Catching up on past Sunday papers; this one is from the Metro section dated 1/12/2008: the Times reports on a series of ATM fraud incidents at Grand Central station. A series of unauthorized withdrawals is traced to individuals lingering around the bank of ATMs, shoulder-surfing for PINs and then stepping over to the ATM when the legitimate owner walks away without ending the session.
Not surprisingly, the root cause is bad usability: it is not intuitive to the user when they have “logged out” of the ATM, for lack of a better expression. There are two main design options. In the first, the card is inserted and stays inside the ATM until the transaction is complete. The end of the session is signaled by the machine spitting out the card, letting the customer know it is safe to walk away. (For quick withdrawals there is even an additional forcing function to guide users: the ATM first returns the card and waits to dispense cash until the user has taken the card back.)

The Grand Central ATMs used a different model: the card is swiped, and in order to end the session the user has to answer the question “Do you want another transaction?” The problem is that this question stays on screen for 17 seconds according to the article, enough time for a crook to walk up to the ATM and dip into the other fellow’s funds. During that window the session is still authenticated, so no PIN is needed to continue.

As for location, Grand Central is the perfect setting. Chances are people are hurrying to get some place or catch a train, making it even more likely they will not notice the ATM asking a question after the primary task is complete.