The New York Times has announced that several of the biggest banks in the U.S., including JPMorgan Chase, Bank of America, and Wells Fargo, are giving people a new way to get cash from an ATM, using their smartphone. Instead of inserting a card, entering a PIN, and making selections from a keypad or touchscreen, you just tap your NFC-enabled smartphone or your contactless bank card to the machine to start the transaction.
Contactless transactions save time, shaving the process down to about 10 seconds. That’s quite a bit faster than traditional magstripe and chip cards, which typically need between 45 seconds and a minute. Considering that more people now choose an ATM over a teller, saving time at the machine can make a real difference in terms of customer satisfaction.
Contactless as a strategy for fraud prevention
Perhaps even more important than speed and convenience, though, is the fact that the contactless process is more secure, especially since magstripe cards have shown to be a popular target of skimming, a growing type of fraud. With skimming, a fake card slot, mounted on the ATM, steals your credentials and lets scammers use your information to make unauthorized withdrawals and purchases. The FICO Card Alert Service, a Silicon Valley-based data analytics firm that also supplies fraud-protection for card transactions, reports that its fraud-tracking service recorded a 546 percent increase in ATM skimming attacks from 2014 to 2015 (FICO, 2016).
Using a smartphone at the ATM eliminates the card, so there’s no skimming, and eliminates the need to physically enter your PIN onto a keypad. The PIN code is encrypted in the phone and authenticated by the ATM using cryptographic authentication. Not having to type a PIN code is more convenient, but it also takes away the opportunity for a hidden camera or even someone standing nearby to record the numeric sequence you’ve entered.
The standard combination of technologies used in today’s smartphones, with contactless NFC supported by an embedded Secure Element (eSE) for cryptographic authentication, has already proven itself as a safe, trustworthy approach for contactless ATMs. In Spain, for example, contactless ATMs that work with NFC-enabled smartphones have been available since 2011, and the format is considered a success.
In the U.S., though, some banks are adding an extra layer of security to contactless ATMs by customizing their transactions. On the Wells Fargo system, for example, you receive a temporary numeric code, good for 30 minutes, which you type in at the machine. Other systems have you pre-schedule your withdrawal and then send you a one-time QR Code that displays on your smartphone screen. Still other banks are taking advantage of Apple’s Touch ID, which scans fingerprints, and using it as a biometric for multi-layer authentication.
Added security mechanisms like randomly generated numbers, QR Codes, and Touch ID scans can increase trust, but because they involve proprietary systems, they limit interoperability. For the time being, the current rollouts of contactless ATMs are not interoperable – each bank offers their own solution – so you can only use the setup at your own bank’s ATMs. Today’s consumers have grown used to being able to use their debit cards at just about any ATM machine, anywhere they go, even if there’s an added fee. Over time, it’s likely that demand for interoperability, and the convenience it brings, will make it harder for the proprietary formats to endure.
As part of the trend toward standardization, interoperability, and heightened security, NXP recently announced the PN80T, a next-generation device for mobile security that combines NFC with an eSE. PN80T delivers more robust NFC performance in an electronic device, comparable to that of a contactless smartcard. The eSE in the PN80T is certified EAL 6+, the highest Common Criteria level of any eSE on the market. The PN80T also offers room to grow, from a security standpoint, and will give smartphones a way to stay ahead of hackers, as the market continues the transition to eWallets.
Not an overnight change
Introducing smartphone-driven ATMs is a positive sign for eWallets, but it probably won’t make traditional debit cards obsolete any time soon. People can be slow to change, especially when it comes to financial transactions, so the transition away from card-based ATMs is likely to be a more long-term proposition. On the other hand, contactless ATM transactions could help push many of us closer to the point where we leave the plastic at home and additionally increase the use of eWallet applications at the POS.
The tipping point for eWallets?
The NFC-based smartphone process uses the same contactless infrastructure for smartcards, which are used throughout the world by millions of people for things like tap-and-go payments, with plastic bank cards, as well as public transportation and building access.
NFC is also the same contactless technology used by smartphones for eWallet applications such as Apple Pay and Android Pay. As more people begin using their smartphones at ATMs, they’re more likely to consider using one of the Pay formats in stores.
NXP’s NFC Technology Hub
PN80T press release