ATM security mugging/ robbery


(Hunter) #1

Hi!

So i have an idea and i want to share it and see what others think. First of, has anyone ever been mugged at an atm? Made to enter your pin and withdraw all the cash that you can?

Well, as i regular traveller (Currently on my 89th country) i hear about these type of muggings far too often and i have always thought there is a pretty simple way around this, maybe it already exists but i have never come across it!

The solution, a pin code that unlocks a 2nd account/ backup/ security account with limited funds in it to keep your main account safe.

You are being mugged and forced to enter your pin to withdraw money and instead of entering 1111 showing you have £10000 and can withdraw say £1000 you simply enter 2222 and it says you only have £100 and can only withdraw £100.

The thief thinks that is all you have and they are getting what they want and you get to walk away hopefully unharmed and having only lost £100.

It does not sound like it would be that hard to implement whatsoever, so maybe Monzo could get on board? Seeing as the FX fees are non existent i see this card getting a lot of attention from frequent travellers and to me at least it seems like a pretty good idea.

What do you think?


(Tommy Long) #2

Surely the best way to achieve this is just to keep limited funds in your primary account and transfer it over as needed.


#3

I think that the idea is great - I certainly have friends and family who have been mugged at cashpoints and it’s a very distressing experience for most individuals (and sometimes very dangerous).

It would be interesting to hear from Monzo and the engineers on the realistic technicalities of the solution as you suggest it though as I believe that the PIN is be checked against the encrypted data on the card and an Auth is created assuming it is correct which then used to successfully request account specific details. This potentially makes creating the flow you describe as quite difficult. That said, maybe it is possible to alter the appearance of the Authentication Token in such a way depending on the PIN used which Monzo can then use to return the appropriate response and account information.

Great idea though - looking forward to hearing further thoughts.


(Jolin) #4

It’s an interesting idea! I’m not sure :credit_card: can support this from a technical standpoint, but if they can this would be an excellent way to access different savings pots. Say that, for up to five savings pots, you could assign a unique PIN to each pot. Then when paying for something with the card, finds would be deducted from a savings pot based on the PIN you use when paying (obviously with a default PIN for the main account).

So if you’ve been saving for a weekend away, you then use that pot’s PIN when you are on your weekend break.


(Hunter) #5

Thanks Saul! :slight_smile:

Yeh, i have met MANY people who have been mugged and if a solution is in place to minimise the risk and danger involved then it has to be a good thing, right?

Well, i am not IT expert or whatever so i have no idea on the technicalities and it would be great to hear from Monzo! It sounds easy to me but again i am not an IT guy!
You sound like you know what you are talking about though so maybe you could add more info into how you think this could be achieved? Be awesome if we got it working!


(Hunter) #6

That is a great way of thinking about it in terms of saving pots. As this is a feature i would love anyway! Perhaps this is a way to get the feature i want but many others could just use it in terms of “saving pots” as you put it.


#7

Most banks will already have a maximum daily limit that can be withdrawn from an ATM.

And under this situation you’re covered by the bank anyway.

In a stressful situation like that are you even going to remember to use this second pin? Or could trying to remember this second and rarely used pin cause you to get it wrong and annoy your attacker more?


#8

You’re very welcome! :slight_smile:

It would indeed be an excellent thing - the distress of such incidents should not be underestimated. Particularly with the elderly, it can have a deep and long lasting impact that sometimes never gets resolved.

It’s quite a technical area of card processing and there are no doubt many rules to follow in the ISO guidelines for Chip and Pin.

Let’s see what the experts here at Monzo have to add but given that a cash machine should carry out an online cardholder verification and send the PIN encrypted to the issuer, it might well be technically possible to have a dummy account linked to the dummy pin. In this way, account/savings pots could be made to work as you go on to talk about.

A non-technical topic that needs to be discussed alongside is whether Visa and MasterCard and other Card Schemes would allow such a set up to be created as it could be considered to be knowingly allowing card fraud. They would probably argue that you should simply not give your PIN out to anyone. That said, this would be for the scenario that you are held at knife point etc.

Great topic, interesting idea and good discussion!


(Sacha) #9

On a related matter, how about having the technical ability to adjust your daily withdrawal limit within the app? Those who are more security conscious could set a lower daily limit whilst still having the ability to revise them up when needed?


