cross-posted from: https://fedia.io/m/privacy/t/346211
I need to check the balance of my bank card. It’s apparently becoming quite rare for ATMs to support balance inquiries. So as I try many different ATMs to check the balance, some ATMs demand PIN entry before you even see the service offers. So I enter my PIN and then it only gives a cash withdrawal option, at which point I eject.
Couple problems here:
anti-fraud AI sensors can be very fragile & trigger happy. If my card is inserted into several different ATMs with & no transaction is initiated, I am of course concerned that my account will be frozen due to fraud false positive.
some ATMs automatically print out your balance on the receipt if you ask for a receipt. Some show it on the screen Some ATMs will only print the balance on the receipt if you specifically requested the balance in your session. Some ATMs are completely incapable of balance inquiries (at least for cards from other banks). Consumers seem to have no way of knowing what kind of ATM they are dealing with in advance, which forces us to experiment.
Questions:
when an ATM demands PIN in advance, does that mean the transaction will signal the bank even if the session is terminated when the menu shows no balance inquiry option? IIUC, the PIN can be verified using the cards EMV chip without using the network - but is that necessarily the case?
when an ATM shows the menu options before asking for a PIN, can we count on no signal being sent to the bank?
One of my accounts got frozen for fraud. I called the bank, complained, demanded answers. The bankers themselves are kept in the dark and left guessing about what happened. One banker said “you asked for more than the daily limit 2 or 3 times, which failed, then you went to a different ATM and tried again. Since you went to a different machine, that likely looked like fraud”. (of course I tried a different machine -- why would a legit user keep trying the same machine?)
Sounds like you need a different bank, not an improvement to atms. None of that is normal.
I think it’s the new normal. Aren’t banks like n26 & Revolut purely by smartphone? This was a proper bank that became like the smartphone banks. I see how people all around me blindly trust smartphones & Google or Apple with reckless disregard. And they upgrade with reckless disregard. The Fedi crowd is more likely to see the absurdity in a bank-by-smartphone situation but the young generations would probably just as well have Snapchat handle their banking. It’s a terrible direction things are going in. I can’t even reserve public parking in my region offline anymore.
One of the traditional banks in my area is gradually removing features from the web service & making them exclusively app services. They probably hope to eventually pull the plug on the website. I’m close to pulling the plug on banking.
That all sounds god awful. You may consider giving Ally bank a try. No US banks can be truly private post patriot act, but their website is full featured and they essentially never charge fees. They also have crazy high interest checking rates, and decent customer service.
If you stick with your current horse corpse dumpster fire bank, I question the merit of avoiding downloading their mobile app and instead sticking your card into lots of random unverified ATMs to try to get balance reports. At least here in Montana, those reports will often incur a charge even if you don’t withdraw money. The app may not be great, but SSL is cryptographically sound and the bank has your social and your identity anyway. Sometimes it’s more secure to dance with the devil you know. Just a thought.
Either way, best of luck
My dumpster fire bank is not the US. But I would avoid Ally anyway since that bank’s website is tor-hostile and their privacy policy also scores below average on privacy. I suppose the low fees and high interest must be offset by data monetization.
Third party ATMs do not appear to exist in my region. All ATMs are bank-owned AFAICT.
The app requires trusting whoever the bank outsourced the coding to. Does the bank even get to see the source code? I wouldn’t trust the bank or the profit-driven closed-source developers to not include spyware or to look after the consumer’s interests. Especially in the case of US banks. Apart from that I object to Google keeping track of where I bank (data which can ultimately be sold to debt collectors) -- which is inherent in being forced to use the Play Store. I also object to buying a new phone (hardware) in order to chase the version requirements. These abuses are certain, thus a non-starter compared to the mere bad luck chance of fraud by a dodgy ATM which at least have the remedy of consumer legal protections.
You don't trust the bank's app because of who they might have outsourced the code to, but you will trust that the ATMs haven't been tampered with by criminals? Because the latter is by far more common than the exploitation of a security hole in a banking app.
