ATMs Aren't So Secure Either

from the transparency dept

Tue, May 27th 2008 1:07pm — Timothy Lee

Back in March, I responded to the common argument that since automatic teller machines are widely used and seem to be secure, secure electronic voting must be doable as well. I pointed out a couple of problems with this argument, but I took as a given that ATM machines are in fact, secure. But Matt Blaze recently discovered that ATMs aren't that secure either. When Blaze tried to withdraw cash from a Philadelphia cash machine, he encountered a bunch of problems. The information on the screen was screwed up, the machine gave him $10 more than he'd requested, and the machine failed to give him his receipt. Even more worrisome, when he went into the bank to suggest that they check out the machine and see what might have been wrong with it, the assistant manager actually argued with him, assuring him that the machine was working just fine and Blaze must be imagining things. Incredibly, when he tried to show her a screenshot he had taken with his cell phone, she cut him off by pointing out that photography isn't allowed in the bank.

Obviously, part of the problem here is a bank employee who has a bad attitude. But it also illustrates a couple of additional problems with the "ATMs work so why can't e-voting?" argument. First, people have a habit of trusting machines more than people. When elections are conducted with pencil and paper, everyone understands that some of the human beings might have hidden agendas and need to be watched closely. In contrast, people tend to assume that machines are completely objective and unbiased, and so they're less likely to notice problems with machines even when (as in the case of this bank manager) the evidence is staring them in the face. Second, if it turns out that the ATM screwed up, Blaze will at some point get a statement from his bank telling him how much money the bank thinks he withdrew, and he can object if it differs from what he actually got. There isn't (and due to voter privacy concerns, can't be) a similar process for e-voting. If a paperless voting machine screws up, there's no way to double-check the results after the fact.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: atms, reliability, security, verification

28 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Ima Fish, 27 May 2008 @ 1:16pm

ATMs secure?! They're just computers running Windows. Need I say more? Didn't think so.
[ link to this | view in chronology ]
Les B. Labbauf, 27 May 2008 @ 1:29pm

ATMs Secure?
Most of the ATMs that I use still run OS/2.
[ link to this | view in chronology ]
- Adam, 27 May 2008 @ 2:24pm
  
  Re: ATMs Secure?
  > Most of the ATMs that I use still run OS/2.
  
  You say that as though it is a bad thing...
  
  I feel compelled to point out OS/2 has true protected memory, is stable as a rock, and is not a common target of script kiddies and the scripters that script for them, to name just a few points in its favor.
  [ link to this | view in chronology ]
- Anthony, 27 May 2008 @ 2:43pm
  
  Re: ATMs Secure?
  Yeap, and are TELNET'd into your bank, not ssh. All i need now is ethereal...
  [ link to this | view in chronology ]
  - Adam, 27 May 2008 @ 5:24pm
    
    Re: Re: ATMs Secure?
    True, but not a problem with OS/2 per se. We agree?
    [ link to this | view in chronology ]
Another Moron, 27 May 2008 @ 1:36pm

Hey Now
I used to work on Lottery machines, they ran Windows 98 in the background... I'm not kidding! Let the comments fly on that one.
[ link to this | view in chronology ]
miggins, 27 May 2008 @ 1:45pm

Anyone notice the new BofA Diebold machines?
Bank of America just outfitted all of the branches that I know of here on the west coast with brand new ATM's. The only distinct advantage I can see with these machines is that they now scan personal checks as you put it in the machine.

Other than that, these new machines are much slower than the older versions.

Anyways, I just thought it was ironic that you mention voting machine security and ATMs in this article now that diebold is neck deep in the ATM machine business.
[ link to this | view in chronology ]
Evil Mike, 27 May 2008 @ 2:02pm

Fact of the matter...
if everybody believes it can, will, and should be done. It is only a matter of time before it happens.

Besides, for humans, the first (and most difficult) half of accomplishing anything is knowing it can be done.

Therefore, electronic voting can only be viewed as an inevitability.
[ link to this | view in chronology ]
- mobiGeek, 27 May 2008 @ 7:52pm
  
  Re: Fact of the matter...
  I strongly believe that e-voting can be secure. There are two main factors holding secure e-voting back: transparency and cost.
  
  If we were to invest into "democracy" just a teeny-tiny fraction of the money put into things like "security", then cost wouldn't be an issue.
  
  Now it is a matter of having a transparent process for development and implementation of the machines. This is one project that might, just might, be better taken on by the public sector for the "Greater Public Good", if no private organization is willing to work in the open.
  [ link to this | view in chronology ]
Sean, 27 May 2008 @ 2:08pm

This is about security?
The main thing that reading Mr. Blaze's post made me think is that people who use machines that are obviously at least a little broken shouldn't be surprised when the machine breaks even more when they continue to use it.
It's not security, "it's are you smart enough to know when to walk away?"
[ link to this | view in chronology ]
DJ, 27 May 2008 @ 4:15pm

Re: ATMs secure?
What about an open source voting solution? Make both the hardware and software public and let a world full of hackers and conspiracy theorists try to break it. It might or might not pan out, but if it does the result would be far better than vendor proprietary solutions.

Now we just need a complementary business model...
[ link to this | view in chronology ]
Don't believe the ATM, 27 May 2008 @ 5:06pm

re: I got ripped off by ATM/bank
I had receipts that showed odd amounts being withdrawn from my account via the ATM machine. The bank manager refused to do anything about it and said that I had obviously found a way to make odd amount withdrawals. I lost hundreds of dollars, got slapped with overdraft fees, and couldn't get the bank to own up to a crooked employee (the story broke later). I had receipts it did nothing for me. The bank said I had to prove I hadn't made those withdrawals. Go figure. Banks are just as crooked as the thief was!
[ link to this | view in chronology ]
Anonymous Coward, 27 May 2008 @ 5:06pm

Not a Prob - Ya right
Bank: the machine was working just fine and Blaze must be imagining things

one month later ......

