44

I received a rather intriguing email. It says that if I am at an ATM and I'm in the process of getting robbed, I just enter my PIN in reverse order e.g. 4321 instead of 1234. The ATM will still give me the cash but it will notify the police.

Is this true?

Other examples of this claim can be seen here, Image claim

Image reads

If a thief forces you to take money out of an ATM, do not argue or resist. What you do is punch in your pin # backwards. EX: if its 1234, you'll type 4321. When you do that, the money will come out but will be stuck in the slot. The machine will immediately alert the local police without the robbers knowledge & begin taking photos of the suspect. Every ATM has this feature. Stay safe.

Evan Carroll
maltadolls
  • 85
    Hmm, so what if you have a palindromic PIN like e.g. 4114? – Mad Scientist Mar 21 '13 at 09:05
  • I don't know, I am just quoting what the email said. Never tried it myself. I don't know whether it is an urban myth or not. – maltadolls Mar 21 '13 at 09:07
  • 3
    I've actually had one of those in the past, never did get the police raid an ATM or store while I was there... And many banks allow customers to change their PIN, none of them AFAIK (I've not seen the instructions for every single one of them) lists as a requirement that the number not be a palindrome. Ergo, there's no way to ensure a PIN is no palindrome, so no way for the machine to know it was entered in reverse, thus no way for it to know to contact the police. – jwenting Mar 21 '13 at 09:46
  • 4
    Even with non palindromic ones, that could be a problem. If the pin is `1231` it's fairly easy to enter `1321` accidentally. – vartec Mar 21 '13 at 10:06
  • 1
    Lots of palindromes in the top 20 pins http://www.datagenetics.com/blog/september32012/ – Biff MaGriff Mar 21 '13 at 16:27
  • 1
    It seems like PIN+1 would offer all the benefits of a reversed pin (easy to remember, unique per customer), plus work for palindromes. I.E., if your PIN was 1234, your panic code would be 1235. 9999 would wrap to 0000. – Ask About Monica Mar 21 '13 at 21:09
  • @kbelder: you are assuming the general public has a concept of "number wrapping"... ;) – nico Mar 24 '13 at 17:14
  • @kbelder quick, patent it and sue someone else who comes up with the same obvious solution! – Kip Mar 27 '13 at 18:33
  • 5
    @nico if someone picked 9999 as their PIN then they deserve to forfeit their right to call the police – Kip Mar 27 '13 at 18:33
  • 1
    Just saw this meme on FB, again! Felt compelled to debunk it, because someone could get really screwed if they thought it was true. – PoloHoleSet Jun 20 '17 at 15:19
  • 3
    Would you really take advice from someone who can't even spell a simple English word like "thief"? Or know how to properly use apostrophes? – jamesqf Jun 20 '17 at 17:53
  • 1
    @jamesqf - My first "real" job included maintaining and balancing a financial institution's ATM network. The use of "PIN #" (aka "Personal Identification Number Number"), already had this disqualified for me, before getting to more standard offenses against the English language. – PoloHoleSet Jun 20 '17 at 19:04
  • 1
    @PoloHoleSet ah, RAS syndrome. My second favorite syndrome, right after the villain from The Incredibles. – Asher Jun 23 '17 at 16:41
  • 1
    @Asher - though, if you're going to use the "ATM Machine," I guess a "PIN Number" would be appropriate.... – PoloHoleSet Jun 23 '17 at 17:16
  • There are house alarms connected more or less directly to the police, and they can have one real number that you should type to get in, plus a "panic" number that will also let you in, but also call the police (and it was reported by someone feeding the neighbour's cat, typing in the wrong number, two times the police were too slow because he only took five minutes, and the third time police was waiting for him). – gnasher729 Sep 27 '21 at 09:49

3 Answers

77

You can find information about this on Wikipedia:

ATM SafetyPIN software is a software application that would allow users of automated teller machines (ATMs) to alert the police of a forced cash withdrawal by entering their personal identification number (PIN) in reverse order. The system was invented and patented by Illinois lawyer Joseph Zingher (U.S. Patent 5,731,575). Contrary to a widely circulated hoax (see below), the system is not implemented in ATMs presently.

The same information can be found on Hoax Slayer:

Brief Analysis
The claims in the message are false. Reverse PIN technology does exist. However, it has not yet been implemented by any banks. At this time, entering your PIN in reverse will NOT call police.

Snopes also covers this, with a history of failed attempts to make it law.

Laurel
bummi
  • 8
    see comments on question. symmetrical PINs exist, making the implementation of this system in ATMs impossible even if banks were so inclined. – jwenting Mar 21 '13 at 09:48
  • Hoax Slayer use an odd choice of wording: If the technology exists but isn't implemented, isn't that the same as the technology not existing? – Oddthinking Mar 21 '13 at 09:57
  • 4
    @Oddthinking it could exist in prototype/technology demonstrator form, yet not have been adopted by any bank for use in the wild (which as explained would be impossible). – jwenting Mar 21 '13 at 12:34
  • 2
    Just a technical note: The reverse PIN technology cannot be implemented in the ATM alone, but must be supported by actual PIN verification entity as well (mostly the issuing bank or the card itself). – Tor-Einar Jarnbjo Mar 21 '13 at 15:29
  • 2
    in fact it wouldn't need to be implemented on the ATM at all. The backend knows the location of the ATM, could be provided with information about how to contact security nearest to its location. – jwenting Mar 22 '13 at 07:46
  • 1
    Just because PINs can be palindromic doesn't make it impossible to implement. It makes it impossible for the use case to be carried out for a customer who has chosen a palindromic PIN. – Kaz Mar 22 '13 at 21:27
  • 7
    Furthermore, this scheme can be generalized. Rather than rely on this pin number being entered backwards, the user can simply have two PINs which are both completely arbitrary and selected by the user: a regular pin, and an emergency pin which triggers the silent alarm. Both could be palindromes, if the user wishes. – Kaz Mar 22 '13 at 21:28
  • @Kaz I just took a look at the patent application. It looks like the system patent was for a generally more expanded system that could trigger the alarm in a number of circumstances. When reading it my first concern was the high possibility of inadvertently triggering false positives – A Bailey Jun 20 '17 at 15:59
  • 1
    @Kaz More problematic would be a near-palindromic PIN. What if someone has a PIN of xyzx. One transposition reverses it. – Loren Pechtel Sep 25 '21 at 02:41
  • Also, if everyone - including would-be robbers - knows about this "trick" it loses its value -- they'll realize what you did the moment the money fails to come loose, at which point you're held at gunpoint by someone who has several reasons to be very angry at you and already values your life less than money, with the police a minimum of several minutes away. This strikes me as highly suboptimal. – Shadur Sep 25 '21 at 19:41
  • Shadur, the money would come. There would be no way for the criminal you typed in the "wrong" PIN, because it works - it just calls the police immediately. – gnasher729 Sep 27 '21 at 09:52
39

There was a similar question over on IT Security. I answer here as I answered there, based on my job experience in the alarm monitoring industry. The short answer is that the reverse-PIN system is documented as a possibility, but is not currently in use by any ATM network or manufacturer.

The idea of the reverse PIN is the "duress code"; something that appears to allow access and let the assailant do what they will, but in fact also trips a silent alarm. These exist in home and commercial alarm systems, allowing a person being forced to disarm the system at gunpoint to signal for help in a way that's not obvious to their assailant.

In ATMs, however, there are two fundamental problems with the idea of a duress code PIN, no matter how it's implemented.

First, and foremost, is that ATMs are designed to be fast. You get the cash and you're gone. The average traditional bank robbery (getting the money from the human tellers in the office) takes about 3 minutes, according to an article in Police Magazine, and those include the amateur note-passers that only want one teller's tray; professional armed gangs posing a serious threat to life take longer because they want more money from more places. A home invasion or jewelry-store robbery normally takes much longer than that; the assailant needs the extra time to gather up the things of value they want to take, giving the police the time they need to respond. My company, which as I mentioned primarily does video verification of alarm signals, has documented smash-and-grabs and armed robberies of stores we monitor lasting upwards of 10 minutes.

The average ATM cash-out transaction? Less than one minute, according to InfoCash (an ATM manufacturer whose latest generation claims to reduce that average time to 28 seconds). This makes a duress code for an ATM nearly useless, because a patrolman would pretty much have to be in visual range of the ATM in the first place in order to respond fast enough to catch the robber fleeing the site. Keep in mind that several seconds can pass before the monitoring center even receives the alarm signal (the NFPA mandates a maximum of 10 seconds for fire alarms, which we often also monitor and so our entire system has to be that fast), and then the monitoring center must call the police dispatcher and the dispatcher must relay to the patrolman. Most ATM robbers are instead caught hours or days later using evidence from the scene, primarily recorded video from the CCTV system (which is, in addition to false alarm reduction, a primary service of our company; review the video, produce the stills, assist the police).

Second is that, because ATMs and their function are so widely known and used, a common, easy-to-remember duress PIN is not an option (as it would be for all users of a single alarm panel, or even for multiple panels of a chain store's various locations), because if there was one duress code for all ATMs of a particular bank, it's very likely the robber will know it. That means that each user must choose a unique duress PIN on top of a unique "normal" PIN. With many users having trouble remembering their normal PIN that they use regularly with only the pressure of the person behind them in line, how many would you expect to remember a duress PIN they've never used before when held at gunpoint? We have problems with alarm system keyholders remembering the common duress code to their own alarm panels, which is why we put human eyes on every opening and closing in our monitoring center.

The reverse PIN mechanism, which has been documented and patented as other answers stated, but is not currently in use with any ATM system according to Snopes, is designed to mitigate this second shortcoming by allowing the user to remember one number and simply enter it backwards. This however produces another problem; the resulting system will not tolerate palindrome PINs. The documented system apparently has additional methods to derive a "panic PIN" from the normal one in the case of palindromes, but that's an additional complexity which would make it that much harder for someone to remember under stress, and given that there are only 10,000 possible four-digit values, from a security perspective you want as many of them to be potentially valid as possible, to prevent a lucky guess at the PIN from someone who's stolen the card (which is, from raw numbers of losses to bank robberies versus card fraud, a much greater financial concern to banks). Making any of them invalid for any reason, including not being able to derive a duress PIN from it, works at cross-purposes to the greater problem.

KeithS
  • Welcome to Skeptics. Please add references to support your claims [FAQ]. – Sklivvz Mar 21 '13 at 16:57
  • Links to stats backing me up added. As I mentioned, I earn my living as a software developer for an alarm monitoring/video surveillance company, which gives me a personal insight into these problems and potential solutions. – KeithS Mar 21 '13 at 17:12
  • 3
    Agreed, however that bears no relevance here as we don't accept arguments from authority :-) – Sklivvz Mar 21 '13 at 17:25
  • Understandable. Do the added links provide enough of a foundation for the rest of what I said? – KeithS Mar 21 '13 at 17:26
  • They are OK by me, but obviously that's up to the community to decide. Thanks again. – Sklivvz Mar 21 '13 at 17:30
  • 2
    While the short time would indeed make it useless to catch the robber red-handed, it might be useful to give out money sprayed with invisible marker (just like when the ATM is forced open) – vsz Mar 22 '13 at 07:23
  • Please add a link to your answer on IT security. – Martin Schröder Mar 22 '13 at 18:08
  • +1 for a good answer, especially pointing out the problems with users forgetting the PIN and the fact that transaction are fast. – nico Mar 24 '13 at 17:19
  • I'm not in any way disagreeing with your answer but it occurs to me that all the rules for good PIN selection could be applied in reverse to your duress PIN. Make it your birthday, street address, whatever. It's easy to remember and it might catch the odd person who steals your card and tries to guess your PIN. Not that that makes this idea worth implementing in my opinion, it just struck me as interesting. – Eric Nolan Sep 27 '21 at 09:55
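The keying-slip concerns raised in the comments and in the answer above (palindromes, `1231` versus `1321`, the PIN+1 idea) can be counted over the whole four-digit space. This is an added example, not part of the original thread; the function names and the two slip models (one adjacent transposition, one wrong digit) are assumptions made for illustration.

```python
from itertools import product


def reverse_duress(pin):
    """Duress code under the reverse-PIN scheme discussed on this page."""
    return pin[::-1]


def plus_one_duress(pin):
    """Duress code under the PIN+1 idea from the comments (9999 wraps to 0000)."""
    return str((int(pin) + 1) % 10 ** len(pin)).zfill(len(pin))


def adjacent_swaps(pin):
    """Entries reachable by transposing two neighbouring digits (assumed slip model)."""
    swaps = set()
    for i in range(len(pin) - 1):
        swaps.add(pin[:i] + pin[i + 1] + pin[i] + pin[i + 2:])
    swaps.discard(pin)  # swapping two equal digits is not a slip
    return swaps


def differs_in_one_digit(a, b):
    """True when exactly one keypress is wrong (assumed slip model)."""
    return sum(x != y for x, y in zip(a, b)) == 1


def survey(duress, length=4):
    """Classify every PIN of the given length by how its duress code relates to it."""
    counts = {"total": 0, "no_duress_code": 0,
              "one_swap_away": 0, "one_wrong_key_away": 0}
    for digits in product("0123456789", repeat=length):
        pin = "".join(digits)
        code = duress(pin)
        counts["total"] += 1
        if code == pin:
            counts["no_duress_code"] += 1      # e.g. palindromes under reversal
        elif code in adjacent_swaps(pin):
            counts["one_swap_away"] += 1       # false alarm after one transposition
        elif differs_in_one_digit(pin, code):
            counts["one_wrong_key_away"] += 1  # false alarm after one wrong digit
    return counts


if __name__ == "__main__":
    for name, scheme in (("reverse PIN", reverse_duress), ("PIN+1", plus_one_duress)):
        print(name, survey(scheme))
```

For four digits, reversal leaves 100 PINs with no duress code and 900 more one transposition away from a false alarm. PIN+1 leaves none without a code but puts 9,000 PINs one wrong final digit away from an alarm.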
0

While the technique is possible, as noted, the time it would take for a response to an alert to the nearest public safety office would probably be beyond a relevant response time. There would be the additional risk of failure in getting the response: who becomes responsible for this?

It would expose the bank to liability that they can externalise by simply not implementing the approach.

In San Bernardino county a study shows that response to burglar alarms has a mean duration of just over 17 minutes. A major manufacturer of ATMs indicates that they await demand from customers (presumably the banks) to implement a solution. A US public safety response is mandatory (ATM Consumer Protection Act 15 U.S.C. 1693 918 (b)) if activated.

Pekka
  • 2
    [Welcome to Skeptics!](http://meta.skeptics.stackexchange.com/questions/1505/welcome-to-new-users) Please [provide some references](http://meta.skeptics.stackexchange.com/q/5) to support your claims. (In practice, I'd simply suggest that the ATM client hash both the PIN and the reverse PIN, and do two lookups in the database. No plain text. No reversed PIN in the database.) – Oddthinking Mar 21 '13 at 23:12
  • Quite valid. I have removed the PIN storage argument while retaining the externalisation view. The suggestion to send both values only works if the PIN is not all the same digit, and only if it is implemented on the ATM. It is far more likely that the acquiring bank would want to perform the verification check. This of course makes response even more difficult as the ATM location may not be known to the bank. – Pekka May 21 '13 at 20:47