
Practicing Street Smarts at the ATM

Each time I pull money out of a bank's automated teller machine -- even if it's an ATM that is very familiar to me -- I always use caution to ensure that no one or thing is surreptitiously trying to observe my transaction. Friends and family have heckled me for my paranoia about this, but when I read this latest news brief about an ATM incident in tony Tyson's Corner, Va., I felt vindicated.

From the brief:

"Surveillance equipment was found attached to an ATM at a bank in the Tyson's Corner area, an unusual type of high-tech criminal activity in Fairfax County, police said....Located nearby was a wireless receiver that is believed to be associated with the surveillance equipment. Fairfax police, working with the United States Secret Service, are trying to determine if customers' information was compromised."

The ATM Industry Association offers cardholders some tips to protect their data:

- Only use an ATM where and when you feel completely comfortable;

- Pay attention to the machine before using it. If something appears unusual or unfamiliar, use another machine;

- Never accept help from strangers at ATMs;

- Never disclose your PIN to anyone;

- Check that no one is trying to look over your shoulder, known as "shoulder surfing," to observe you entering your PIN; and

- Look after your bank cards and ATM receipts as carefully as you would handle cash. Do not leave wallets, purses or any form of personal identification unattended in public places.

What about you, Security Fix readers: Are you this careful when using ATMs? Has something fishy about an ATM ever dissuaded you from using it? If so, what was it that turned you away?

By Brian Krebs  |  April 16, 2007; 10:30 AM ET
Categories:  Fraud , From the Bunker , Latest Warnings , Safety Tips  


I saw a parked car sitting in the parking lot, with the occupants watching people at an ATM. This happened on a number of occasions, then I saw a police car parked in the same spot, with officers watching. The other car never came back after that.

I certainly didn't feel comfortable going to the ATM with the other car there watching people use the ATM.

Posted by: ATM User | April 16, 2007 10:56 AM | Report abuse

Frankly, I'm not as worried about someone sniffing my creds as I am someone hitting me over the head and taking money...but the same precautions apply to both situations. However, I've noted that those 3rd party ATMs in convenience shops are highly insecure, often using a simple modem line to communicate with servers. Installing sniffers on this would be trivial for insiders or I generally avoid them.

Posted by: DBH | April 16, 2007 11:01 AM | Report abuse

I'm completely paranoid about this too. I hate how most ATMs put you in the most vulnerable position: you're facing a wall with limited peripheral vision, and you're withdrawing money. I've always thought it wouldn't take much to set up a high-powered telescope and start collecting PINs from afar. Plus, most people don't notice "skimmers" -- devices attached to the machine to steal the details on a magnetic stripe. ATMs are fraught with security risks that could be minimized with better designs.

Posted by: Jeremy | April 16, 2007 11:07 AM | Report abuse

I am rather concerned about the words in the article: Look after your...ATM receipts as carefully as you would handle cash. While I have always shredded these, however in doing so, felt..overly paranoid.

Brian, please expand, what (pertinent) information would be on an ATM receipt?

Posted by: JCD | April 16, 2007 11:07 AM | Report abuse

Sometimes, I avoid the ATM and add a cashback request when I'm at the grocery store. If I need cash for a trip, then I use the ATM and make sure I'm blocking the keypad when I punch in my PIN.

Posted by: cab91 | April 16, 2007 11:16 AM | Report abuse

I've developed a technique to press the PIN keys with my hand blocking view of the keyboard, using different fingers to press different numbers, and with some extra finger motions to mislead an observer about which strokes actually press a key. It may not be foolproof but I think it adds to the degree of difficulty to a shoulder-surfing camera.

Posted by: Alan | April 16, 2007 11:22 AM | Report abuse

JCD -- Each ATM receipt is different, and while most won't include full account numbers and so forth, receipts may include snippets of account numbers or other personal data that could be used by ID thieves to help piece together info about people.

I recall reading an article sometime in the past two years in the 2600 Hacker Quarterly Magazine about data that could be gleaned off of ATM receipts, but I can't seem to find the reference on their site.

Posted by: Bk | April 16, 2007 11:23 AM | Report abuse


While traveling in Latin America, I tried to withdraw money from a machine in an enclosure next to a bank, only to notice that the slot for dispensing the money was blocked. This was a low-tech attempt at theft - if the customer wandered off in search of help, the thieves could slip in, remove the plaque blocking the slot, and take the money. Fortunately, there were a half-dozen people behind me in line who waited while bank officials came out to fix the machine. I wouldn't be surprised if somebody tried to do this in the U.S. as well, so I encourage everyone to check the entire ATM machine before using it.

