To Secure ATM Transactions: Ditch the Card

chicksdaddy writes: Security Ledger has a piece that looks at the efforts of a string of startups to secure ATM transactions from skimmers and malware-based attacks. Step 1: get rid of the ATM card. The article profiles a couple different companies. One, Trusona, has technology that can uniquely identify standard issue ATM cards by analyzing the unique distribution of Barium Ferrite particles on their magnetic strips and using it to connect the card to the customer. The company combines that with card swipe biometrics to thwart malware-based replay attacks. The article also mentions upgrades that will allow banking customers in the U.S. to use a mobile application to withdraw cash from ATMs without a card or PIN, and a prototype from Diebold that combines proximity based sensing (via NFC) with iris scans to authenticate customers and authorize transactions. Cool as it sounds, its worth remembering that most ATM attacks are decidedly "low tech." A survey by the ATM Industry Association in 2015 listed "physical attacks" and those using "explosives" as the second and third most common type of ATM attack after card skimming.

Re:Who is still using mag stripes on ATM cards?

[fraxinus-tree]

You are from Europe, right? US still use mostly the strip. And while the chip is good, it only offers protection from skimming. Other vectors (theft, burglary and likes) still exist.

Re:Who is still using mag stripes on ATM cards?

[Alwin+Henseler]

Not sure how theft, burglary, etc are a problem if you do not write down your pin?

Common method is to look over victims' shoulder when the PIN is used in a legitimate transaction. Often at supermarkets: just think about how 'hard' it is to see what PIN a customer in front of you enters on the keypad.
Then card is stolen / pickpocketed to be used immediately with the just-obtained PIN. Happens regularly, especially with elderly people as victims. But normally unless customer is clearly to blame, card issuer will compensate the damage (well okay... somehow spread out over all customers, that is).

But overall incidence is not that high. So in terms of cost to the average user, chip + PIN is a pretty good system. As a bonus, often the perps are caught on cam when they (try to) use the card at an ATM, retail store etc.

In some European countries (like mine) processing this type of payment has become so efficient, that (per transaction) it's as cheap if not cheaper than exchanging a few coins & bills. And of course store owners love it as it makes for less cash in house & thus less incentive for robbers.

Recently they've introduced the option of PIN-less payments for low-amount transactions (so there's less need to use your PIN 'everywhere'). And/or combined with some kind of electronic wallet that holds a limited amount (up to ~150 Eur or thereabouts). We'll see how that goes.