Educause Security Discussion mailing list archives

Re: duress ATM codes


From: "Barnes, Jeff" <jeffery () UCLA EDU>
Date: Thu, 15 Dec 2005 11:13:16 -0800

I think it is a good idea.  Forget the money, as you can usually only get
$300 a day out of an ATM.  The silent alarm is great.  A few years back
a guy held up someone at an ATM near my house.  The camera was rolling
in the ATM and caught the whole thing.  The guy gave him the $200 and
then got his head blown off without ANY provocation.  This ATM was 3
blocks from the sheriff's station.

Incidentally they did catch the guy as a result of the ATM camera.  12
jurors did not agree when the jerk said the gun went off accidentally.  

In this case a police presence might have saved the guy who left a wife
and 3 kids behind.

Jeff

-----Original Message-----
From: Kevin Shalla [mailto:kshalla () UIC EDU] 
Sent: Thursday, December 15, 2005 9:56 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] duress ATM codes

The key here is to make sure the bad guy doesn't know what your true 
bank balance is.  If the receipt said "Thanks for using the duress 
PIN; your balance of $1497.36 is safe with us, so tell the bad guy 
you don't have any money" that would be one thing, but the receipt 
should say "we're sorry, your balance is $18.37, and so is too low to 
withdraw from this machine".  Why would the criminal think your 
balance is greater than $18.37?

We could make a comparison to a bank teller (he presses the silent 
alarm, but still cheerfully dispenses money), but bank robbers rob 
banks because "that's where the money is", and individuals may or may 
not have any money.  A teller cannot tell the robber that the bank 
just ran out of money, because banks ALWAYS have money.  In contrast, 
a robber demanding money of an individual has no idea how much money 
the person really has.  He's not going to take the time to check 
inside shoes, money belts, neck pouches, etc. if the person has a 
wallet.  It's too risky to do extensive searches.  I'm trying to make 
ATM visits risky to the robber as well.

What I'm getting at here is that the criminal has no way to know if 
you're bluffing or not, and if word gets around (Muggers Illustrated) 
that robberies via ATMs often yield nothing and include a quick 
police visit, they're likely to settle for your wallet.

At 11:10 AM 12/15/2005, you wrote:
Better keep this real quiet so the bad guys don't find out. Cuz if 
they knew the secret, they say, "OK, sucker, be sure to enter the 
right PIN. If the machine says you ain't got no money, I'm gonna 
blow your head off."

So...shhhhhhhh!

Steve
-----
At 11:02 AM -0600 12/15/05, Kevin Shalla wrote:
I know that the SecurID product used to (and perhaps still does) 
offer the ability for the user to supply a "duress" PIN when 
accessing a system, which could immediately alert security 
personnel that the user is being threatened.  Does anyone know if 
any banks have implemented this at ATMs?  I could imagine something 
like this:  A victim is carjacked and brought to an ATM and forced 
to withdraw cash.  The victim enters in the duress PIN, and the 
machine reports that the victim's balance is some random amount 
under $20 (maybe even overdrawn), and so cannot get any money.  The 
police are automatically given the location of the ATM, along with 
a photo of the transaction which just occurred.  If this were a 
standard feature (and victims could think well enough under stress 
to enter the duress PIN instead of the real PIN), this type of 
crime might be eliminated.
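
The following is an added example, not part of the thread and not any bank's or vendor's code: a sketch of a host-side check for the duress PIN proposed above, built so that a duress decline has the same status and fields as an honest low-balance decline. The function names, the alert list, the $20-note rule and the ATM id are assumptions made for illustration.

```python
import hashlib
import hmac
import os

NOTE_CENTS = 2000  # assumption: the machine dispenses only $20 notes


def pin_hash(pin: str, salt: bytes) -> bytes:
    # Salted slow hash; production ATM networks verify PINs inside an HSM.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 50_000)


def enroll(real_pin: str, duress_pin: str, balance_cents: int) -> dict:
    if real_pin == duress_pin:
        raise ValueError("duress PIN must differ from the real PIN")
    salt = os.urandom(16)
    return {"salt": salt, "real": pin_hash(real_pin, salt),
            "duress": pin_hash(duress_pin, salt),
            "decoy_key": os.urandom(32), "balance_cents": balance_cents}


def decoy_balance(acct: dict) -> int:
    # Keyed derivation rather than a fresh random draw: a second inquiry
    # must show the same figure, or the changing balance exposes the decoy.
    mac = hmac.new(acct["decoy_key"], b"decoy-balance", hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "big") % NOTE_CENTS  # always under $20


def authorize(acct: dict, pin: str, amount_cents: int, atm_id: str, alerts: list) -> dict:
    if amount_cents <= 0 or amount_cents % NOTE_CENTS:
        raise ValueError("amount must be a positive multiple of $20")
    candidate = pin_hash(pin, acct["salt"])
    # Run both constant-time comparisons on every attempt so the PIN check
    # takes the same time whichever PIN matched.
    is_real = hmac.compare_digest(candidate, acct["real"])
    is_duress = hmac.compare_digest(candidate, acct["duress"])
    if not (is_real or is_duress):
        return {"status": "BAD_PIN"}
    if is_duress:
        # Silent alarm goes out of band; nothing about it reaches the screen.
        alerts.append({"event": "duress_pin", "atm_id": atm_id})
    shown = decoy_balance(acct) if is_duress else acct["balance_cents"]
    if amount_cents > shown:
        # Same status and fields as an honest low-balance decline.
        return {"status": "INSUFFICIENT_FUNDS", "balance_cents": shown}
    acct["balance_cents"] -= amount_cents  # reachable only with the real PIN
    return {"status": "APPROVED", "balance_cents": acct["balance_cents"]}
```
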
