If you’re looking for security tips or best practices for preventing your information (and money) from being stolen at an ATM, you can turn to organizations such as the American Bankers Association, law enforcement agencies, or the bank that issued your card. On the other hand, you’re probably better off avoiding advice from unsourced social media posts.
In November 2018, many Facebook and Twitter users encountered a message claiming that pressing the CANCEL button twice before swiping their cards at ATM machines would prevent their PINs from being stolen:
Always press ‘cancel’ button twice before inserting the card in ATM machine. If anyone has set up the key pad to steal your PIN code, this will cancel that set up. Please make it a habit and part of every transaction that you make. Please share with those about whom you care.
This message did not originate with law enforcement, a financial institution, a cybersecurity firm, or any other authoritative source (although some versions referenced a vague “banker friend”). Nor did this bit of advice specify what form of ATM fraud it would putatively deter. Although it’s possible that some particular ATM theft scheme exists which might be thwarted by a user’s pressing the machine’s CLEAR button twice ahead of a transaction, this advice will not work as a general safety mechanism.
The most common methods for capturing account information and PINs via compromised ATMs are:
1) The installation of a false front on an ATM.
2) The installation of a card “skimmer” (i.e., a device attached to a card reader slot which copies information).
3) The installation of a “Lebanese loop” (i.e., a small plastic device with a barb that holds a card back in the machine).
4) The installation of an overlay on top of the numeric ATM pad to capture PINs.
5) The installation of hidden cameras to record user keystrokes (including the entry of PINs).
None of these schemes is likely to be thwarted by pressing the CLEAR button before a transaction, as none of them relies upon “front-loading” the encrypted PIN pad with input.
Instead, the most common PIN safety tips are the following:
- Memorize your PIN number and don’t write it down and/or carry it in your wallet (or anywhere else).
- Cover the keypad when you enter your PIN to prevent it from being seen by onlookers or cameras.
- Change your PIN regularly.
- Don’t choose your PIN based on personal information (such as date of birth or address).
When we reached out to the American Bankers Association to verify whether they had heard of this advice, or if they themselves had ever recommended that ATM customers press “cancel twice” in order to prevent their PINs from being stolen, they told us that “this was not something that we have heard of” and offered some additional ATM safety recommendations:
This is not something we have heard of. The best guidance we can provide is to make sure you’ve got fraud alerts set up on your account, look for any type of potential tampering or out of place items on the ATM, and cover your hand when you type in your PIN, which stops both pinhole cameras and potential “shoulder surfers.” Finally, be sure to report any suspected fraud to your bank immediately so they can investigate.
David Tente, the executive director of the ATM Industry Association, told us that this claim was “completely false”:
This is completely false. U.S. cards do not store the PIN — the authentication is online. Most international cards use an offline process, which means that the PIN is stored on the card and could conceivably be skimmed. A cancel command from the keypad, though, would not have any impact on the transaction, except to cancel it. The mag stripe data (which is what is skimmed, even on a chip card) would either be captured or not captured — all of it.
In most cases, the PIN is actually captured by a pinhole video camera focused on the PIN pad, an overlay keyboard that captures the button-push as the customer enters it, or someone shoulder-surfing. Use a magazine, your other hand, etc., to hide the PIN pad from view as you enter your PIN. If the PIN pad is raised and not flush with the surface of the ATM fascia, try tugging on a corner to see if there is any “give” to it. It should also not feel as if your pressing the button is a two-step (button under button).
Hitting the “cancel” button twice before using an ATM may not have any downside, but users shouldn’t expect this procedure to do much of anything to keep their information safe from thieves and scammers.