Bank: and if you do not return the stolen ten dollars we will be forced to contact the DA, oh and you owe us interest.
[ link to this | view in chronology ]
ATM Mistake, 27 May 2008 @ 5:24pm

ATMs don’t make mistakes people do. I worked on them for 7 years,
the cassettes that are put into them have ID tabs in the back. So if a 10.00 cassette gets charged with 20 dollar bills the machine does it job perfectly, it’s just the person the loaded the cassette that made the mistake. There is a electronically journal that will tell the bank who got the extra cash and the will ask for it back
[ link to this | view in chronology ]
- Rose M. Welch, 27 May 2008 @ 6:42pm
  
  Re:
  ATMs do in fact make mistakes. Sometimes they don't print out receipts, sometimes when you try to type in the amount you want, it says more or less than what you typed, et ceterah. You can't say that because you worked on x number of machines for 7 years, that all ATMs everywhere work perfectly forever. That's just silly.
  [ link to this | view in chronology ]
Madie, 27 May 2008 @ 5:27pm

Maybe if voting machines were programed using open source software, there would be ample opportunity for techies - or anyone for that matter- to have a gander at the code before elections. That way, machines would be less likely to output several thousand random votes for a specific candidate.
[ link to this | view in chronology ]
Tony, 27 May 2008 @ 5:32pm

Way to lose customers
I'm looking for a new bank right now. Reading about how the PNC Bank Manager handled this situation has made me cross them off my list of possibilities.

And @12 - are you saying that ATM's are bug-free?
[ link to this | view in chronology ]
HoustonSerenity, 27 May 2008 @ 5:49pm

=>12
All mistakes a machine makes is human errors. In design,programing or maintains.
[ link to this | view in chronology ]
Crazy Coyote, 27 May 2008 @ 6:16pm

Secure my a**
There is a walk-in ATM near my house and I can hear the tones generated, PIN included, on my police scanner. Just need someone with a good ear and hit them as they walk out. It also picks up every cordless phone in the neighborhood. Now that's entertainment!
[ link to this | view in chronology ]
- Nasch, 28 May 2008 @ 9:39am
  
  Re: Secure my a**
  What do you mean by hear the tones on your police scanner? Like the beeps it makes when you push a button? Or you can intercept the PIN, or what are you saying?
  [ link to this | view in chronology ]
Ben, 27 May 2008 @ 6:31pm

Preventing errors
I always count the money in front of the camera. That way there is no dispute how much you got. And, yes, they do make mistakes, because I once got $160 after requesting $60. Before the bank opened, they already withdrew the extra $100 from my account.
[ link to this | view in chronology ]
Anonymous Coward, 27 May 2008 @ 6:31pm

I have not used an ATM since they started charging to use it, ummm lets see now ... that was 1980 I believe.
I refuse to use the damn things and from the looks of it, I am justified in this conviction.

Oh - one more thing - get off my lawn !
[ link to this | view in chronology ]
- tubes, 28 May 2008 @ 5:34am
  
  Re:
  As long as you use your own banks ATM there are no fees!
  [ link to this | view in chronology ]
Rekrul, 27 May 2008 @ 9:15pm

If the ATM gives you more than you asked for, or it says you have more in your account than you do, tell the manager. If he insists that there's no problem, have him sign a statement to that effect. When they discover the error and want the money back, take the statement to your lawyer and tell him that the manager assured you that there was no problem.
[ link to this | view in chronology ]
Mark, 28 May 2008 @ 2:40pm

> There isn't (and due to voter privacy concerns, can't be) a similar process for e-voting.

Sure there is. The voting machine can print a receipt that doesn't identify you, but identifies the vote (machine sn + transaction #). Publish the tallies for each machine after the election on a web site so voters can check against their receipt.
[ link to this | view in chronology ]
- Tim Lee, 28 May 2008 @ 2:49pm
  
  Re:
  This doesn't work because one of the goals of a voting system is a secret ballot: that is, that voters can't prove to a third party how they voted. Otherwise there are risks of vote-buying and other forms of coercion.
  [ link to this | view in chronology ]
Crazy Coyote, 28 May 2008 @ 5:38pm

RE: #24
I can hear the tones, just like dialing a phone number. I can hear distinct tones when the PIN is entered. If I somehow got the card of that person I would know the PIN. I suppose it could be intercepted. My scanner is an older model so it wasn't subject to the government restrictions put on the newer models.
[ link to this | view in chronology ]
Michael, 29 May 2008 @ 10:23am

i think we should have govt issued devices that hook up to wireless networks that would make an ssh 256 bit encrypted connection to a govt ip to do voting. It could run some variant of unix with a little gui on top. And set up wireless networks around voting places. Yeah some one could and probably would try and figure out how to hack it, but thats the nature of the beast. It's all part of the progress, besides wouldn't you rather some hacker looking out for your best interests instead of some corrupt politician stuffing boxes? I mean if we had a system that said that only one SS# could vote once, wouldn't we have the same system we have right now? It would only be digital, therefore easer to track and verify data. Unlike now where dead people constantly vote in major elections and it doesn't get found out till years after. But i guess really my main complaint is with the system in its self, it doesn't really matter what system of voting we use, our votes don't count anyway. We should probably get rid of these delegates make them get "real" jobs then use that money to make my idea :P
[ link to this | view in chronology ]