Mike Lynch, Chief Strategy Officer at InAuth, says that mobile device security is key to the success of cardless ATMs.
Banks worldwide are continuing to create better customer experiences, reduce cost and mitigate fraud. The focus on new ways to serve customers continues in the ATM channel. For example, new capabilities in ATMs allow customers to be helped by a live teller at the ATM using video banking. Another type of innovation is the cardless ATM process. A number of major financial institutions are deploying cardless ATM capabilities, allowing customers to withdraw money from an ATM using a mobile app to initiate the transaction. Banks are taking a number of different approaches to cardless ATM transactions, including having the customer request a one-time code via their banking app and input it into the ATM to complete the transaction.
Another method involves sending a QR code to the mobile device that is then read by the machine to complete the transaction. A more sophisticated process involves a customer loading debit card details into an existing ‘xPay’ mobile wallet (e.g. Apple Pay, Google Pay and Samsung Pay) and then using the near-field communication (NFC) tap-and-pay technology built into the mobile device at the ATM in conjunction with a PIN. Some financial institutions are employing a seemingly riskier technique in which cardless cash codes are sent to recipients for ATM withdrawals.
Cardless ATMs are certainly a way to improve the customer experience by eliminating the need to carry and replace cards, which can be easily lost or compromised, as well as reduce the cost to the institution to replace them. And cardless ATMs should help eliminate skimming, which is the use of a physical device that fits over the existing card reader to scan and store your card information.
But as with any emerging technology, financial institutions should take care not to open a security loophole that could increase fraud activity. Using history as an example, cardless ATM fraud was seen as early as 2012 in the UK with one of the first pioneering cardless ATM products. The ATM channel has been an area of such pervasive fraud that fraudsters may be highly motivated to find a way to continue to commit fraud on this channel, even if cardless ATM systems are deployed. According to FICO, the number of payment cards compromised at ATMs and merchants across the US rose 70 per cent in 2016. If cardless ATMs are deployed securely, this number may decrease.
But with inadequate security, some institutions may see an increase in ATM fraud in the short term. As the mobile device takes on an increasingly high-profile role in facilitating financial transactions of all types, financial institutions must increase their focus on the device itself as part of their security strategy. In many cases, the security protocols underlying mobile transactions unfortunately still rely on vulnerable and outdated username and passcode protocols, as well as app-generated one-time passcodes, which can also be easily intercepted and exploited by fraudsters. And threats such as crimeware, which is malware devised for financial loss, can also be present on the device and target customer account information for future fraud attempts.