Posted by: Silver Spring, MD | April 16, 2007 11:36 AM | Report abuse

Just like credit card receipts, most ATM receipts now obscure or omit sensitive information like your account number. I always check first, but I throw them in the trash if I feel they don't have enough information to be useful, and I don't remember the last time one had anything more useful than my pitiful checking balance. I do shred the ones I keep though, since those could very obviously be connected to my name and home address when disposed of from my home.

Posted by: The Cosmic Avenger | April 16, 2007 12:16 PM | Report abuse

I never use ATMs after dark--unless one is in a busy, well-lit area. It just requires a bit of budget planning so you don't have to. But the idea that thieves are starting to actually install devices on or in the ATMs themselves is a harrowing one. Does anybody know what these devices look like? I have never thought to check out the machine itself. Yikes!

Posted by: M. A. George | April 16, 2007 2:32 PM | Report abuse

There was a case reported in New Hampshire within the past couple of years, thieves installed a high tech device at an ATM to record customers' card information. They were then able to withdraw money from the users' accounts. The device was not discovered until a customer complained about unauthorized withdrawals from his account, at a bank location he'd never used.

Posted by: nh | April 16, 2007 4:01 PM | Report abuse

I think the comment about better design is a good do feel awful vulnerable standing there with your back to everyone. I used to drive to a local ATM, which was at our bank, but at night, I always would imagine someone waiting in the bushes nearby to jump out and grab my arm or the was pretty scary. Thanks.

Posted by: John Mulshine | April 16, 2007 4:06 PM | Report abuse

I'm actually uncomfortable using the keypads on Metro's SmarTrip machines. They're completely exposed, right on the face of the machine, and anyone behind you can easily see what your PIN is. Not such a great design...

Posted by: Mike | April 16, 2007 4:36 PM | Report abuse

I hardly ever use ATMs. I get cashback at the grocery store. No fees!

Posted by: A | April 16, 2007 6:21 PM | Report abuse

I am assuming that "surveillance equipment" means visual, i.e. some sort of camera. If that is the case, I am not sure I understand the concern. Thieves would need my PIN and card to get at my account through an ATM. If they mugged me for my card, I'd certainly know that and report it. And if they tried to get at my account on-line, they'd need my PIN plus my user name, plus my password (at least for my bank, others might be more lax). So, observation at an ATM, even of the PIN entry, would not seem to go very far. What am I missing?

Posted by: david | April 16, 2007 7:21 PM | Report abuse

To the commenter who worries about the "modem" connected ATM. Don't be worried. The protocols used to connect the ATM to the system use a very, very high grade encryption.

Posted by: Arlington | April 16, 2007 7:50 PM | Report abuse

Whenever I use an ATM or punch in a phone code in an airport or other high-risk place, I fake punch several additional keys -- I don't actually push the keys, but I jab my finger at them to simulate it. Anyone watching to attempt to get the PIN or phone code will have extra digits to contend with.


Posted by: Rpike | April 17, 2007 12:35 AM | Report abuse

I've been to Maine and have always loved the ATMs in that state. I had always hoped they would "travel" down south, but that's not been the case. Since these machines were out in the town, they were enclosed and large enough to require one to insert their card into a slot in the door to gain entrance. After entering the one could conduct a normal transaction. And if you saw someone suspicious, they had a phone so you could call the cops. While someone could install cameras to do bad things, and the phone cables could have been cut, it SEEMED more secure.

Posted by: umm.huh | April 17, 2007 1:12 PM | Report abuse

As long as there is a shield to hide what I am doing at the keypad, I actually feel more secure at an ATM in a very public, indoor place. Some friends last year got burned in a skimming scam to the tune of nearly $20,000 drained from their bank account. Bank insurance, thankfully, covered the loss, but the whole affair was still a major hassle. The police in that case advised them to use only ATMs found inside the bank itself--thieves are much less likely to walk inside the bank to install a camera and skimmer. Places where someone is always watching the ATM are much less susceptible to this kind of attack.

Or we can just go back to using bank tellers. At least I don't have to be paranoid and glancing over my shoulders when dealing with a bank employee.

Posted by: blert | April 19, 2007 10:59 PM | Report abuse

I find it amazing how so many individuals sacrifice security for convenience! Being in the ATM business myself, the best advice to give is to never leave anything in default status (default PINs, default passwords, etc.).

Posted by: John | May 9, 2007 9:45 AM | Report abuse

The comments to this entry are closed.


© 2010 The Washington Post Company