Network World

Security: The ugly business

Backspin By Mark Gibbs, Network World, 04/24/2009

Security is an ugly business because when you have a problem there's rarely an elegant, straightforward solution. What you usually wind up with is a solution that's just "good enough." I recently learned of a great example that nicely illustrates this point.

A friend sent me a link to an amazing report titled "ATM Card Skimming and PIN capturing Awareness Guide". This document was authored by a gentleman with the job title "protective security advisor" and was published by Commonwealth Bank, a large Australian financial services provider.

Card skimming is the art of stealing data from the magnetic stripe on the back of an ATM card. The devices used to do this are smaller than a deck of cards and (this is the biggie) "often fastened in close proximity to or over the top of an ATM’s factory-installed card reader."

Then the crooks typically install another piece of equipment to capture the PIN associated with the user’s card. These devices have been found in the lights that illuminate the ATM's keyboard, near the speaker, in the indent that houses the screen, on the side fascias, or even near or over the keyboard. In other words, pretty much anywhere on the machine.

The report offers photographs of machines that have been modified with card skimming devices, and the amazing thing is they all look like bona fide parts of the ATM. There are few visual clues that the device you’re pushing your card into is an add-on.

The same applies to the PIN capturing modifications, most of which seem to involve cameras mounted in things such as false fascias that are attached to the ATMs or in merchandising add-ons (for example, leaflet holders). Another approach is to overlay a false keypad on the real keypad.

According to the report, the bad guys "tend to attach skimming devices either late at night or early in the morning, and during periods of low traffic … [and usually only leave them] attached for a few hours."

And the advice that the "protective security advisor" offers to those managing ATMs? He has several suggestions but allow me to summarize: Know thy ATM.

This is, of course, a poor solution because it assumes that those charged with the care and feeding of ATMs will be diligent and painstaking. While a percentage might well be, we know for certain that in a large population of these workers at least a few will not.

Comments (1)

blocked
By Anonymous on May 5, 2009, 2:36 pm

Nice column, unfortunately work 'websensed' the link to report. Reason: The Websense category "Alternative Journals" is filtered. ...
