Mobile ATM Security under the microscope

By: Owen Wild

December 20, 2015 01:00 PM

Mobile-ATM integration is gathering pace as consumers and banks catch on to its many benefits.


One of the key advantages is the ability to withdraw cash or initiate the ATM transaction without inserting a plastic debit or credit card. With nothing being physically inserted, this greatly reduces the chance of card skimming, PIN theft and other fraud at the ATM.


This represents a huge benefit for financial institutions looking to reduce fraud rates. But the removal of the plastic card from the transaction is not the only security consideration when it comes to mobile-ATM integration.


At present, cutting out skimming appears to be a clear security win that does not open up another front elsewhere.

“Right now, phone initiated ATM transactions do not appear to present a real source of new fraud,” writes Sarah Grotta, director of Mercator Advisory Group Debit Advisory Service, in a Payments Journal blog.


But this situation is unlikely to last forever. “With time, as usage creeps up, the access to cash may become too enticing for fraudsters to pass up,” adds Ms. Grotta.


Any account or card data that resides on the phone needs to be properly protected, such as through encryption. The contactless transmission method also needs monitoring, as there are potential concerns about fraudsters being able to intercept the data being transmitted.


Apple Pay and other mobile payment schemes don’t hold onto sensitive card data and a similar approach would seem to be the best option for any mobile banking apps that can also be used for ATM withdrawals.


Tokenization, a hot favorite in the payments industry, is a key technology that will aid mobile-ATM integration. Tokens are stored in the secure element of a user’s phone or in a cloud-based host card emulation (HCE) software vault.


Banks may also want to consider where the authentication process happens: on the ATM keypad as before or via the phone handset. Biometric technology on devices like the latest iPhones opens up other potential security considerations. For example, is a PIN even needed, or should the biometric part simply enable access to the ATM and PIN keypad?


“Another method for authenticating a cardless transaction is to send the customer an SMS message containing a one-time-use numeric code or voucher number that must be entered on the ATM keypad for transaction authorization,” notes the ATM and Mobile 101 report by ATM Marketplace. A QR code sent to the customer’s phone is another method to authenticate an ATM transaction.
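The following is an added example, not code from the article, NCR or the cited report: a host-side sketch of the one-time-code check described above, with the properties a reviewer would look for (short expiry, single use, a retry limit, and no plaintext code kept on the server). The class name, the `voucher_id` reference that the ATM session is assumed to supply, and the five-minute and three-attempt limits are all assumptions.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumed validity window for the SMS code
MAX_ATTEMPTS = 3         # assumed keypad retry limit

class StagedWithdrawals:
    """Host-side store of pre-staged cardless withdrawals (hypothetical design)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._key = secrets.token_bytes(32)   # server-side key for code digests
        self._staged = {}                     # voucher_id -> record

    def _digest(self, voucher_id, code):
        # Keyed digest bound to the voucher, so the code itself is never stored.
        msg = f"{voucher_id}:{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def stage(self, account, amount):
        """Create a withdrawal; return (voucher_id, code). The code goes out by SMS."""
        voucher_id = secrets.token_hex(8)
        code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, six digits
        self._staged[voucher_id] = {
            "account": account, "amount": amount,
            "digest": self._digest(voucher_id, code),
            "expires": self._clock() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        return voucher_id, code

    def redeem(self, voucher_id, entered_code):
        """Return the approved amount, or None if the code is rejected."""
        rec = self._staged.get(voucher_id)
        if rec is None:
            return None
        if self._clock() > rec["expires"] or rec["attempts"] >= MAX_ATTEMPTS:
            del self._staged[voucher_id]       # expired or locked out
            return None
        rec["attempts"] += 1
        expected = self._digest(voucher_id, entered_code)
        if not hmac.compare_digest(rec["digest"], expected):
            return None
        del self._staged[voucher_id]           # single use: burn on success
        return rec["amount"]
```
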


In the case of mobile-ATM integration, we can learn a lot from the payments industry, including how schemes such as Apple Pay have tackled security concerns.

Owen Wild

Security Marketing Director

Owen Wild is responsible for marketing strategies for NCR Security Solutions within NCR’s Financial Solution Portfolio. Over the past 15 years, Owen has held several sales and marketing positions with leading travel and tech companies.