Sunday, January 15, 2012

Security of ATM machines

DBS Bank suffered several unauthorized withdrawals from their customer accounts. They are now introducing additional measures to enhance security.

It is important to have adequate security, but we have to distinguish between good and bad security measures. A good security measure is effective and does not increase the cost significantly or make it inconvenient for customers. A bad measure does the opposite.

The culture in Singapore is "security at all cost", to plan for "the worst case scenario". It is the culture in Singapore to over-react and take excessive measures to "enhance security". This is called our "kiasu" and "kiasi" syndromes. I have seen many examples of bad measures that are costly and ineffective. The trouble is that all of these measures keep adding up, making life quite complicated and stressful.

If you were in charge of implementing the good measures to enhance the security of ATM machines in a bank, what would you do?

4 comments:

yujuan said...

OCBC Bank recently boasted that they have installed a unique security system to protect clients using the ATM machine. So convincing is the boast that we are really tempted to close all accounts at DBS, a known moron at client protection, and transfer to OCBC.
The thumb print system used by Immigration at the auto entry and departure points is unfeasible, as some prints could not be captured.
Maybe recognising the picture of the user's face at the ATM may be workable.
Meanwhile, still trying to ask around what is so unique about the OCBC system.

Tan Kin Lian said...

I wish to look for a solution that does not involve the change of the current magnetic strip card. Currently, it is possible for a crook to skim the data on the card and get the PIN, and wow - money can be withdrawn.
One possible approach is for the ATM machine to ask the customer to use his registered mobile to dial a certain number. The bank will take the mobile number, using caller ID, to "activate" the account for withdrawal. For the crook to take out money, the crook needs to have the mobile phone as well. This will be a hindrance. It is like 2FA using a mobile phone.
Do you agree with this approach?

ATM Machines said...

I think it's a great idea. The companies can message a new dynamic PIN daily for every transaction on the phone that should expire by end of the day.

ATM Machines said...

Great idea.
