Card-Free ATMs: No More Skimming?Experts Debate Security Merits of New ATMs for U.S. Institutions
By spring, banks and credit unions across the U.S. are expected to start rolling out "card-free" ATMs, offering transactions that experts say will eliminate fraud losses linked to skimming, and at the same time open new doors for mobile payments.
Three of the nation's largest banks, JPMorgan Chase, Bank of America and Wells Fargo, have announced plans to start deploying these new ATMs later this year, allowing their customers to conduct contactless tap-and-go transactions with their mobile smartphones, according to reports by the Los Angeles Times and the Associated Press.
And the National Credit Union Administration this week issued a new report, acknowledging "The reality is smartphones may end up being the way most consumers gain access to ATMs in the future."
Additionally, leading ATM manufacturers NCR Corp. and Diebold Inc. both tell Information Security Media Group that they have been working with global banking institutions to deploy ATMs that incorporate emerging card-free functionality.
"The U.S. market is actually somewhat lagging behind in the use of contactless transactions," says Owen Wild, NCR's global director of security solutions. "Globally, major transportation systems have been using contactless for many years. NFC [near-field communication] mobile transactions are far greater outside of the U.S. But the trend here is starting to change."
In 2014, NCR helped ANZ Australia deploy the first global EMV contactless ATM. And Diebold in October 2015 announced a card-less ATM pilot with Citibank, as well as America First Credit Union and Banco Popular de Puerto Rico.
All of this news comes in the wake of reports that ATM card-skimming attacks have skyrocketed.
In fact, skimming attacks waged against ATMs as well as self-service gas terminals have exploded in U.S. over the past year, as merchants have worked to shore up their physical point-of-sale security with upgrades to accept and process EMV transactions to meet the October 2015 fraud liability shift date set by the card brands (see Alert: ATM Skimming Up in U.S.).
During the first quarter of 2015, skimming at U.S. banking institution ATMs increased 173 percent when compared with the same period in 2014, according to FICO's Card Alert Service. Skimming attacks waged against U.S. ATMs at off-premises locations, such as convenience stores and hotels, also increased, up 317 percent for the same period.
By comparison, however, FICO found that skimming attacks waged against point-of-sale terminals in the U.S. dropped by 81.3 percent from Q1 2014 to Q1 2015.
Wild and financial fraud expert Avivah Litan, an analyst at consultancy Gartner, say card-free ATM transactions won't overshadow or replace the need for EMV upgrades at the ATM and other self-service channels. The fraud liability shift date for EMV at ATMs and self-service gas pumps is not until October 2017.
But the contactless, card-free ATM features will significantly reduce skimming risks posed by lingering magnetic-stripe cards.
What's more, they say, transactions that are EMV compliant, such as those conducted through Apple Pay, will be even more secure.
"The use of EMV and the continued migration to EMV-compliant transactions does not change as a result of the use of the contactless transaction initiation," Wild says. "As you know, the EMV requirements go beyond the use of the 'smart' chip-based card. The value of the encryption of the transaction provides an additional level of security and fraud reduction in the EMV transaction flow."
And Litan says additional layers of security, such as those provided by EMV, are needed. If fraudsters compromise the mobile device's identity-proofing process, which was an early vulnerability in Apple Pay, then the additional layers of security provided by EMV will help shore up the overall security of the transaction, she adds.
"We will see fraudsters be able to commit fraud with ATM smartphone applications by beating the banks' identity proofing processes," Litan says. "The fraudsters will be able to enroll for the ATM app using a stolen identity, just like happened with Apple Pay credit card payments."
Are Consumers Ready for Card-Free?
Contactless mobile ATM transactions rely on NFC technology, which is similar to contactless EMV chip card transactions. So, rather than inserting a card into the ATMs, the user merely taps or holds a mobile smartphone on or near the ATM.
Consumers are eager to move to mobile, and banking institutions want to reap the security benefits card-free transactions provide, NCR's Wild says.
"Based on our own research and validated by independent researches, NCR feels that increasingly consumers will rely on mobile devices for these forms of transactions," Wild says. "As more and more endpoints become enabled with the capabilities for contactless transactions, we will see increased utilization."
And one of the strongest value propositions for contactless-mobile or card-free transactions is the security benefit, he adds.
"As we have discussed, the major vulnerability for cards is the mag-stripe," Wild says. "Having the ability to initiate the transaction without the need for the mag-stripe to be presented into a card reader will significantly reduce the risks of card skimming. Please remember that the skimming risk still exists with the use of chip cards - as there is still a need to dip the card into an ATM, POS or gas pump."
Still financial fraud consultant Mike Urban says consumers might not be so eager to jump on the card-free ATM bandwagon, especially if the option to use a card is still available.
"Consumers are generally lazy, and if they already have their debit card and know their PIN, will they go through the process of setting up and learning how to use an ATM a new way?" Urban asks. "What is the value to them? You could look at the Apple Pay experience, where year-over-year usage is declining."
Codes, Not Cards
In the wake of recent card-free announcements from the big banks, the National Credit Union Administration just this week reported that an unnamed financial technology firm is expected to roll out ATMs that allow consumers to conduct ATM transactions with 11-digit codes and PINs.
How it works: A consumer signs up for the service with his banking institution and is given a code and a corresponding PIN. Once at the ATM, the user enters the code on the ATM screen, rather than inserting a card, and them enters the PIN.
The NCUA notes that these code-based transactions are expected to set the stage for a migration to mobile-based tap-and-go ATM transactions.
"This change could save financial institutions the expense of issuing cards - especially when they have to be replaced when a security breach occurs," the NCUA says. "With no card involved, it becomes more difficult for thieves to utilize skimming devices that capture account information from cards. Service providers are already testing the use of smartphones to access ATMs."
Gartner's Litan says the move to contactless mobile ATM transactions is a victory for consumers and financial institutions.
"Card-free ATM applications are a 'win-win-win' proposition for both banks and consumers, and they help the smartphone manufacturers, by making their phones stickier for consumers, and potentially generating new sales," she says. "The value proposition for banks: Wean consumers away from costly chip cards, and get consumers to pay for their card-form factors (smartphones) and ongoing maintenance. ... After all, it's an age of self-service - and now self-provisioning."
Besides, smartphones provide additional security beyond what EMV chip cards provide, Litan says.
"There are many sensors on smartphone to help with authentication and fraud detection, such as fingerprint readers, cameras, the phone chip itself, the phone's movements, its location, status (on/off), transaction type, such as prepaid or VoIP [voice over IP], etc.," Litan says.
It's also a more convenient experience for consumers, she adds, which gives banks and credit unions an additional way to retain customer wallet-share and loyalty.