ENISA issues “Golden ATM Rules” – A good idea? Too little too late? Or both?

OK, this floated across Twitter over the weekend:

With the annual cost of ATM crime in Europe approaching half a billion Euros, ENISA, the European Network and Information Security Agency, is urging consumers to be more aware of the risks and take precautions to avoid personal loss. The rapid growth in the number of ATMs, combined with more sophisticated attacks and fraud has resulted in an alarming 149% rise in ATM attacks in 2008.

For those of you who don’t know what ENISA is, they’re kind of the EU equivalent to US-CERT. While I think that the “Golden Rules” are mostly fluff, I’ve always felt that Europe is more of the FEBA (forward edge of the battle area) for ATM-based attacks. This is a good start at trying to address issues with ATMs and I applaud it. However, with more and more sophisticated attacks coming out against ATMs, is ENISA trying to formulate battle plans against horse cavalry when the bad guys are deploying armored tanks? Could the effort of creating these be better used to start pushing banks to reevaluate ATM security? ENISA seems to be aiming for “low hanging fruit” in this case; however, this strategy could backfire. It’s possible that they’re setting themselves up for failure if malware-based attacks start to become prevalent. If people, by some strange miracle, start taking these recommendations to heart, follow them, and still get owned, ENISA is going to have a tough time explaining themselves.

There are a lot of issues with it, but I’ll be the first to say that the perfect is the enemy of the good. This is a step in the right direction. I would love to see this start being pushed in the United States. ATM skimming scams are becoming increasingly common across various regions of the United States. Various European gangs are starting to export their attacks, sending crews to other countries to steal data, so this is rapidly becoming a global problem. Ideally, in the United States at least, it would be great if some of the big banks started pushing PSAs to their customers regarding skimming and shoulder surfing. This could be sticky, as I think we’d see “third party” ATM vendors scream bloody murder if the big banks say “Look out for sketchy ATMs!” I also know for a fact that Bank of America has “free standing” ATMs (like the one at the MA-24/I-495 rest stop, complete with a Cisco router visible inside the machine, *shudder*) in some spots, and I doubt they would want to drive people away from them. But still, could you picture a bank embracing ATM security? I’d certainly consider moving my business to them. The more evil side of me would love to see technology advocacy groups start pushing this as well. It would be interesting to start seeing stickers on ATMs proclaiming them possibly unsafe to use, similar to the circa-2005 “This phone is tapped” stickers that were placed on pay phones across the US. I am sure that the banking industry would be in a tizzy if these started showing up on numerous ATMs overnight.

So, this has become a bit of a rambling post with no clear point to tie it all together. I guess I’ll just give kudos to ENISA and tell everyone to read the Golden Rules and follow them. You’ll be glad you did.