Data Security At ATMs: Remember To Close Out Your Sessions.

One of the key aspects of data security is to make a proper exit, such as logging out after using a computer that is protected with laptop encryption software or closing and locking a door.  Call it the understatement of the century if you will, but it looks like it bears pointing out.

Man Uses Binoculars, Targets Open ATM Sessions

A man has been charged with multiple counts of identity theft.  How did he go about it?  Did he use a skimmer?  Or perhaps glance over the shoulder of an ATM user?  Or install a miniature camera?

No, no, and no.  He used binoculars to watch people punch in their PINs, and when certain customers walked away from the ATM with their sessions still open, he stepped in and used the PIN he had just acquired.  The story raises a number of questions:

  • How can binoculars be used to obtain someone’s PIN?  I mean, I’d imagine that my back would cover the number pad, be it on the countertop or in a screen in front of me.  Did he only target rail-thin models and anorexics or what?

  • Why are certain ATMs designed so that you have to log out?

I’ve always had a beef with such ATMs.  There are many types of ATMs out there.  There are machines where you’re supposed to swipe the card; others require you to insert the card.  Of the latter, some spit out the card right after you enter the PIN, while others return the card before giving you the money, and still others only return the card as a last step, after you’ve collected your money.

Generally speaking, the last type of ATM is the type I like: getting the card as the last step means that I know I’ve been logged out of the ATM session when I receive the card.  The one I personally dislike is where you swipe the card: the card never leaves your hand, but now you’ve got to remember to log off.  If you’re tired and in a hurry, sometimes you forget.

People sometimes forget to collect their card, sure; however, I personally have developed a routine where I always stuff the money into my wallet, check the presence of the card in the wallet, place the wallet in my front pocket (never the back pocket, which is easier for pickpockets), and then pat the outside of the pocket to make sure the wallet is really in there.  I’m not sure why I do that last step, I just do it (perhaps to make sure I don’t have a wallet-sized hole in my pocket?  I dunno).

Thankfully, certain ATM types that I dislike are designed to ask for the PIN again before proceeding with a new transaction (which is why the man with the binoculars needed the PINs in the first place).  Some ask you to swipe or feed the card again.  There are others where all you have to do is hit “yes,” which is the absolute worst when it comes to security: anyone who walks up to an abandoned session can withdraw money without knowing anything about the account.

Whose Responsibility is it?

The ATM users’, no doubt.  But then, there is something to be said about creating a proper user interface so that a lot of the burden (a minimal one, in this case) is lifted off the customers’ shoulders if possible.

I mean, take laptop encryption and how you’re required to log off after each session.  It’s common knowledge that laptop encryption, also known as full disk encryption since it encrypts the laptop’s entire internal hard disk, protects your data via the use of powerful encryption.

What’s not so common knowledge is that laptop encryption only protects your data when the computer is turned off, or if the hard disk is taken out of the computer and hooked up to another one (kind of like connecting an external portable hard drive).  While you are logged in and using your computer, that protection is not in effect.

Makes sense, right?  Encryption protects your data by making it unreadable.  You’re using your computer, so you must be able to see (read) what’s going on.  Hence, your data is not encrypted anymore.

(This is what’s really going on: once the disk encryption software accepts the correct password, it loads the decryption key into memory and decrypts whatever is read from the disk on the fly, transparently to you and to every program running.  Technically, the data sitting on the disk is still encrypted; in practice, it doesn’t really matter, since anyone at the keyboard can read it through the running computer for as long as that key stays loaded.  In other words, encryption is not in place for all intents and purposes…although, from a technical perspective, it is.)

When using disk encryption, to ensure that no one gets to your data, you have to log off the computer after each session.  If you leave it on for a couple of hours while you go visit clients, you don’t have any security in place from a practical perspective.  And the software can’t really log off for you.

Or can it?  AlertBoot can be configured by a central administrator to log off users if the computer has been inactive for a set period.  This is not as good as physically turning off the computer, since there is always a window (say, 15 minutes) during which someone could hop onto your computer and stick in a USB flash drive (actually, AlertBoot also features USB port control to prevent unauthorized USB memory sticks from being used, but still…logging off yourself is always the better practice).
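To make the “encrypted on disk, readable while the key is loaded” point concrete, here is a small model of an encrypted volume with an idle-timeout auto-lock.  This is an added example written for this page, not AlertBoot’s code or any real disk cipher: the keystream (HMAC-SHA256 over a block counter), the password check, the sample data and the clock are all constructed for illustration, and a real product would use a proper disk cipher such as AES-XTS.  What it shows is the behaviour described above: the bytes on “disk” never change, the key lives only in memory after a successful unlock, reads decrypt on the fly, and an inactivity timeout drops the key so that a later read fails.

```python
import hashlib
import hmac
import os
import time


class EncryptedVolume:
    """Toy model of a full-disk-encrypted volume (constructed for this example).

    The 'disk' always holds ciphertext. unlock() derives the key from the
    password and keeps it in memory; read() decrypts on the fly while the key
    is present. An idle timeout drops the key, modelling an auto-logoff policy.
    """

    def __init__(self, password, plaintext, idle_timeout, clock=time.monotonic):
        self._salt = os.urandom(16)          # per-volume salt for key derivation
        self._clock = clock                  # injectable so tests can fake time
        self._idle_timeout = idle_timeout    # seconds of inactivity before lock
        self._key = None                     # None means locked: no key in memory
        self._last_activity = None
        key = self._derive_key(password)
        self._disk = self._xor_stream(key, plaintext)   # what the disk stores
        # Password verifier: an HMAC of a fixed label, so the key itself is
        # never stored. Label is 6 bytes; counters below are 8, so no overlap.
        self._verifier = hmac.new(key, b"verify", hashlib.sha256).digest()

    def _derive_key(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    @staticmethod
    def _xor_stream(key, data):
        # CTR-style keystream: HMAC-SHA256(key, block_counter), 32 bytes per
        # block, XORed with the data. Symmetric, so it both encrypts and decrypts.
        # Toy construction for illustration only, not a real disk cipher.
        out = bytearray()
        for offset in range(0, len(data), 32):
            ks = hmac.new(key, offset.to_bytes(8, "big"), hashlib.sha256).digest()
            out.extend(b ^ k for b, k in zip(data[offset:offset + 32], ks))
        return bytes(out)

    def unlock(self, password):
        """Derive the key from the password; keep it in memory only if it verifies."""
        key = self._derive_key(password)
        expected = hmac.new(key, b"verify", hashlib.sha256).digest()
        if not hmac.compare_digest(expected, self._verifier):
            return False
        self._key = key
        self._last_activity = self._clock()
        return True

    def lock(self):
        """Drop the key: equivalent to logging off / powering down."""
        self._key = None

    def is_locked(self):
        return self._key is None

    def read(self):
        """Decrypt on the fly; enforces the idle timeout first."""
        if self._key is not None and self._clock() - self._last_activity > self._idle_timeout:
            self.lock()                      # the administrator's auto-logoff
        if self._key is None:
            raise PermissionError("volume is locked: no key in memory")
        self._last_activity = self._clock()
        return self._xor_stream(self._key, self._disk)

    def raw_disk(self):
        """What an attacker sees by pulling the disk: ciphertext only."""
        return self._disk


class FakeClock:
    """Constructed clock so the idle timeout can be exercised without waiting."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo():
    clock = FakeClock()
    secret = b"client list: ACME Corp, Globex, Initech"   # constructed sample data
    vol = EncryptedVolume("correct horse", secret, idle_timeout=900, clock=clock)
    results = {}
    results["disk_is_ciphertext"] = vol.raw_disk() != secret
    results["wrong_password"] = vol.unlock("hunter2")        # False
    results["right_password"] = vol.unlock("correct horse")  # True
    results["read_while_unlocked"] = vol.read() == secret
    clock.advance(600)                                       # 10 min idle: still open
    results["read_after_10min"] = vol.read() == secret
    clock.advance(901)                                       # past the 15 min window
    try:
        vol.read()
        results["read_after_timeout"] = "allowed"
    except PermissionError:
        results["read_after_timeout"] = "locked"
    results["locked_now"] = vol.is_locked()
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Note the window the article mentions: within the 15-minute timeout, every read succeeds without any further authentication, exactly like the abandoned ATM session.  Only the user locking (or shutting down) removes that window entirely.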

The point is this: disk encryption includes a bunch of security features to ensure that you’re protected, but ultimately, protection is maximized only if you a) keep your password secret and b) log off after each computer session, two factors that only you, the user, can control.  Likewise with ATMs.

On the other hand, disk encryption is very straightforward and no-nonsense: log in, then log out or turn the computer off.  There’s nothing else to it.  You don’t have to hit Ctrl+Shift+F1 before logging out, or do the chicken dance, or whatever.

Which is different from ATM operation, where, depending on the machine, there are a number of different ways of closing out your session, as described above.  Sure, it’s your responsibility to make sure you’ve properly ended your interaction with the cash machine, but some of them are not exactly helpful in this respect.
