I wish that my bank would let me set a message to pop up whenever withdrawals over a certain amount (or percentage) are made. If we can't be secure, I'd at least like my would-be-account-ruiners to know "LOL STUDENT ACCT". What would be even better is if every time I accessed an ATM it would snap a photo (so many are all recording video anyway) and put it into my account mailbox to view the same way I view checks. That way I could track my facial expression over time as I watch my account go from $XXXX to $XX every time the rent is paid and chart it along with other personal metrics. On the off chance that someone does steal my card/pin/... at least I would be able to shame take a moment shaming them in Photoshop out of... grief?
---
This actually got me thinking about a relatively straight-forward way to make ATMs more secure. Many ATMs have cameras and are, presumably, recording each time someone makes a transaction. I don't know exactly how the system works, but here's what I think:
- People who use ATMs should pretty much expect to be recorded in some fashion for security purposes, even if it's just a camera in the corner of the room.
- By using an ATM most people, even the privacy-conscious, would agree to this amount of surveillance. If not, they are welcome to visit their bank during regular business hours, in a ski mask if they prefer, or better yet use the inside of their mattresses instead.
- Adding a camera to a device, particularly one like an ATM, is trivial to implement and should only make a slight difference in cost.
- This camera could also be sensitive to infrared or other bands in order to defeat the ski-mask (thieving) or eye-patch/bandage (handicapped or disfigured) crowds.
- The software could be made such that it only proceeds with certain actions IFF it recognizes that the camera is not being blocked, that it recognizes a face, and that the face is not being spoofed by a Polaroid or something silly.
- ATMs are networked and should be capable of uploading medium resolution photos. Assuming reasonable policies could be maintained, the photo could be sent over the wire directly to your card-issuing institution and then routed to you, perhaps with a 7-days-til-self-destruct mechanism. Obviously you could archive these if you wanted, but the point is that banks/credit companies would treat it the same as security footage, i.e. data glut that's only useful while it's fresh.
- As soon as you are made aware of some sort of fraud, you can simply report the transaction, with identifying snap, to the bank (who will hand it over to authorities).
I'll leave the potential problems of this system to your imaginations, but it seems to me like a fairly easy to adopt solution to small, regular ATM theft. Obviously a coordinated attack could perhaps find some sort of exploit, but maybe it could deter the small-timers enough to be worth it.
EDIT: I am aware that this doesn't solve any of the particulars in the article, but I still think it's "on topic" since we all like tech, and ATMs are tech :)
Off the top of my head, I can think of several ways in which your scheme can go wrong:
- A camera in the corner of the room is vastly different in its surveillance capacities as a camera in front of your face.
- People are not used to seeing cameras in front of them at an ATM, only on the wall behind them. In fact, a camera attached to the front of an ATM could very well be part of a skimming device.
- Banks are always looking for a way to hold you responsible for their fuckups. For example, it can be more difficult to dispute a debit card transaction if your PIN was used. Your bank can and will use the photo evidence against you in the same manner, unless you can prove beyond a doubt that it wasn't you.
- ATMs are networked, but not necessarily with high-bandwidth connections.
- The "authorities" can and will archive those photos and use them for questionable purposes. You're deluding yourself if you think those photos will self-destruct.
At my credit union, every ATM has a camera built in right above the screen. Same with the Chase ATMs I used when I banked with Chase. Perhaps I am used to this because I only use branded ATMs (aka, Chase ATMs or 5/3 ATMS etc).
- In my opinion, a corner cam is most useful for deterring break-ins and "the bank", whereas an ATM cam is only useful as a fraud prevention measure. Both advantageous to a bank but in different ways.
- Cameras are already on every bank ATM I've used in recent years. Usually, they are on the other side of a two-way mirror. It's no secret what's behind it, but I'm sure they get a really nice shot of anyone who wants to check their lipstick in it really quick. That being said, I've also seen plenty in the delis around that have a very blatant camera installed directly above the screen.
