
Cardless ATMs: Best Practices To Support Cardless ATM Innovation

A number of major financial institutions are continuing to innovate with their cardless ATM capabilities, allowing customers to withdraw money from an ATM using a mobile app to initiate the transaction.

Large banks are taking a number of approaches to cardless ATM transactions, including enabling customers to log in to their banking app with their username and password to request a one-time passcode that the customer enters into the ATM to complete the transaction. Other banks are piloting further methods for executing cardless ATM transactions—for example, sending a QR code to the mobile device that is then read by the machine to complete the transaction. Yet another method involves a customer loading debit card details into an existing "xPay" mobile wallet and then using the near-field communication (NFC) tap-and-pay technology built into the mobile device at the ATM in conjunction with a PIN. In addition, some FIs are employing a seemingly riskier technique in which cardless cash codes are sent to recipients for ATM withdrawals.

Many financial institutions view cardless ATMs as a way to improve the customer experience by eliminating the need to carry and replace cards, which can be easily lost or compromised, as well as reduce the cost to the institution to replace them. They also look at this as a means to leverage opportunities for increased engagement at the customer's preferred channel.

But as with any emerging technology, financial institutions should expect—and in fact, already have experienced—early instances of fraud resulting in losses and reputational damage. And while the jury is still out as to whether cardless ATMs will reduce the risk of fraud for ATM transactions in the long run, it is reasonable to expect increased fraud activity as criminal actors rush to take advantage of security loopholes before they're found and patched. Using history as an example, cardless ATM fraud was seen as early as 2012 in the UK with one of the first pioneer cardless ATM products.

In general, ATM fraud is so pervasive that fraudsters will be highly motivated to find a way to continue committing fraud on this channel, even once cardless ATM systems are deployed. According to FICO, the number of payment cards compromised at U.S. ATMs and merchants rose 70 percent in 2016. Done securely with cardless ATMs, this number may decrease. With inadequate security, however, we may actually see an increase in ATM fraud in the short term.

As the mobile device takes on an increasingly prominent role in facilitating financial transactions of all types, financial institutions, merchants and other organizations must increase their focus on the device itself as part of their security strategy. In many cases, the security protocols underlying mobile transactions still rely on vulnerable and outdated username and passcode schemes, as well as app-generated one-time passcodes, which can also be intercepted and exploited by fraudsters. According to Gartner fraud analyst Avivah Litan, "Identity proofing remains the weakest point in mobile banking."

Organizations' haste to leverage the convenience and engagement opportunities afforded by continual innovation in the mobile channel is often at odds with a less rigorous focus on security innovation. Organizations must ensure that innovations in cardless ATMs are implemented with the latest available security advances underpinning them in order to avoid embarrassing and costly security snafus. For example, fraudsters exploited one such cardless ATM security gap when a bank customer was defrauded after cybercriminals gained access to her mobile banking login credentials, which they then used to register a new mobile device for cardless ATM access.

In this instance, the bank learned a costly lesson—both in terms of financial loss and reputational damage. Incidents like this don't happen for a lack of available technology to secure the mobile device. Robust security solutions currently exist that can help identify legitimate customers using a multi-factor authentication (MFA)-based approach and device and transaction risk assessments that do not compromise the user experience, including authenticating the device being used to conduct the transaction. When these solutions are implemented along with common-sense operational policies and procedures, the risk of fraudulent cardless ATM access can be greatly mitigated.

Financial institutions should consider these available, best-in-class security tactics to help combat fraud targeting cardless ATM transactions at the point of access (the mobile device), including mobile fraud detection with real-time decisioning, biometrics and a permanent device ID:

  • Mobile Fraud Prevention with Real-Time Decisioning

A mobile fraud prevention solution with real-time decisioning provides the ability to detect many different types of risk inherent in mobile access to ATM transactions. The ability to thwart attacks on the device before it transacts with the bank helps reduce friction for customers while still providing superior security. Real-time decisioning capabilities help eliminate points of friction in the security flow for good transactions, while giving FIs the ability to flag suspicious access attempts for additional scrutiny.

  • Biometrics

Many financial institutions and other organizations dealing in the exchange of sensitive and valuable information have added biometric identification to their security lineup as a more secure way to establish the identity of their customers.

The increasing availability of built-in biometric capabilities on mobile hardware presents an opportunity to ditch outdated username and password methods for confirming a user's identity. As a bonus, biometrics are also quickly becoming the preferred method of authentication among consumers themselves, who view it as a more convenient and more secure way to establish their identities (and it is!).

However, biometrics alone are not the one-size-fits-all solution for mobile transaction security. The biometric login by itself only proves that the enrolled user is attempting access. The login authentication alone does not ensure the security of the device the biometric operates on—which brings us to the third leg of a solid mobile device security strategy.

  • Permanent Device ID

A holistic mobile security strategy must also secure the device on which cardless ATM access is being requested and initiated. A permanent device ID is a way to identify a device using its unique attributes in order to establish the first layer of trust by fulfilling the "something you have" factor in a multifactor solution.

Establishing a device as trusted provides financial institutions with the confidence they need to allow good customers to transact with the least amount of friction, while at the same time, allowing institutions to consider an unknown device for a particular customer to be higher risk and potentially challenged with another authentication step, or potentially denied if other high risk indicators are present. This helps protect both the true customer and the financial institution.

  • Customer Behavior Analysis

Behavioral analysis confirms that the device is one typically associated with the customer, that the ATM transaction activity is typical for this customer, and that the location makes sense for this particular customer. There are many other combinations of rules that a financial institution can employ to gain insight into whether this is likely the true customer.

  • Device Integrity Screening

Organizations should utilize fraud detection capabilities that identify evidence of malware, malicious or tampered applications, emulators, GPS spoofers, device spoofers, keyloggers, SMS forwarders, or other fraud tools used by criminals to defraud customers and hijack their accounts.
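To show how the device ID, behavioral and device-integrity checks above combine into a single real-time decision for a cardless withdrawal request, here is an added illustration in Python. It is not code from the article or from any vendor product; the customer profile, device IDs, regions and thresholds are constructed sample data, and the allow/challenge/deny rules are one plausible policy, not a standard.

```python
from dataclasses import dataclass, field

# Hypothetical customer profile built from past activity: trusted permanent
# device IDs, the usual withdrawal ceiling, and regions the customer normally
# transacts from (all constructed sample data).
@dataclass
class CustomerProfile:
    trusted_devices: set
    typical_max_amount: float
    home_regions: set

@dataclass
class WithdrawalRequest:
    device_id: str                 # permanent device ID sent by the mobile app
    amount: float
    region: str                    # coarse location of the ATM
    integrity_flags: set = field(default_factory=set)  # e.g. {"emulator"}

# Device-integrity findings treated as decisive on their own.
HIGH_RISK_FLAGS = {"malware", "tampered_app", "emulator", "gps_spoofer",
                   "device_spoofer", "keylogger", "sms_forwarder"}

def assess_request(profile, req):
    """Return (decision, reasons); decision is 'allow', 'challenge' or 'deny'."""
    bad_flags = req.integrity_flags & HIGH_RISK_FLAGS
    if bad_flags:                  # device integrity screening
        return "deny", ["device integrity: " + ", ".join(sorted(bad_flags))]
    reasons = []
    if req.device_id not in profile.trusted_devices:   # permanent device ID
        reasons.append("unknown device")
    if req.amount > profile.typical_max_amount:        # behaviour: amount
        reasons.append("atypical amount")
    if req.region not in profile.home_regions:         # behaviour: location
        reasons.append("atypical location")
    if not reasons:
        return "allow", reasons
    # An unknown device that also behaves atypically (the stolen-credentials,
    # newly registered device case from the article) is denied; a single
    # anomaly gets a step-up challenge such as biometric MFA instead.
    if "unknown device" in reasons and len(reasons) > 1:
        return "deny", reasons
    return "challenge", reasons

def run_demo():
    """Score a few constructed requests against one sample profile."""
    profile = CustomerProfile({"dev-A1"}, 500.0, {"Pune"})
    cases = {
        "trusted_typical": WithdrawalRequest("dev-A1", 200.0, "Pune"),
        "new_device_only": WithdrawalRequest("dev-Z9", 200.0, "Pune"),
        "new_device_far": WithdrawalRequest("dev-Z9", 450.0, "Mumbai"),
        "trusted_emulator": WithdrawalRequest("dev-A1", 100.0, "Pune", {"emulator"}),
    }
    return {name: assess_request(profile, r)[0] for name, r in cases.items()}
```

In a real deployment the profile would be learned from the customer's history and the thresholds tuned per institution; the point is that a correct password on an unknown device never reaches "allow" on its own.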

Deploying a mobile-specific security strategy that includes solutions to authenticate both users and the device being used to initiate access to cardless ATMs, along with sound operational policies and procedures that keep customer and organizational risk always at the forefront, will help this promising technology usher in a new era in the continuing quest to enhance the customer experience through unparalleled convenience and access.


Comments: (1)

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune, 06 November, 2017, 14:14

I've long held that Mobile RDC is the #1 killer app of mobile banking. It now appears that cardless ATM is becoming another killer app. I don't belong to the "cash / cheque is dying" brigade. But, even to me, it seems odd that cash and cheque processing apps are proving so popular. 

Whither mobile wallets and other forms of digital payments that were supposed to kill cash and cheques?
