ATMs Aren't So Secure Either

from the transparency dept

Back in March, I responded to the common argument that since automatic teller machines are widely used and seem to be secure, secure electronic voting must be doable as well. I pointed out a couple of problems with this argument, but I took as a given that ATM machines are in fact, secure. But Matt Blaze recently discovered that ATMs aren't that secure either. When Blaze tried to withdraw cash from a Philadelphia cash machine, he encountered a bunch of problems. The information on the screen was screwed up, the machine gave him $10 more than he'd requested, and the machine failed to give him his receipt. Even more worrisome, when he went into the bank to suggest that they check out the machine and see what might have been wrong with it, the assistant manager actually argued with him, assuring him that the machine was working just fine and Blaze must be imagining things. Incredibly, when he tried to show her a screenshot he had taken with his cell phone, she cut him off by pointing out that photography isn't allowed in the bank.

Obviously, part of the problem here is a bank employee who has a bad attitude. But it also illustrates a couple of additional problems with the "ATMs work so why can't e-voting?" argument. First, people have a habit of trusting machines more than people. When elections are conducted with pencil and paper, everyone understands that some of the human beings might have hidden agendas and need to be watched closely. In contrast, people tend to assume that machines are completely objective and unbiased, and so they're less likely to notice problems with machines even when (as in the case of this bank manager) the evidence is staring them in the face. Second, if it turns out that the ATM screwed up, Blaze will at some point get a statement from his bank telling him how much money the bank thinks he withdrew, and he can object if it differs from what he actually got. There isn't (and due to voter privacy concerns, can't be) a similar process for e-voting. If a paperless voting machine screws up, there's no way to double-check the results after the fact.



Reader Comments (rss)

(Flattened / Threaded)

  •  
    identicon
    Ima Fish, May 27th, 2008 @ 1:16pm

    ATMs secure?! They're just computers running Windows. Need I say more? Didn't think so.

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Les B. Labbauf, May 27th, 2008 @ 1:29pm

    ATMs Secure?

    Most of the ATMs that I use still run OS/2.

     

    reply to this | link to this | view in chronology ]

    •  
      identicon
      Adam, May 27th, 2008 @ 2:24pm

      Re: ATMs Secure?

      > Most of the ATMs that I use still run OS/2.

      You say that as though it is a bad thing...

      I feel compelled to point out OS/2 has true protected memory, is stable as a rock, and is not a common target of script kiddies and the scripters that script for them, to name just a few points in its favor.

       

      reply to this | link to this | view in chronology ]

    •  
      identicon
      Anthony, May 27th, 2008 @ 2:43pm

      Re: ATMs Secure?

      Yeap, and are TELNET'd into your bank, not ssh. All i need now is ethereal...

       

      reply to this | link to this | view in chronology ]

  •  
    identicon
    Another Moron, May 27th, 2008 @ 1:36pm

    Hey Now

    I used to work on Lottery machines, they ran Windows 98 in the background... I'm not kidding! Let the comments fly on that one.

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    miggins, May 27th, 2008 @ 1:45pm

    Anyone notice the new BofA Diebold machines?

    Bank of America just outfitted all of the branches that I know of here on the west coast with brand new ATM's. The only distinct advantage I can see with these machines is that they now scan personal checks as you put it in the machine.

    Other than that, these new machines are much slower than the older versions.

    Anyways, I just thought it was ironic that you mention voting machine security and ATMs in this article now that diebold is neck deep in the ATM machine business.

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Evil Mike, May 27th, 2008 @ 2:02pm

    Fact of the matter...

    if everybody believes it can, will, and should be done. It is only a matter of time before it happens.

    Besides, for humans, the first (and most difficult) half of accomplishing anything is knowing it can be done.

    Therefore, electronic voting can only be viewed as an inevitability.

     

    reply to this | link to this | view in chronology ]

    •  
      identicon
      mobiGeek, May 27th, 2008 @ 7:52pm

      Re: Fact of the matter...

      I strongly believe that e-voting can be secure. There are two main factors holding secure e-voting back: transparency and cost.

      If we were to invest into "democracy" just a teeny-tiny fraction of the money put into things like "security", then cost wouldn't be an issue.

      Now it is a matter of having a transparent process for development and implementation of the machines. This is one project that might, just might, be better taken on by the public sector for the "Greater Public Good", if no private organization is willing to work in the open.

       

      reply to this | link to this | view in chronology ]

  •  
    identicon
    Sean, May 27th, 2008 @ 2:08pm

    This is about security?

    The main thing that reading Mr. Blaze's post made me think is that people who use machines that are obviously at least a little broken shouldn't be surprised when the machine breaks even more when they continue to use it.
    It's not security, "it's are you smart enough to know when to walk away?"

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    DJ, May 27th, 2008 @ 4:15pm

    Re: ATMs secure?

    What about an open source voting solution? Make both the hardware and software public and let a world full of hackers and conspiracy theorists try to break it. It might or might not pan out, but if it does the result would be far better than vendor proprietary solutions.

    Now we just need a complementary business model...

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Don't believe the ATM, May 27th, 2008 @ 5:06pm

    re: I got ripped off by ATM/bank

    I had receipts that showed odd amounts being withdrawn from my account via the ATM machine. The bank manager refused to do anything about it and said that I had obviously found a way to make odd amount withdrawals. I lost hundreds of dollars, got slapped with overdraft fees, and couldn't get the bank to own up to a crooked employee (the story broke later). I had receipts it did nothing for me. The bank said I had to prove I hadn't made those withdrawals. Go figure. Banks are just as crooked as the thief was!

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Anonymous Coward, May 27th, 2008 @ 5:06pm

    Not a Prob - Ya right

    Bank: the machine was working just fine and Blaze must be imagining things

    one month later ......

