Consumers’ Trust of Cardless ATMs Will Not Happen Without Strong Mobile Device Security

One key to improving cardless ATM acceptance among consumers is to build trust and comfort by ensuring that best-in-class security measures are in place. Given the right security and layers of defense, the cardless ATM process can be secure.

• By Michael Lynch
• Apr 16, 2018

Using a variety of different approaches, several major financial institutions now offer cardless ATM capabilities that allow consumers to withdraw cash using mobile devices instead of their debit card. Using contactless technology or QR codes, banks are now offering an improved experience by removing the authentication step requiring the consumer to insert their debit card to identify themselves and replacing it with the mobile device and mobile banking application.

Cardless ATMs are a way to improve convenience by eliminating the need for consumers to carry their cards. And with respect to security, these banks have reduced the need to replace lost or stolen cards, and have eliminated the potential for skimming, which is the use of a device to read debit card information at the physical ATM and commit fraud against consumer accounts.

Currently, consumer demand for cardless ATMs is relatively low. For its ATM Future Trends 2017 report, ATM Marketplace surveyed U.S. consumers about the top three services they'd most like to see available at the ATM. Only 14 percent selected cardless ATM access.

One key to improving cardless ATM acceptance among consumers is to build trust and comfort by ensuring that best-in-class security measures are in place. Given the right security and layers of defense, the cardless ATM process can be secure.

For example, one ATM process might be the following. A consumer will set up the ATM withdrawal in advance and now have the capability to withdraw the cash within 24 hours. Arriving at the ATM, the consumer interfaces with a contactless reader with their digital wallet which has their debit card enabled. The wallet may require biometric to access the card, which is a good best practice. If the consumer has initiated an ATM transaction already, they will be prompted on screen to complete their withdrawal. During the process, as another authentication factor, the consumer is asked to enter their pin.

This example shows the proper use of multifactor authentication which will help mitigate fraud. The mobile device acts as “something you have,” as does the tokenized card in your digital wallet. The biometric acts as “something you are”, identifying the authorized user. The pin is a third authentication factor, as it is “something you know”.

Since the mobile device is taking on an increasingly high-profile role in facilitating financial transactions of all types, organizations must focus on the device itself as the central component of security. A truly comprehensive mobile security strategy must consider the risk of the mobile device and ensure the environment where the mobile banking application is operating is secure.

A device intelligence solution that uses the mobile device as a permanent identifier is critical to establishing trust in the user who is being authenticated. Such solutions also use many different device attributes to uncover and analyze risk factors to establish the first layer of trust for cardless ATM access.

Organizations should use risk detection capabilities that detect evidence of malware, malicious and corrupted applications, emulators, GPS spoofers, device spoofers, key loggers, SMS forwarders and other fraud tools used by criminals to hijack accounts and defraud customers.

It is critical to verify the device does not pose a fraud risk in order to use it as a factor in multifactor authentication, as well as to trust the biometric identification. Biometric access is a much stronger authentication layer than the outdated username and password system. However, if a device has spyware to capture account information, the biometric is not a deterrent for fraud because the cyber criminals are still able to steal the account information.

Once device trust has been established, financial institutions can confidently allow good customers to transact with minimal friction. At the same time, they can better identify devices with high-risk indicators so they can be challenged or denied outright. In cases of a known fraud case, permanently identifying a device allows an organization to negative list it and block further access.

Cardless ATMs represent the latest wave in mobile payments evolution. The technology offers increased convenience for consumers, and cost-savings and enhanced efficiency for financial institutions. But for it to gain adoption, financial institutions must ensure that they are providing customers a secure experience.

Employing security best practices in the cardless ATM process can have a profound effect on the proliferation of cardless ATM technology and will go a long way toward creating consumer acceptance and trust.