You can safely scratch out the word “might”. It’s very unlikely that a bank would write their own app in-house.
I don’t trust the outsourced entity, nor do I trust the bank. Banks use the cover of “KYC” to collect abusive amounts of information. Closed-source projects need to profit too & banks would be happy to reduce their cost by allowing 3rd party data collection. Most banking apps are outright tagged that they call for perms to collect your GPS location. I also don’t trust Google not to profit from information about where Google pawns do their banking -- that’s too valuable to debt collectors to let it go unexploited.
I trust consumer protections to be enforced. I’ve made use of those protections in an ID theft situation so I’ve seen 1st hand that they work. If you fear ATMs then you cannot easily fight the #warOnCash. Do you get your cash over the counter, or do you simply support the war on cash and all the data leeches banks feed? If you’re quite worried about it, I suggest using the indoor ATM at a bank that’s only accessible during business hours.
You get no consumer protection from bank snooping that you agreed to in the ToS. You should read your bank’s ToS and privacy policy sometime. It’s interesting to see what they needlessly collect.
An outsider exploit is not the biggest threat. It’s the bank itself snooping lawfully (and monetizing that data to keep your fees down) that’s the most certain compromise. Though exploits cannot be ruled out either since closed-source blocks users from auditing the security.
I don't fear ATMs. Just pointing out that if you're going to every single ATM in your entire town and putting your card in every single one, you're massively increasing your chances of having your card skimmed. Consumer protections are all very well for fixing the damage after the fact, but it doesn't change the fact that you're spending time and energy getting it sorted out.
The magstripe is useless in my area. The bank also automatically blocks the use of the card in non-EMV regions. A travel notice is needed to make the card function in non-EMV areas. The magstripe encodes a flag that declares that an EMV chip is present so EMV-capable readers will reject the magstripe. So a skimmer would have to find out my travel plans to a non-EMV region. They will be waiting a very long time because I have a different card for non-EMV regions. I could just as well scrape the magstripe off if I thought skimming were a significant risk.
The other exploit is trapping the card using a plastic sleeve then fetching it after you give up and leave. If my card gets stuck in a machine, I would operate under the assumption that that attack is in play. An attacker can drop off a compromised ATM.. a whole machine. Those are always free-standing. I don’t think free-standing ATMs exist in my area.
it's really not though. You can tell because, while I'd be willing to bet that almost everyone in this thread has a bank account, none of us think of it as normal.
Every region has a different norm. Smartphone banking may not have caught on in the US but the European normal is quite different in the banking sector.
Europe even has cashless banks (not joking). These are “banks” that actually have no vault, only computers, and do not handle cash. No cash deposits. Withdrawals only possible at ATMs. If your ATM card fails and you need cash, you go to the bank and a banker walks with you to the ATM so the banker can withdraw the cash using a special card. It’s normal in Scandinavia but I think it would be shocking if a US bank were to operate this way. A cashless US bank would be an embarrassment.
The #WarOnCash have made bigger strides in Europe than the US.
If you want to withdraw $15k in banknotes in the US, it’s normal. In Europe it’s not only abnormal but sends red flags. I know someone who tried to withdraw €15k from her bank account and the bank called the police and arrested her. She was not charged with anything but they fully documented the attempt and released her. That was in a country where cash transactions greater than €3k are illegal. Spain, France, and Belgium all have cash limits like this. Netherlands is next. (to be clear, I think a €15k withdrawal would not be illegal on the part of the consumer but it likely exceeded the ToS of the bank and also triggers suspicion.. some of the details are murky)
In my region it’s illegal for a bank to offer 1FA logins. So the banks give you an RSA token of sorts.. a hardware device. Some banks have opted to use mobile phones for 2FA instead of buying and maintaining special purpose devices for everyone. Then they leaped to the assumption that everyone has a smartphone. From there it’s natural for them to figure there’s no longer need to maintain a website.