ATM emergency PIN ignored by Oz banks

Summary:The old wives' tale of entering your ATM PIN in backwards to call for help if you're at the ATM under duress has been around for a while, but even though the technology exists to provide additional security for customers, no Australian bank has plans to implement it.

The old wives' tale of entering your ATM PIN in backwards to call for help if you're at the ATM under duress has been around for a while, but even though the technology exists to provide additional security for customers, no Australian bank has plans to implement it.

(ATM Keypad 2 image by William Grootonk, CC BY-SA 2.0)

The idea behind an emergency PIN implementation is that a user enters specific numbers that indicates they are under duress. While traditionally this was an original PIN typed backwards, there's no reason an alternative PIN couldn't be used to avoid problems when a user's PIN is a palindrome.

Entering the emergency PIN then allows the bank to take precautionary action, which could be as simple as flagging the customer's transaction as suspicious, to activating the ATM's internal camera and calling local police. US laws to implement such an initiative had been proposed in the US Congress as far back as 1986, but the concept only exists today in the form of chain mail hoaxes.

However, making the implementation a reality isn't that far-fetched. In fact, ATM manufacturer Diebold has stated that it is aware of technology that would allow ATM users to contact police in an emergency, and is willing to implement it if the banks request it.

But no Australian bank has any plans to do so, even though NSW Police earlier this year stated that Australian ATMs are considered a laughing stock to Romanian crooks due to a lack of security chip measures.

The Commonwealth Bank said that while it reviews its security operations continuously it was not considering emergency PINs.

The National Australia Bank (NAB) considered its security sufficient enough to not give emergency PINs any further consideration.

"NAB has a range of security measures in place for customers transacting at ATMs including video surveillance and sensors as well as daily cash limits to reduce risks, so at this stage, we have no plans to implement emergency PIN technology."

ANZ stated that the initiative wasn't something the bank had considered or that it was on its agenda.

Westpac did not respond to several requests to comment on the matter.

The Commonwealth Bank did state that there may be issues around the logistics of implementing the initiative to tens of thousands of ATMs nationally, but Diebold said that the investment to implement emergency PINs would only need to occur in the back-end systems. It said that there would be nothing to update at the physical ATM.

"The ATM encrypts the customer-entered PIN, but does not validate that data. The encrypted PIN block is then transmitted to the authorising entity, which interacts with a Host Security Module (HSM) to validate a 'good PIN'. Therefore, all investment of identifying a 'duress PIN' is done at the authorising entity, which must then determine to authorise (or not authorise) the withdrawal to the consumer under duress and dispatch local police to the site," said Diebold vice president of ATM security and systems, Chuck Somers.

Ovum principal analyst Graham Titterington said it was likely that it hadn't been implemented because Australian banks didn't think it was worth their while.

"Implementation would just require a relatively minor extension to the ATM software. However, before this could be done there would have to be agreement across all banks in the ATM network, including foreign banks that participate in it, as it involves an extension to the service protocols — no easy challenge."

Titterington suggested that involving the police might create more problems than an implementation might solve, but that simpler precautionary measures should be easy to implement.

"Simply blocking the card across all banks should be relatively simple, but notifying the police adds another level of complexity and cost, particularly if a human operator gets involved at this stage. There is also the question of how the thief/attacker would react."

Topics: Security, Banking

About

A Sydney, Australia-based journalist, Michael Lee covers a gamut of news in the technology space including information security, state Government initiatives, and local startups.

zdnet_core.socialButton.googleLabel Contact Disclosure

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.