While walking her dog one evening in San Francisco, Melinda Hickman suddenly realized two things. She needed to get cash to pay her house cleaner the next morning — and her bank card was back at home in her wallet. Unfazed, Hickman signed in to the Wells Fargo app on her smartphone. After a few taps, the app generated an eight-digit code. At a nearby ATM, she punched in the code and her PIN and was able to withdraw the money.
“It was simple and convenient,” she recalls. And because no swipe was involved, the transaction was more secure than a standard withdrawal.
Convenience and security are two big reasons banks believe consumers will embrace cardless ATM access. Indeed, 2017 is shaping up to be the year cardless ATMs catch on. Since March, when Wells Fargo debuted app-based authentication at all of its 13,000 ATMs in the United States, customers like Hickman have carried out more than 1 million cardless transactions.
Payments-research firm Crone Consulting recently estimated that by fall 2017, 25% of the nation’s 425,000 ATMs would accommodate cardless access. Some examples:
Bank of America plans to have all of its ATMs equipped for cardless access by the end of 2017
Chase tested a pilot version of cardless access last year. Its system suffered some security lapses. This year, having tightened up account access, the bank is trying again with 600 machines in certain Florida, California and Ohio cities.
Smaller banks, including BMO Harris, Bank of Hawaii, Illinois-based Wintrust Financial and Boston-area Salem Five, have been providing this ATM option successfully for the past few years
How cardless ATMs work
During ordinary ATM transactions, you establish your identity with your PIN and the data stored on your card’s magnetic stripe. With cardless withdrawals, your phone takes on that task, which it can do in one of two ways:
App-generated code: Some codes, such as Wells Fargo’s, are numerical. Others, such as those used by BMO Harris and Bank of Hawaii, are two-dimensional bar codes, also known as QR codes. At the ATM, you enter the numerical code or scan the QR code, proving your identity and authenticating your upcoming transaction. In many cases, you'll have to enter your PIN as well.
Near-field communication: This involves tapping your phone against a sensor attached to the ATM. A chip in your phone emits a signal by which the NFC-enabled ATM confirms your identity. (Apple Pay, Android Pay and similar digital wallet apps use NFC.) You then select the virtual debit card info stored in your app or digital wallet, enter your PIN and conduct your transaction.
Capital One uses NFC for its CashTapp system at brick-and-mortar locations in Boston; Chicago; Philadelphia; San Francisco; Austin, Texas; and Richmond, Virginia. Bank of America's cardless ATMs use NFC as well. Wells Fargo has announced it will add NFC capability to all its ATMs this year; more than 40% already have NFC enabled.
Security is the motivation
Why the push for cardless ATMs? Convenience is a big factor, though you do lose the flexibility of being able to use every ATM, as you can with a card. More significantly, app-enabled ATM access lessens the risk of having your card data stolen.
Card data are most commonly pilfered with skimmers, hidden devices that read and store account information when someone swipes a card at an ATM. When those data are combined with PINs that have been recorded with pinhole cameras or fake keypads, fraudsters can create and use counterfeit cards for those accounts.
Skimming accounts for more than 98% of ATM fraud losses, according to security firm TMD Security. The Secret Service estimates that consumers and banks lose $8 billion to skimming each year. In 2016, FICO reported, the number of compromised ATMs and point-of-sale card readers rose by 30%.
Consumers are aware of the danger. In one recent survey, 34% of ATM users in the U.S. said they were “very concerned” about card skimmers. In a different poll, 28% of American cash machine users said they wanted ATM authentication to be more secure.
What you can do to be safer
Cardless access definitely helps, but it's not the only answer. A few crooks have already managed to hack the new system. As reported by computer security expert Brian Krebs, at least some of last year’s Chase account breaches occurred after thieves stole login details for the victims’ accounts, then altered the accounts’ authentication details to gain access.
"Layers of security need to be added to make it harder for the thieves, but users should also practice good identity hygiene,” says Eva Velasquez, president and CEO of the Identity Theft Resource Center in San Diego. The ITRC recommends adding more authentication factors to your app, such as a fingerprint or second passcode; using antivirus software on your phone; and avoiding links in texts from unfamiliar sources.
The goal is to ensure that if you don’t swipe your card, fraudsters can’t swipe your data.