ARX), and Berkman determined that even if the issuing bank addressed every possible vulnerability on their end, customers would still be vulnerable to attacks along the chain if other banks did not improve their systems.
"To be protected from this attack, countermeasures in all verification paths to the issuer must be taken," they said. "As this is unrealistic, solutions outside the standard must be sought."
The two researchers claimed that the vulnerabilities could account for many unexplained instances of "phantom withdrawals" from cardholders' accounts.
"The attacks are so simple and practical that issuers may have to admit liability not only for future cases but even retroactively," they said. "The attacks can be applied on such a large scale...that such liability can be enormous."
The authors went public with their research after presenting it to major credit card issuers and banks, none of whom acted on the information.
MP3 vs. ATM
Sometimes it doesn't take a sophisticated hack attack or the work of greedy insiders to break a bank network open. In one case, all it took was a simple MP3 player.
Manchester, England resident Maxwell Parsons was recently convicted of stealing 200,000 pounds from cash machines throughout Britain. Parsons would find "free-standing" ATMs, plug his MP3 player into the back, and record the tones of the keys when users input their PINs.
Parsons would then run the recorded tones through separate software programs to decipher them, and create "clone" cards which he then encoded with the recovered PINs, according to a report in The Register.
Parsons was arrested by sheer luck when he was pulled over for an illegal U-turn in London. The police found a fake bank card in his wallet, and after searching his residence, turned up 26 other fake cards, 18 of which were cloned.
Parsons was sentenced to 32 months in prison for deception and unlawful interception of communications transmissions. The authorities believed he was the ringleader of a gang, The Times reported.
Representatives of the U.K. banking industry claimed to be so shaken by the incident that they planned to move immediately to fix the flaws in free-standing machines to prevent similar crimes.
What You Can Do
Avoid using any ATM that looks like it's been tampered with or damaged in any way. If you see people loitering around an ATM who don't seem to be getting money out, find another one to use.
Try to stick to ATMs from your bank or in your credit union's network. It won't remove vulnerability to fraud, but it can reduce it -- and you'll be saving yourself extra money by not incurring withdrawal fees from ATMs.
When using an ATM, shield the keypad from view so that your PIN can't be seen by onlookers.
Keep receipts from ATM withdrawals at the time of the transaction, but be sure to destroy or shred them later.
Regularly check your bank account or statements for unusual activity.
The complete text of "The Unbearable Lightness of PIN Cracking" is available online as a .pdf document.