by amelius 1348 days ago
Fortunately most people stay at the machine after typing their password.

Anyway, perhaps now is a good time to get a 2FA hardware token.


There are ATMs in Europe that will take the card, ask for what you want to do, ask the amount if it's a withdrawal, and then ask for the PIN and dispense it. This reduces the time between typing and dispensing. No idea if it's a significant enough reduction in the time versus card, PIN, navigate to withdraw, dispense such that it would enable this attack.
What do ATMs elsewhere do? This is the only way I know.

The ATMs I regularly use authenticate THEN ask for what you want to do.
Even with 2FA, any sort of "remember me for a minute and I'll go get a coffee" makes it pretty useless.

Not if that machine is an ATM.

So in the case of ATMs we now need to make sure we soft-touch some random buttons to ensure this trick doesn't work.

I have already seen some ATMs that shuffle the numbers on the number pad around for each PIN entry. It is inconvenient for muscle memory, but prevents this kind of attack.
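The shuffled-keypad mitigation mentioned in the comment above, as an added example written for this page (it is not any ATM vendor's code and not the commenter's). It assumes a ten-key pad where the physical key positions are numbered 0-9 and the terminal redraws which digit sits on which key for every PIN entry; the point it shows is that the sequence of physical key positions, which is all that heat residue or smudges could reveal, no longer determines the PIN unless the observer also knows the layout that was displayed.

```python
import secrets

DIGITS = "0123456789"


def random_layout():
    """Return a fresh keypad layout as a string: index = physical key
    position (0-9), value = the digit drawn on that key.  Uses the OS
    CSPRNG so one layout cannot be predicted from earlier ones."""
    digits = list(DIGITS)
    secrets.SystemRandom().shuffle(digits)
    return "".join(digits)


def positions_for_pin(layout, pin):
    """Physical key positions a user presses to enter `pin` on `layout`.
    This is the only information residue on the keys gives away."""
    return [layout.index(d) for d in pin]


def pin_from_positions(layout, positions):
    """What the terminal reconstructs: it knows the layout it displayed,
    so it maps the pressed positions back to digits."""
    return "".join(layout[p] for p in positions)


def distinct_press_patterns(pin, trials=50):
    """Count how many different physical press sequences the same PIN
    produces across `trials` random layouts.  With a fixed layout
    (layout == DIGITS) every entry produces the same sequence, i.e. 1."""
    patterns = {tuple(positions_for_pin(random_layout(), pin)) for _ in range(trials)}
    return len(patterns)


if __name__ == "__main__":
    pin = "4831"  # constructed sample PIN, not a real one
    print("fixed keypad, positions pressed:", positions_for_pin(DIGITS, pin))
    layout = random_layout()
    pressed = positions_for_pin(layout, pin)
    print("shuffled layout:", layout, "positions pressed:", pressed)
    print("terminal decodes:", pin_from_positions(layout, pressed))
    print("distinct press patterns over 50 entries:", distinct_press_patterns(pin))
```

With the fixed layout the pressed positions are simply the PIN digits, so residue on the keys narrows the PIN to the orderings of those keys; with a per-entry shuffle the same PIN lands on a different set of keys almost every time, and the residue by itself is uninformative. The cost the comment notes, loss of muscle memory, is inherent: the user has to read the pad each time.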
I know somebody working at a bank who talked about their implementation, and how many elderly customers block their cards after wrongly entering their PIN.

Also, to mitigate the problem somewhat, one could obfuscate the order in which the numbers were pressed by setting a custom PIN with repeating numbers. Ideally, just repeating one. /s

With an ATM you are already using a hardware token ;)