Hacking Is About to Get a Lot Harder With Cardless ATMs

A few years back, a friend of mine was traveling from New York City to Paris. After landing at Charles de Gaulle Airport, he reached for his wallet, but realized it was no longer in the back of his trouser pocket. He had been pick-pocketed during his metro ride. All of his cash, credit cards, and debit cards were gone.

Were something like this to happen in the near future, my friend would have a much easier time making it through the next 48 hours, so long as he had his smartphone. In just the last few weeks, a number of banks have announced plans for cardless ATMs. Wells Fargo (WFC), J.P. Morgan Chase (JPM), and Bank of America (BAC) are all piloting their own initiatives. The basic idea is that the bank’s mobile app generates a code that consumers can use to unlock their bank accounts, enabling them to withdraw money simply by tapping their device when they’re in front of the ATM.

The smartphone has already established itself as an indispensable device for nearly everyone on the planet, even in some of the most remote and seemingly underdeveloped regions. But with respect to innovations, we are still only scratching the surface. Despite claims that innovation in smartphones may be dying and that the market is becoming flat, there is still plenty of room for innovative, non-trivial design changes and the introduction of new features. In the next few versions of our smartphones, there will be integration with augmented reality, flexible and bendable screens, and even wireless audio and wireless battery charging.

Of course, connectivity of this magnitude has already taken shape, from smart cars to smart homes to targeted advertising. Paying for purchases, therefore, needs to be just as seamless as the rest of our lives are becoming. Thanks to the likes of Apple (AAPL) Pay, Android Pay, and Square (SQ), mobile-payments systems are now poised to cause massive disruption. A significant majority, nearly 80%, of Apple Watch users use Apple Pay to pay for both online and in-person purchases. Android has followed suit with its Android Pay system, allowing customers to walk through a physical store and select an item, tap their phone to scan a barcode, and make a purchase without even thinking of waiting in line.

As with any new form of payment technology, though, there’s typically a catch. In mobile banking, the catch is significant when considering the level of security breaches and fraud. Fraud caused approximately $32 billion in losses in the U.S. retail industry in 2014. To mitigate this across in-store, online, and mobile payments, payment companies and card issuers started the move from magnetic stripes to chip-based cards. While that did stymie the losses, still, in 2016, it was predicted that there would be about $4 billion in retail fraud in the U.S. And in the U.K., for example, where chip-based credit cards were introduced a decade ago, online fraud rose 79% in the first three years after chip-based cards were introduced. Similar stories abound in Australia and Canada. So the threat from moving to new payment systems is non-trivial and real, and often inadvertent.

For many banks, though, it turns out that mobile-phone-enabled, cardless ATM transactions have the potential to actually reduce the threat of fraud and security breaches. This is especially true of threats from skimmers, or fraudsters who copy card and ID numbers from the magnetic stripes of the widely used plastic cards in ATMs.

In ATM skimming, scammers use various kinds of electronics to steal the personal information stored on a card, record the PIN to access the account, and withdraw the cash. First, a fake card reader (known as a skimmer) is placed over the ATM’s real card slot. As unsuspecting users slide their cards into the ATM, they inadvertently slide them through the scammer’s counterfeit reader, which then stores each card’s info. To gain access to the bank account at an ATM, the scammers use tiny cameras hidden on or near the ATM to get a clear view of the keypad, record the tapping activity on the ATM’s screen, and get the PIN.

That being said, phishers (malicious hackers interested in identity theft or stealing credit card information) have in the past hacked into the smartphones of unsuspecting users, often while those users were browsing the web on public Wi-Fi, to retrieve sensitive financial or personal information. So the only way a phisher could steal a user’s banking info is if the user was on public Wi-Fi when doing cardless ATM banking.

On the whole, cardless ATM banking provides immediacy, security, and accessibility. Next time a family member desperately needs cash in a foreign land or my child has lost her wallet, I know I can bail them out simply by passing on the code from my phone app to them. All they need to do is to find the nearest ATM.

Anindya Ghose is a professor at New York University’s Stern School of Business and author of the forthcoming book, Tap: Unlocking the Mobile Economy.