#10

That’s a nice idea Sacha!

You could, if security conscious around ATM’s, set a withdrawal amount from the app that expires after a certain period of time.

If you’re then mugged post removing the funds and held at knifepoint to enter your PIN, Monzo would reject further withdrawal requests stating “withdrawal limit reached”. At present, most attackers would be unlikely to know that you could create another “withdrawal time window” in your app, should you genuinely need/wish to withdraw again in the day.

I think that the possibilities here really highlight how valuable Monzo’s real-time, app based approach is and how at risk the incumbent banks are from this kind of innovation!


(Sacha) #11

There are other things which could be done too. For instance, if you freeze or block your card, there could be an option to flag any attempted withdrawals as fraud in such a way which could be passed to either the police or the bank/organisation if there were subsequent attempts to withdraw or spend on the card.


#12

Absolutely - perhaps an option to allow the fraud attempt data to be anonymised and output across all accounts in a data feed could form the start of a third party fraud insight tool. Other card providers (as they modernise) could also contribute data and the third party process, analyse and identify risky transaction areas that could be fed back to the card issuers such as Monzo.

It’s a hugely exciting area of innovation - for sure!


(Marta) #13

Interesting stuff is flowing!

Most UK banks don’t allow more than £300-400 a day from ATM, that’s good enough cover for me.
Adjustable limits for ATM (to make them lower) - yeah, why not, but I wouldn’t use them for mugging aspect. It could be a good tool for people to control their spend.

Special PINs for mugging and using lower limits in the context of being mugged, umm, not so much :expressionless: . I’d be too afraid to enrage the robber, who was hoping for payday, but is getting measly £100 instead. I’m simply not willing to risk getting beaten or stabbed, I’m happy to give them £400.
I also find it likely that experienced robbers would recognise Monzo card and actually be aware of app settings. Not everyone knows Monzo yet, but in 2 years time?

Special PINs to withdraw from specific pots, tempting! I’m worried that doablity could rely on chip modifications, or worse, the need for ATM/terminal to support it (no chance in the world that world would adapt to one Monzo functionality). On top of that, poor usability, because logically it couldn’t affect magstripe and contactless payments. I doubt that many people would give up contactless payments and use chip/pin for withdrawals from specific pots.


#14

All very valid points @Avishai.

It’s certainly a sensitive area with lots of angles to consider, a crucial question being whether restricting access is likely to increase the risk in reality. Perhaps a tricky one to product test!

I agree that chip modifications would not be attractive but, it could be possible to do it without modification (further research required). ATM/terminal workflow modifications would be a no go - agreed.

A great discussion though provoking lots of thinking about how to hack the current options and set up to add value.


(Jolin) #15

My understanding is that the chips in chip cards can run multiple applications (the ‘debit card’ is just an app running on the chip). What I don’t know is how they can be selected. Certainly there are some terminals that allow selection of different apps on a card, but I’m not sure you’d be able to get the chip to select an app to run based on the PIN you enter.

I think that would be ok (at least in the way I envisage using such a feature). By default, including mag and contactless, it would come out of your main account. That would cover the majority of transactions. I’d happily switch to chip+PIN for a subset of transactions to have them come out of my savings pots automatically. That’s a lot less hassle for me than having to go to the app to manage it.

As I say, though, whether this is even an option technically is far from certain!


(Darren Phipson) #16

I’ve seen that when using ATMs abroad, after entering your PIN, the ATM will ask if you want to withdraw money from your Savings, Checking or Lending account.

This would imply that current systems don’t have the ability to link a PIN to an account type.

It has been suggested that the simplest solution would be to keep a small amount of money in the account and top it up as required but

1 when travelling abroad you might not have access to the internet
2 when Monzo becomes a current account and, therefore, your only account, it’s going to be the account with all of your money so you’ll have nowhere else from where to transfer money.

I think the idea of having two accounts in the app would get around this problem. You could have one account linked to your card and PIN and a second account where you could move your money to in order to reduce the amount potentially taken from you.


(Tommy Long) #17

I’d suggest that everyone should have multiple accounts with their main bank (I have 5 with HSBC currently) and only keep their expected spending for the next x (week? month?) in their main account. As things move to digital this should become easier and easier and makes even more sense.