- When do you foresee this being a real issue? I agree that it would be very difficult to fight, but isn't that the point? If someone manages to spoof your card, your pin, and your face all at the same time that seems like a much different problem (like a hostage...) than simple fraud. I'm having trouble envisioning how such a system could work directly against you in the way that you suggest.
- True. Then again, compression technology is such that even an ATM on a dial-up modem could probably upload a useful snap by the time you could finish a transaction. I do think it's reasonable to expect that if the system were to be implemented that in a few years time all ATMs could be running on decent connections. Even if you count the few real backcountry areas with ATMs, it's a small issue.
- The rest of my comment will address your last point so that it's a little more readable, and because I think it's the most important to address.
First, if you believe this to be the case, then it's already too late. Your face is already in their databases doing perhaps all kinds of more interesting things than depositing your paycheck. This falls back to the issue of if you don't trust anyone, don't depend on anyone which ultimately leads to non-participation being the best bet for avoidance, or over-participation in order to blend in. You should probably worry much more about what the "authorities" are doing with your candid shots on facebook, your friends' facebook, or whatever than the pic snapped of while you withdraw $40 for an evening on the town.
The most obvious line of defense is, like the whole gun database ordeal, to stipulate that no government body may keep a record of this data beyond its expiration date and even then, only by the institution to which it is served unless directed otherwise by a warrant. If you're worried about your bank doing dirty things to your image, you might want to stop banking since they already have a copy of every other relevant bit of identifying data. If you're worried about the police, then you should be worried about the NSA. If you're worried about the NSA, good. Let me know once you've found a nice hiding space, I'll bring some board games. I don't expect we'll have much internet access.
You'd be right if you said that the stipulation would mean nothing to those interested in gathering that information, but the point is really just to prevent them from using that information in any way that's detectable.
When I say self-destruct, what I mean is the bank's copy. They have no reason to keep it, but sure, maybe the government does. But again, if that's the case then I'm sure they would have had a backdoor to the live feed of all those existing ATM cameras anyway.
---
Sorry if that was a bit rambling, but I hope you get the gist. We share some of the same concerns but in my opinion, it's already game over unless we can bring more information into the equation. That data is already out there. Your photo is already on the ATM and every security cam you walked past to get there. The best thing you can do is to have a copy of that information yourself because right now you know less than they do, and that's how you lose.
1) They used prepaid cards so your account wound't have been effected. They did it intentionally so that they wouldn't hit account limits.
2) The vast majority of ATMs have cameras. I would guess (only a guess) that all of the locations they hit had cameras to pull the max amount of cash.
3) If they didn't have cameras in the ATM, they were certainly cameras nearby. Likely the mistake they made was covering their face, but using a vehicle (since they had to hit a lot fast) with a mask on and some other camera got their plates.
But..., your idea of using not just visible light has merit and I hope someone figures out how to implement it.
> I wish that my bank would let me set a message to pop up whenever withdrawals over a certain amount (or percentage) are made.
ING Direct does exactly this!
I get an email (text messages possible too) every time I make a purchase over a certain amount that I've chosen. You can set the limit as low as $1 if you really wanted to, so you can be notified of literally every single debit card purchase.
This forward thinking is one of the many benefits (no fees EVER being another) I've enjoyed and why I love banking with them.
Online banking is definitely the future, or at least will grow to be a much larger part of it.
I actually meant a message popping up on the ATM screen, sort of like a vacation-away responder but for people with bad spending habits.
The functionality you're talking about is obviously much more useful :) I'll have to check and see if my bank has this function, as I probably would not have set it when I opened my account and have yet to receive anything like it. My girlfriend's bank sends her a message when her account is under a certain amount and flat out denies withdrawals over that same amount (i.e. notifies when under $500, can't withdraw more than $500/mo regardless).
Simple alerts via their iPhone application of every debit card transaction made -showing the places name, and a location on a map at the same time.
Because there is no cut off, other than turning off notifications, this sounds like it could be annoying. But in practice, it’s just nice, and gives you a sense of security.
