cross-posted from: https://fedia.io/m/privacy/t/346211
I need to check the balance of my bank card. It’s apparently becoming quite rare for ATMs to support balance inquiries. So as I try many different ATMs to check the balance, some ATMs demand PIN entry before you even see the service offers. So I enter my PIN and then it only gives a cash withdrawal option, at which point I eject.
Couple problems here:
anti-fraud AI sensors can be very fragile & trigger happy. If my card is inserted into several different ATMs with & no transaction is initiated, I am of course concerned that my account will be frozen due to fraud false positive.
some ATMs automatically print out your balance on the receipt if you ask for a receipt. Some show it on the screen Some ATMs will only print the balance on the receipt if you specifically requested the balance in your session. Some ATMs are completely incapable of balance inquiries (at least for cards from other banks). Consumers seem to have no way of knowing what kind of ATM they are dealing with in advance, which forces us to experiment.
Questions:
when an ATM demands PIN in advance, does that mean the transaction will signal the bank even if the session is terminated when the menu shows no balance inquiry option? IIUC, the PIN can be verified using the cards EMV chip without using the network - but is that necessarily the case?
when an ATM shows the menu options before asking for a PIN, can we count on no signal being sent to the bank?
One of my accounts got frozen for fraud. I called the bank, complained, demanded answers. The bankers themselves are kept in the dark and left guessing about what happened. One banker said “you asked for more than the daily limit 2 or 3 times, which failed, then you went to a different ATM and tried again. Since you went to a different machine, that likely looked like fraud”. (of course I tried a different machine – why would a legit user keep trying the same machine?)
I don’t fear ATMs. Just pointing out that if you’re going to every single ATM in your entire town and putting your card in every single one, you’re massively increasing your chances of having your card skimmed. Consumer protections are all very well for fixing the damage after the fact, but it doesn’t change the fact that you’re spending time and energy getting it sorted out.
The magstripe is useless in my area. The bank also automatically blocks the use of the card in non-EMV regions. A travel notice is needed to make the card function in non-EMV areas. The magstripe encodes a flag that declares that an EMV chip is present so EMV-capable readers will reject the magstripe. So a skimmer would have to find out my travel plans to a non-EMV region. They will be waiting a very long time because I have a different card for non-EMV regions. I could just as well scrape the magstripe off if I thought skimming were a significant risk.
The other exploit is trapping the card using a plastic sleeve then fetching it after you give up and leave. If my card gets stuck in a machine, I would operate under the assumption that that attack is in play. An attacker can drop off a compromised ATM… a whole machine. Those are always free-standing. I don’t think free-standing ATMs exist in my area.