ATM Security? Don't bank on it.

This story actually goes back a couple of days, but I was at a forensics conference in Canterbury for the past few days - in fact, that's where the photograph below comes from - and when I did get back the 'Irish Virus' story seemed a little more urgent.

In any case, this isn't so much a hot newsworthy item as something to keep in mind for the next few decades...

Brian Krebs has published some very useful information about the use of skimmers and related devices, eavesdropping attacks on ATMs and so on. And it appears that ATM users need that information. In his article A Handy Way to Foil ATM Skimmer Scams he notes that video footage from cameras hidden at ATMs showed that:

"...out of the dozens of customers that used the compromised cash machines, only one bothered to take the simple but effective security precaution of covering his hand when entering his 4-digit code."

There are more sophisticated ATM attacks than ball cameras and shoulder-surfing, but lo-tech attacks are often surprisingly successful. Covering your hand at an ATM - or, come to that, when you're paying by card in a shop or restaurant - is not going to protect you from all kinds of ATM attack, but it's a pretty good way of reducing your exposure to the most common approaches to PIN theft, and it's as lo-tech as you can get.

Unfortunately, it won't protect you from the kind of ChipTAN attack described by The Register's John Leyden here, or the sophisticated malware attacks on smartcards described by our own Aleksandr Matrosov in Smartcard vulnerabilities in modern banking malware and elsewhere.

But surviving in the online world isn't usually about eliminating risks so much as reducing them. You can 'play the odds' as one of the comments to the Krebs article suggests, by assuming that when you use an ATM the odds are that it hasn't been compromised. But why neglect a simple (not to say obvious) precaution that involves no significant effort and may one day make a big difference? It's your cash: you don't want it to be freely available to the wrong people.

David Harley CITP FBCS CISSP
ESET Senior Research Fellow