Cardless ATMs Innovate While Preventing Fraud

Reduce skimming and the need to carry and replace cards with cardless ATMs.

Cardless ATMs can create convenience and prevent fraud.

As far back as 2012, financial institutions in the U.K. were pioneering cardless ATM products. In 2017, many of the largest U.S. banks followed suit. The trend continues in 2018 with Fifth Third Bank launching its cardless ATM process in March. According to Melissa Stevens, Fifth Third’s chief digital officer and head of innovation, design and omnichannel experiences, “Fifth Third is bringing new innovations to customers on a regular basis, and I’m excited that this new feature connects two channels our customers use frequently – our mobile app and Fifth Third ATMs.”

Financial institutions want to create better consumer experiences and at the same time reduce cost. The ATM channel is one area where they are focusing on new ways to serve consumers. As mentioned, a number of major financial institutions are deploying cardless ATM capabilities, allowing consumers to withdraw money from an ATM using a mobile app to initiate the transaction.

Financial institutions are taking a number of different approaches to cardless ATM transactions. In one process, the consumer loads debit card details into an existing smartphone mobile wallet (e.g. Apple Pay, Google Pay or Samsung Pay) and then uses the near-field communications (NFC) technology built into the mobile device at the ATM in conjunction with a PIN.

In another process, the consumer requests a one-time code via their banking app and enters it at the ATM to complete the transaction. For Fifth Third’s cardless ATM process, customers sign into Fifth Third’s mobile banking app, choose the account and click the new cardless ATM icon. Then at the ATM they scan the barcode using the mobile app, enter a PIN at the prompt and the ATM dispenses the cash.

Other institutions are employing a process in which codes are sent to recipients for ATM withdrawals. Consumers can use this service to send money to a friend or family member with relative ease, as the code recipient can retrieve money from an ATM by entering a code from the text message.

Cardless ATMs are certainly a way to improve the consumer experience by eliminating the need to carry and replace cards, as well as reduce the cost to the institution to replace them. Cardless ATMs also help reduce skimming, which is the use of a physical device that fits over the existing card reader to scan and store your card information.

ATMs have been a successful area for fraudsters in the past, so they may be highly motivated to find a way to continue to commit fraud on this channel. As with any emerging technology, financial institutions should take care not to open a security loophole that could increase fraud activity. Cardless ATM fraud was seen as early as 2012 in the early launches of cardless ATM products, and again in 2017 as larger U.S. banks launched their capabilities.

Financial institutions must increase their focus on mobile devices as part of their security strategy. In many cases, the security underlying mobile transactions unfortunately still relies on vulnerable and outdated username and passcode methods, as well as one-time passcodes that can be easily intercepted and exploited by fraudsters. Threats such as crimeware, malware devised for financial loss, can also be present on the device and target accountholder information for future fraud attempts.

Security solutions currently exist that can help identify legitimate accountholders using a multi-factor authentication-based approach, and device and transaction risk assessments, including authenticating the device being used to conduct the transaction. When these solutions are implemented along with common-sense operational policies and procedures, the risk of fraudulent cardless ATM access can be greatly mitigated. For example, in one of the cardless ATM fraud cases, an attempt to access the mobile banking application on a device never previously used by that account owner should have triggered a step-up authentication challenge.

Financial institutions should consider security tactics to help combat fraud targeting cardless ATM transactions at the point of origin and point of access (the mobile device), including mobile fraud detection with real-time decisioning, biometrics and a permanent device identifier.

Real-time decisioning is a critical part of a cardless ATM process as it provides the ability to detect many different types of risks inherent in ATM transaction access. Behavioral analysis checks that the device is one typically associated with the consumer, that the ATM transaction activity is typical for that person, and that the location makes sense for this particular consumer. There are many other combinations of rules that a financial institution can employ to gain insight into whether this is likely the true accountholder.

Many financial institutions have added biometric identification to their authentication flows as a more secure way to establish the identity of their customers or members. The increasing availability of built-in biometrics capabilities on mobile hardware presents an opportunity to retire outdated username and password methods for confirming a user’s identity. Biometrics are also quickly becoming the preferred method of authentication among consumers themselves, who view them as a more convenient and more secure way to establish their identities. Adding a biometric for mobile application access, for example to originate the ATM transaction, creates a better consumer experience and lessens the risk of account takeover due to compromised credentials.

A mobile security strategy must also secure the device on which cardless ATM access is being requested and initiated. Organizations should also utilize fraud detection capabilities that identify evidence of malware, malicious/tampered applications, key loggers, SMS forwarders or other fraud tools used by criminals to defraud consumers and hijack their accounts.

A permanent device identifier is a way to identify a device using its unique attributes in order to establish the first layer of trust by fulfilling the “something you have” factor in a multifactor solution. Establishing a device as trusted gives financial institutions the confidence they need to allow good customers or members to transact with the least amount of friction; at the same time, it allows institutions to consider an unknown device for a particular consumer to be higher risk and potentially challenged with another authentication step, or denied if other high-risk indicators are present.
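The real-time decisioning and device-trust logic described above can be sketched as a small rule set. This is an added example, not code from the article or from any vendor; the class names, field names, the three outcomes and the amount threshold are all assumptions, and the sample values are constructed.

```python
from dataclasses import dataclass, field

ALLOW, STEP_UP, DENY = "allow", "step_up", "deny"  # assumed outcome labels

@dataclass
class Profile:
    """What the institution already knows about the accountholder (constructed)."""
    trusted_devices: set = field(default_factory=set)   # permanent device identifiers
    usual_cities: set = field(default_factory=set)      # where this consumer normally transacts
    typical_max_amount: float = 300.0                   # assumed behavioral threshold

@dataclass
class CardlessRequest:
    """One cardless ATM withdrawal initiated from the mobile app."""
    device_id: str
    amount: float
    atm_city: str
    fraud_tool_detected: bool = False  # malware, tampered app, key logger, SMS forwarder

def decide(req, profile):
    """Return (decision, reasons) for a request, evaluated before cash is dispensed."""
    # Evidence of fraud tooling on the device ends the flow (assumed policy).
    if req.fraud_tool_detected:
        return DENY, ["fraud tool on device"]
    # Behavioral checks: is the location and amount typical for this consumer?
    behavior = []
    if req.atm_city not in profile.usual_cities:
        behavior.append("unusual location")
    if req.amount > profile.typical_max_amount:
        behavior.append("atypical amount")
    # Unknown device: challenge it, or deny when other indicators are also present.
    if req.device_id not in profile.trusted_devices:
        return (DENY if behavior else STEP_UP), ["unknown device"] + behavior
    # Trusted device: least friction unless behavior looks off.
    return (STEP_UP if behavior else ALLOW), behavior

def enroll_device(profile, device_id):
    """Mark a device as trusted after the consumer passes the step-up challenge."""
    profile.trusted_devices.add(device_id)

if __name__ == "__main__":
    p = Profile(trusted_devices={"dev-A"}, usual_cities={"Cincinnati"})
    for r in (CardlessRequest("dev-A", 100, "Cincinnati"),
              CardlessRequest("dev-B", 100, "Cincinnati"),
              CardlessRequest("dev-B", 100, "Miami")):
        print(r.device_id, r.atm_city, decide(r, p))
```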

A cardless ATM security strategy should include solutions to authenticate both the users and the device being used to initiate access to cardless ATMs, along with real-time risk rule capabilities using device, location and consumer behavior data. These techniques will help mitigate fraud while creating a simple and convenient consumer experience.

Mike Lynch

Mike Lynch is Chief Strategy Officer for InAuth. He can be reached at 904-742-4022 or michael.lynch@inauth.com.