It’s easy to steal your ATM pin, and easy to stop it – why won’t US banks fix it?

The image is of an ATM skimmer. This is a device that a fraudster sticks onto an ATM machine that captures the magnetic stripe data and pin code typed in. The data is then used to create bogus cards that are sold to petty criminals.


Skimmers come in all shapes and sizes, Brian Krebs (who I took this photo from) has a whole gallery you can check out.

Now before going any further, I should point out that banking security is my main business, or rather was before the crash. Chances are that sometime today you will use a security system I had a part in designing.

I lost interest in banking security after the crash because security is all about risk management and the crash proved that the banks were doing a lousy job at managing the risks they were meant to understand. According to estimates based on my conversations with bank security staff and information from financial reports etc., Internet related fraud costs US banks approximately $1 billion a year of which about a quarter is actual losses and the rest is the cost of dealing with the fraud. A billion dollars sounds a lot of money because it is a lot of money. But the banks managed to blow over a trillion dollars because it turned out they had been mismanaging the risk of mortgage lending for decades.

Technology exists that could make ATM skimming impossible. There is a little chip embedded in the card that implements a cryptographic protocol which allows the card to prove that it is genuine without revealing the secret key used to generate the proof. The banks in France have been using this technology for twenty years and recently the same technology was deployed throughout Europe to secure credit card payments (Chip and PIN).

There are several reasons that US banks have not followed the European’s lead. But the biggest difference is the lack of government leadership in the US. The Bush administration was as uninterested in the actual business of governing as the banks were in banking. The US has 10,000 banks. The costs and benefits of deploying Chip and PIN would fall on different banks. Without strong government leadership it only takes one bank to scream ‘anti-trust’ to collapse an industry-wide initiative.

The result of US government inaction is that organized crime is currently stealing a quarter billion dollars from US banks who pass that cost (plus markup) onto consumers. It also means that anyone with a US bank account is finding it increasingly difficult to use a credit card outside the US.

PS There’s another result.  US credit cards are increasingly not accepted abroad – they simply don’t work.  I’ve had my card refused by a hospital emergency room (that was fun) among other places.

Share This Post

© 2019 AMERICAblog Media, LLC. All rights reserved. · Entries RSS