Banking Security – Part 1

A look at the misplaced confidence, trust and liability that surrounds the consumer banking industry.

Bank accounts. Everybody has one, many people have several. They range from everyday current accounts to savings accounts, credit accounts and various other guises. We trust faceless corporations with our hard-earned money because we have very little choice if we want to be part of the modern world. Many of us never question the trust and confidence we place in these banks and hopefully we will never have need to do so. These posts are intended to shine a little light on what most of us take for granted…

Cash Machines (ATM – Automated Teller Machine)

There are over 60,000 ATMs in the UK alone processing around 1 million transactions every hour so it’s little surprise that they are such a big target for crooks trying to get your money. If a crook wants to get your money they are going to need your card and your PIN.

Some of the most common approaches are to physically steal your card, either discreetly or by force, or to attach a camouflaged scanner to the card slot of the ATM so that the crooks pick up a copy of the card details as you insert the card, which they can later use to produce a clone.

As for learning your PIN, this can be done with a discreet hidden camera, a camouflaged keypad overlay, peering over your shoulder, using a long-distance lens or a thermal camera which can detect your key presses several minutes after the event. There have also been reports of crooks installing fake ATMs which do nothing more than capture the card and PIN details before displaying an error message.

Card Payments (PDQ Terminals – Process Data Quickly)

In the past decade banks and credit card providers in many countries have promoted a switch from signing for payments to entering your PIN as the means of proving that the card is yours. One of the main drivers behind this was so the financial agencies could shift liability for fraud to any merchants that chose to continue taking signatures. This principle was misplaced: as evidenced above, it is trivial for a crook to obtain your PIN, probably easier in fact than convincingly forging your signature.

PDQ terminals themselves are vulnerable to compromise and there is a shady underworld where crooks will buy second-hand units, tweak their software and put them back into second-hand circulation. An unsuspecting business looking to save a few bucks could then inadvertently find itself sending its customers’ card information to the cunning crooks. In situations like this the merchant is likely to be completely unaware that there is anything nefarious happening.

Another trick is the old school method of taking an impression of the card. This is usually quite obvious so can be avoided by not letting your card out of your sight. No merchant should expect you to forfeit your card, although it may mean having to get up from your restaurant table and walk over to a fixed terminal.

What to do?

Be wary of anything that doesn’t look quite right. A camera can be as small as a button so can be hidden inside a slim leaflet holder or wedged into a corner. Anything that looks loose or mismatched in colour or texture should raise suspicion as being out of place. Be aware of anyone loitering or standing unnaturally close, and shield the keypad with your body or your wallet/purse.

Unfortunately, with such a wide variety of manufacturers, each constantly updating their designs, it’s not a straightforward case of familiarising yourself with what’s legitimate and what’s not. Some crooks will even produce devices specifically targeting individual machines, so the result is very convincing and difficult to spot.

As with many scenarios where security is vital, the one takeaway point from this post is to be aware.

Next week I’ll take a look at on-line and telephone banking…