RE: [field experience?] PIN echo and talking ATMs from Wlodkowski, Thomas on 2007-07-09 (wai-xtech@w3.org from July 2007)

From: Wlodkowski, Thomas <Thomas.Wlodkowski@corp.aol.com>
Date: Mon, 9 Jul 2007 12:57:43 -0400
To: <joshue.oconnor@cfit.ie>, "Charles McCathieNevile" <chaals@opera.com>
Cc: "Al Gilman" <Alfred.S.Gilman@ieee.org>, <wai-xtech@w3.org>
Message-ID: <1D65257B9F22C84F89F812FB1C24CA8D01B8FA35@EXCHNVA02.ad.office.aol.com>

I agree with Josh. Any password should be echoed as a star. If it's
available in audio then it's likely hackable. 

-----Original Message-----
From: wai-xtech-request@w3.org [mailto:wai-xtech-request@w3.org] On
Behalf Of Joshue O Connor
Sent: Monday, July 09, 2007 4:55 AM
To: Charles McCathieNevile
Cc: Al Gilman; wai-xtech@w3.org
Subject: Re: [field experience?] PIN echo and talking ATMs

>>> The Chevy Chase Bank talking ATMs echo the pin when an earphone is
>>> connected.
>>
>> So there is actual practice along these lines.  Thanks.
[...]
> I think this is about right. For what it is worth, when entering
passwords on phone browsers with numeric key entry or even handwriting, 
>there is a screen echo of the character, that is replaced (typically
with '*') after you start the next character or after a time delay. 

FWIW - The Chase Bank example would not be best practice or even common.
I would be surprised if it was. There is understandable hesitancy
amongst banks to make this echo feature a standard (or a feature users
can _ever_ expect) for accessible ATMs as there are serious security
considerations to bear in mind when echoing the users PIN numbers. I
would think that what Chaals suggests (replacing the output with '*')
would be more common - particularly with accessible ATMs. Therefore I
have a hunch that the example of the Chase ATM is the exception rather
than the rule.

Why? If the PIN that the user enters is echoed via the audio output,
would it be difficult for some device to be attached to the audio output
which records this information and transmits it to a third party?
Probably not. In Ireland there was no way an ATM with this feature would
be allowed on the street, particularly as this feature was installed
especially for blind users - who may not notice anything wrong with the
ATM unit or detect any tampering with the facade of the ATM, until of
course its too late.

All it takes is a couple of high profile scams - where  scammers abuse
an accessibility feature - to set to cause of accessible banking back to
the stone age (a tad dramatic but nonetheless true).

Cheers

Josh

Received on Monday, 9 July 2007 16:59:38 UTC