    Bank: and if you do not return the stolen ten dollars we will be forced to contact the DA, oh and you owe us interest.

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    ATM Mistake, May 27th, 2008 @ 5:24pm

    ATMs don’t make mistakes people do. I worked on them for 7 years,
    the cassettes that are put into them have ID tabs in the back. So if a 10.00 cassette gets charged with 20 dollar bills the machine does it job perfectly, it’s just the person the loaded the cassette that made the mistake. There is a electronically journal that will tell the bank who got the extra cash and the will ask for it back

     

    reply to this | link to this | view in chronology ]

    •  
      identicon
      Rose M. Welch, May 27th, 2008 @ 6:42pm

      Re:

      ATMs do in fact make mistakes. Sometimes they don't print out receipts, sometimes when you try to type in the amount you want, it says more or less than what you typed, et ceterah. You can't say that because you worked on x number of machines for 7 years, that all ATMs everywhere work perfectly forever. That's just silly.

       

      reply to this | link to this | view in chronology ]

  •  
    identicon
    Madie, May 27th, 2008 @ 5:27pm

    Maybe if voting machines were programed using open source software, there would be ample opportunity for techies - or anyone for that matter- to have a gander at the code before elections. That way, machines would be less likely to output several thousand random votes for a specific candidate.

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Tony, May 27th, 2008 @ 5:32pm

    Way to lose customers

    I'm looking for a new bank right now. Reading about how the PNC Bank Manager handled this situation has made me cross them off my list of possibilities.

    And @12 - are you saying that ATM's are bug-free?

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    HoustonSerenity, May 27th, 2008 @ 5:49pm

    =>12

    All mistakes a machine makes is human errors. In design,programing or maintains.

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Crazy Coyote, May 27th, 2008 @ 6:16pm

    Secure my a**

    There is a walk-in ATM near my house and I can hear the tones generated, PIN included, on my police scanner. Just need someone with a good ear and hit them as they walk out. It also picks up every cordless phone in the neighborhood. Now that's entertainment!

     

    reply to this | link to this | view in chronology ]

    •  
      identicon
      Nasch, May 28th, 2008 @ 9:39am

      Re: Secure my a**

      What do you mean by hear the tones on your police scanner? Like the beeps it makes when you push a button? Or you can intercept the PIN, or what are you saying?

       

      reply to this | link to this | view in chronology ]

  •  
    identicon
    Ben, May 27th, 2008 @ 6:31pm

    Preventing errors

    I always count the money in front of the camera. That way there is no dispute how much you got. And, yes, they do make mistakes, because I once got $160 after requesting $60. Before the bank opened, they already withdrew the extra $100 from my account.

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Anonymous Coward, May 27th, 2008 @ 6:31pm

    I have not used an ATM since they started charging to use it, ummm lets see now ... that was 1980 I believe.
    I refuse to use the damn things and from the looks of it, I am justified in this conviction.

    Oh - one more thing - get off my lawn !

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Rekrul, May 27th, 2008 @ 9:15pm

    If the ATM gives you more than you asked for, or it says you have more in your account than you do, tell the manager. If he insists that there's no problem, have him sign a statement to that effect. When they discover the error and want the money back, take the statement to your lawyer and tell him that the manager assured you that there was no problem.

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Mark, May 28th, 2008 @ 2:40pm

    > There isn't (and due to voter privacy concerns, can't be) a similar process for e-voting.

    Sure there is. The voting machine can print a receipt that doesn't identify you, but identifies the vote (machine sn + transaction #). Publish the tallies for each machine after the election on a web site so voters can check against their receipt.

     

    reply to this | link to this | view in chronology ]

    •  
      identicon
      Tim Lee, May 28th, 2008 @ 2:49pm

      Re:

      This doesn't work because one of the goals of a voting system is a secret ballot: that is, that voters can't prove to a third party how they voted. Otherwise there are risks of vote-buying and other forms of coercion.

       

      reply to this | link to this | view in chronology ]

  •  
    identicon
    Crazy Coyote, May 28th, 2008 @ 5:38pm

    RE: #24

    I can hear the tones, just like dialing a phone number. I can hear distinct tones when the PIN is entered. If I somehow got the card of that person I would know the PIN. I suppose it could be intercepted. My scanner is an older model so it wasn't subject to the government restrictions put on the newer models.

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Michael, May 29th, 2008 @ 10:23am

    i think we should have govt issued devices that hook up to wireless networks that would make an ssh 256 bit encrypted connection to a govt ip to do voting. It could run some variant of unix with a little gui on top. And set up wireless networks around voting places. Yeah some one could and probably would try and figure out how to hack it, but thats the nature of the beast. It's all part of the progress, besides wouldn't you rather some hacker looking out for your best interests instead of some corrupt politician stuffing boxes? I mean if we had a system that said that only one SS# could vote once, wouldn't we have the same system we have right now? It would only be digital, therefore easer to track and verify data. Unlike now where dead people constantly vote in major elections and it doesn't get found out till years after. But i guess really my main complaint is with the system in its self, it doesn't really matter what system of voting we use, our votes don't count anyway. We should probably get rid of these delegates make them get "real" jobs then use that money to make my idea :P

     

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Save me a cookie
  • Note: A CRLF will be replaced by a break tag (<br>), all other allowable HTML will remain intact
  • Allowed HTML Tags: <b> <i> <a> <em> <br> <strong> <blockquote> <hr> <tt>
Follow Techdirt
A word from our sponsors...
Essential Reading
Techdirt Reading List
Techdirt Insider Chat
A word from our sponsors...
Recent Stories
A word from our sponsors...

Close

Email This