Subscriber login

News
What you need to know for 06/22/2017

Banks shift from plastic to phones at ATMs

Banks shift from plastic to phones at ATMs

Any new financial technology brings with it new security holes
Banks shift from plastic to phones at ATMs
A customer uses her smartphone and an ATM to do banking transactions at the Bank of America Tower in Manhattan on Jan. 27, 2017.
Photographer: James Estrin/The New York Times

Wallets can be lost, stolen or forgotten, but most people today would not be caught dead without their phones.

Banks understand, and are grabbing on to that trend. Customers who do not want to fumble around in their wallet for their ATM card — or who have misplaced it for the umpteenth time — will soon be able to unlock cash dispensers’ coffers by using their phone.

JPMorgan Chase, which has more ATMs in the United States — 18,000 — than any other bank, has activated this technology on a few hundred machines in four test cities, including Miami and San Francisco. Six thousand more are upgraded and ready to go.

Bank of America and Wells Fargo plan to introduce cardless options to all their machines by the end of the year. And while swiping an ATM card may not exactly seem onerous, bankers think going card-free will be a hit with consumers.

“It’s about having the choice,” said Jonathan Velline, Wells Fargo’s head of ATM and branch banking. “If you’ve lost your card or left home without your wallet, chances are you still have your smartphone in your hand.”

But of course, any new financial technology brings with it new security holes.

For decades banks have battled “skimming,” in which criminals sabotage ATMs to steal the information off a card and use it to clear out people’s accounts. The replacement of magnetic stripe cards with chip cards significantly reduced that problem, but mobile access brings in new worries.

One Chase customer recently had $2,900 stolen from her account through the bank’s new cardless system — which she had never used. A thief got her online banking user name and password, installed Chase’s mobile app on his or her phone, and used it to withdraw cash. Unlike most cardless systems, Chase’s does not require customers to enter their four-digit PIN at the cash machine.

Chase refunded the customer’s lost money and immediately made security changes. “We’ve put safeguards in place to protect our customers,” said Michael Fusco, a Chase spokesman. The bank’s system still does not require PINs, but Chase is confident it can detect and prevent similar attacks, he said.

Other banks have fared better, and say their fraud rates on mobile ATM transactions are significantly lower than those for traditional card-swipe withdrawals.

Wintrust Financial, which operates community banks in Illinois and Wisconsin, added cardless access to all its 250 cash machines nearly three years ago. Thanks to multiple layers of security, there has been no fraud so far, said Thomas P. Ormseth, a senior vice president at the bank. (“Knock on wood,” he added.)

How the mobile systems work varies from bank to bank — and sometimes, even within one bank.

Most of the major banks are using a technology called near-field communications (known as NFC), which enables devices to exchange information wirelessly over short distances. Modern smartphones usually contain an NFC chip, which is used for many mobile payment systems, including Apple Pay and Android Pay.

At Bank of America, customers with compatible phones and a digital wallet app can tap their phone on the cash machine’s wireless pad to authenticate their identity. From there, customers enter their personal identification numbers and carry out transactions in the usual way.

Wells Fargo is also testing NFC and adding the hardware it requires to all of its cash machines. But in the meantime, it has a simpler approach: one-time access codes. Customers can log in to Wells Fargo’s mobile app and request one, which is good for 30 minutes. At the 900 Wells Fargo ATMs that are set up to accept the codes so far, the customer types in the code and then their PIN to withdraw cash.

Mobile ATM transactions are usually at least a little bit faster than traditional ones, banks say — sometimes significantly so. Wintrust’s system, which lets customers set up their withdrawal in advance on their phone and simply scan a QR (quick response) code when they get to the machine to get their cash, cut its average transaction time to about 10 seconds from 45, Ormseth said. Around 17 percent of the bank’s customers have used the technology at least once.

Some banks have gone further and let customers ditch even their phones. With biometrics, a unique body part is enough to unlock cash.

At Banco Bradesco, one of Brazil’s largest banks, customers can gain access to an ATM by tapping their palm on a scanner, which reads the pattern of their veins. (The system handled more than 700 million transactions without any reported fraud, according to Fujitsu, which built the technology.) Banks in Japan, India and elsewhere have used fingerprints for authentication.

Citibank experimented two years ago with an iris-scanning ATM, showing off a prototype at a trade show. The reaction was everything the bank had hoped for: “People’s jaws dropped,” said Mark Gilder, Citibank’s director of ATM distribution in the United States. “They thought it was magical. You just had to look at the machine, and money would come out.”

Then reality set in. A compromised bank card can be reissued. If a hacker figures out how to imitate someone’s eyeball — which has been done in laboratory settings — it cannot be replaced. For that and other reasons, Citibank shelved its iris scanner, for now.

It is also taking a wait-and-see approach to cardless ATMs.

“We want to be ready when people no longer carry cards and leave their wallets at home, but that timeline is developing more slowly than perhaps we thought it would a few years ago,” Gilder said.

This year, though, could be a tipping point.

About 2.5 percent of the 425,000 ATMs in the country are set up for cardless access, according to an estimate from Crone Consulting, which researches the payments industry. By the fall, it expects that number to rise to 25 percent.

As with mobile wallets, technical hurdles may hamper customer enthusiasm. People will generally need to install their bank’s mobile app on their phone, and each major bank is setting up access for only its own customers. So, for example, a Chase customer will not be able to pop into a Bank of America branch and withdraw money using a mobile phone.

That is likely to change eventually. In the early days of ATMs, networks were independent and isolated; now customers take it for granted that their cards will work at nearly any machine.

The biggest opportunity in cardless access will come as it expands to financial services beyond traditional bank accounts, said Richard Crone of Crone Consulting.

“Think of things that don’t have cards issued against them, like money market accounts or Venmo,” he said. “Unlocking cash access to those accounts would be a really big deal.”

Venmo, the digital payment system of choice for many millennials, is owned by PayPal. Giving PayPal and Venmo customers direct access to their money through ATMs is not in the works, but it “isn’t something I would rule out,” said Chris Gardner, product head for PayPal’s mobile wallet software.

Even if mobile wallets finally take off and phones replace debit and credit cards, there are still times — even for millennials — when only old-fashioned cash will do.

View Comments
Hide Comments
0 premium 1 premium 2 premium 3 premium 4 premium 5 premium 6 premium 7 premium article articles remaining SUBSCRIBE TODAY

You have reached your monthly premium content limit.

Continue to enjoy Daily Gazette premium content by becoming a subscriber.
Already a subscriber? Log In