New York Times
has announced that several of the biggest banks in the U.S., including
Bank of America and
Wells Fargo, are giving people a new way to get cash from an ATM, using their
smartphone. Instead of inserting a card, entering a PIN and making selections
from a keypad or touchscreen, you just tap your NFC-enabled smartphone or your
contactless bank card to the machine to start the transaction.
Contactless transactions save time, shaving the process down to about 10
seconds. That’s quite a bit faster than traditional magstripe and chip
cards, which typically need between 45 seconds and a minute. Considering that
more people now choose an ATM over a teller, saving time at the machine can
make a real difference in terms of customer satisfaction.
Contactless as a strategy for fraud prevention
Perhaps even more important than speed and convenience, though, is the fact
that the contactless process is more secure, especially since magstripe cards
have shown to be a popular target of skimming, a growing type of fraud. With
skimming, a fake card slot, mounted on the ATM, steals your credentials and
lets scammers use your information to make unauthorized withdrawals and
FICO Card Alert Service, a Silicon Valley-based data analytics firm that also supplies
fraud-protection for card transactions, reports that its fraud-tracking
service recorded a 546 percent increase in ATM skimming attacks from 2014 to
2015 (FICO, 2016).
Using a smartphone at the ATM eliminates the card, so there’s no
skimming, and eliminates the need to physically enter your PIN onto a keypad.
The PIN code is encrypted in the phone and authenticated by the ATM using
cryptographic authentication. Not having to type a PIN code is more
convenient, but it also takes away the opportunity for a hidden camera or even
someone standing nearby to record the numeric sequence you’ve entered.
The standard combination of technologies used in today’s smartphones,
with contactless NFC supported by an embedded Secure Element (eSE) for
cryptographic authentication, has already proven itself as a safe, trustworthy
approach for contactless ATMs. In Spain, for example, contactless ATMs that
work with NFC-enabled smartphones have been available since 2011, and the
format is considered a success.
In the U.S., though, some banks are adding an extra layer of security to
contactless ATMs by customizing their transactions. On the Wells Fargo system,
for example, you receive a temporary numeric code, good for 30 minutes, which
you type in at the machine. Other systems have you pre-schedule your
withdrawal and then send you a one-time QR Code that displays on your
smartphone screen. Still other banks are taking advantage of Apple’s
Touch ID, which scans fingerprints, and using it as a biometric for
Added security mechanisms like randomly generated numbers, QR Codes and Touch
ID scans can increase trust, but because they involve proprietary systems,
they limit interoperability. For the time being, the current rollouts of
contactless ATMs are not interoperable – each bank offers their own
solution – so you can only use the setup at your own bank’s
ATMs. Today’s consumers have grown used to being able to use their
debit cards at just about any ATM machine, anywhere they go, even if
there’s an added fee. Over time, it’s likely that demand for
interoperability, and the convenience it brings, will make it harder for the
proprietary formats to endure.
As part of the trend toward standardization, interoperability and heightened
security, NXP recently announced the PN80T, a next-generation device for
mobile security that combines NFC with an eSE. PN80T delivers more robust NFC
performance in an electronic device, comparable to that of a contactless
smart card. The eSE in the PN80T is certified EAL 6+, the highest Common
Criteria level of any eSE on the market. The PN80T also offers room to grow,
from a security standpoint and will give smartphones a way to stay ahead of
hackers, as the market continues the transition to eWallets.
Not an overnight change
Introducing smartphone-driven ATMs is a positive sign for eWallets, but it
probably won’t make traditional debit cards obsolete anytime soon.
People can be slow to change, especially when it comes to financial
transactions, so the transition away from card-based ATMs is likely to be a
more long-term proposition. On the other hand, contactless ATM transactions
could help push many of us closer to the point where we leave the plastic at
home and additionally increase the use of eWallet applications at the POS.
The tipping point for eWallets?
The NFC-based smartphone process uses the same contactless infrastructure for
smartcards, which are used throughout the world by millions of people for
things like tap-and-go payments, with plastic bank cards, as well as public
transportation and building access.
NFC is also the same contactless technology used by smartphones for eWallet
applications such as Apple Pay and Android Pay. As more people begin using
their smartphones at ATMs, they’re more likely to consider using one of
the Pay formats in stores.
NXP’s NFC Technology Hub
PN80T press release