And when looking back over transactions at the end of the month - the maps are dang handy for jogging my memory…
> And when looking back over transactions at the end of the month - the maps are dang handy for jogging my memory...
Whenever I get an email from ING about a transaction or deposit (one that isn't totally obvious) I do this:
Click "Forward".
Delete all text/images.
Write a few words about the purchase or deposit.
And send it to myself.
That way I can look back in Gmail at any time and know EXACTLY what I spent that money on. This is helpful because sometimes knowing WHERE I spent money doesn't tell me anything about I actually purchased.
For example, I have a Debit Card Purchase of $10 at Farhad Monadjeem. What in the HECK is that???? Oh, that's actually the car wash at Mobil; the owner's name I suppose. This system is also great for online purchases, so I don't have to login to various websites to see what item(s) I purchased; it's all in my email.
PNC lets you setup alerts via text or email for a wide variety of options: balance over / under a limit, overdraft, check bounce, overdraft autotransfer, ATM withdrawal, check payment, or preauth payment over / under a limit, and a bunch of security-related things like login / profile changes.
Right now I only use the direct deposit alert so I know when I've been paid and the security alerts.
There was a case a few years ago in Australia where someone realized that their (foreign-issued) card would always authorize, but that the debit would never hit their account.
They had a field day (or months). Police estimated that the person had withdrawn up to $2M from ATMs.
But people are greedy - faced with a machine that effectively gave free cash, as much as desired - how was this person caught? A gambling spree (go figure - where's the real allure in "winning" when you can "win" at any ATM?) - on a losing streak, he couldn't be bothered to spread his withdrawals amongst multiple ATMs at or around the casino, and in one night emptied an ATM (approximately $100,000), which tipped off the bank, that had only filled it that morning. Some cross referencing, and it was all over.
Scarily, the bank noted that until then, there was "nothing that had been flagged in their system" alerting to a problem with this person/account.
If the ATM is verifying that the face belongs to an account holder, there's little worry of someone unauthorized accessing it. Use two cameras to get a real 3D biometric, they'd need a lifelike model of your head to access your account.
---
This actually got me thinking about a relatively straight-forward way to make ATMs more secure. Many ATMs have cameras and are, presumably, recording each time someone makes a transaction. I don't know exactly how the system works, but here's what I think:
- People who use ATMs should pretty much expect to be recorded in some fashion for security purposes, even if it's just a camera in the corner of the room.
- By using an ATM most people, even the privacy-conscious, would agree to this amount of surveillance. If not, they are welcome to visit their bank during regular business hours, in a ski mask if they prefer, or better yet use the inside of their mattresses instead.
- Adding a camera to a device, particularly one like an ATM, is trivial to implement and should only make a slight difference in cost.
- This camera could also be sensitive to infrared or other bands in order to defeat the ski-mask (thieving) or eye-patch/bandage (handicapped or disfigured) crowds.
- The software could be made such that it only proceeds with certain actions IFF it recognizes that the camera is not being blocked, that it recognizes a face, and that the face is not being spoofed by a Polaroid or something silly.
- ATMs are networked and should be capable of uploading medium resolution photos. Assuming reasonable policies could be maintained, the photo could be sent over the wire directly to your card-issuing institution and then routed to you, perhaps with a 7-days-til-self-destruct mechanism. Obviously you could archive these if you wanted, but the point is that banks/credit companies would treat it the same as security footage, i.e. data glut that's only useful while it's fresh.
- As soon as you are made aware of some sort of fraud, you can simply report the transaction, with identifying snap, to the bank (who will hand it over to authorities).
I'll leave the potential problems of this system to your imaginations, but it seems to me like a fairly easy to adopt solution to small, regular ATM theft. Obviously a coordinated attack could perhaps find some sort of exploit, but maybe it could deter the small-timers enough to be worth it.
EDIT: I am aware that this doesn't solve any of the particulars in the article, but I still think it's "on topic" since we all like tech, and ATMs are tech :)