Educause Security Discussion mailing list archives
Re: duress ATM codes
From: Kevin Shalla <kshalla () UIC EDU>
Date: Thu, 15 Dec 2005 11:55:41 -0600
The key here is to make sure the bad guy doesn't know what your true bank balance is. If the receipt said "Thanks for using the duress PIN; your balance of $1497.36 is safe with us, so tell the bad guy you don't have any money" that would be one thing, but the receipt should say "we're sorry, your balance is $18.37, and so is too low to withdraw from this machine". Why would the criminal think your balance is greater than $18.37? We could make a comparison to a bank teller (he presses the silent alarm, but still cheerfully dispenses money), but bank robbers rob banks because "that's where the money is", and individuals may or may not have any money. A teller cannot tell the robber that the bank just ran out of money, because banks ALWAYS have money. In contrast, a robber demanding money of an individual has no idea how much money the person really has. He's not going to take the time to check inside shoes, money belts, neck pouches, etc. if the person has a wallet. It's too risky to do extensive searches. I'm trying to make ATM visits risky to the robber as well What I'm getting at here is that the criminal has no way to know if you're bluffing or not, and if word gets around (Muggers Illustrated) that robberies via ATMs often yield nothing and include a quick police visit, they're likely to settle for your wallet. At 11:10 AM 12/15/2005, you wrote:
Better keep this real quiet so the bad guys don't find out. Cuz if they knew the secret, they say, "OK, sucker, be sure to enter the right PIN. If the machine says you ain't got no money, I'm gonna blow your head off." So...shhhhhhhh! Steve ----- At 11:02 AM -0600 12/15/05, Kevin Shalla wrote: >I know that the SecureID product used to (and perhaps still does) offer the ability for the user to supply a "duress" PIN when accessing a system, which could immediately alert security personnel that the user is being threatened. Does anyone know if any banks have implemented this at ATMs? I could imagine something like this: A victim is carjacked and brought to an ATM and forced to withdraw cash. The victim enters in the duress PIN, and the machine reports that the victim's balance is some random amount under $20 (maybe even overdrawn), and so cannot get any money. The police are automatically given the location of the ATM, along with a photo of the transaction which just occurred. If this were a standard feature (and victims could think well enough under stress to enter the duress PIN instead of the real PIN), this type of crime might be eliminated.
Current thread:
- duress ATM codes Kevin Shalla (Dec 15)
- <Possible follow-ups>
- Re: duress ATM codes Steve Worona (Dec 15)
- Re: duress ATM codes Cal Frye (Dec 15)
- Re: duress ATM codes Willis Marti (Dec 15)
- Re: duress ATM codes Kevin Shalla (Dec 15)
- Re: duress ATM codes Barnes, Jeff (Dec 15)
- Re: duress ATM codes Kevin Shalla (Dec 15)