This is a guest post by Michael Lynch, Chief Strategy Officer at InAuth.
In 2017, many of the largest US banks began rolling out new cardless ATM capabilities. And that trend continues in 2018 with Fifth Third Bancorp, a financial services company headquartered in Cincinnati, Ohio launching its cardless ATM process in March. Banks desire to create better customer experiences by increasing convenience, and one such opportunity is the cardless ATM experience, where customers are able to withdraw money from an ATM using a mobile app to initiate the transaction.
Banks have taken very different approaches to cardless ATM transactions. For Fifth Third’s Cardless ATM process, customers sign into Fifth Third’s mobile banking app, choose the account, and click the new Cardless ATM icon. Then at the ATM they scan the barcode using the mobile app, enter a PIN at the prompt, and the ATM dispenses the cash. Another process involves a customer loading debit card details into an existing smartphone mobile wallet (e.g. Apple Pay, Google Pay or Samsung Pay) and then using the near-field communication (NFC) technology built into the mobile device at the ATM in conjunction with a biometric and a PIN. Other financial institutions are employing a process where codes are sent to recipients for ATM withdrawals. Customers can use this service to send money to a friend or family member with relative ease, as the code recipient can retrieve money from an ATM by entering a code from the text message.
The ATM channel has been a successful area for fraud in the past. For example, fraudsters have often used a technique known as skimming, which is the use of a physical device that fits over the existing card reader to scan and store your card information. Fraudsters may be highly motivated to find a way to continue to commit fraud on this channel. In fact, cardless ATM fraud was seen as early as 2012 in the early launches of cardless ATM products, and again in 2017 as larger US banks launched their capabilities.
Financial institutions must deploy a multi-layered security strategy in order to mitigate cardless ATM fraud. They can no longer rely on vulnerable username and passcode protocols, nor on one-time passcodes, which can also be easily intercepted and exploited by fraudsters. And they need to mitigate against threats such as crimeware, which is malware devised to capture account information for future fraud attempts.
Security solutions such as a multi-factor authentication (MFA)-based approach, together with device and transaction risk assessments, including authentication of the device being used to conduct the transaction, should be utilized.
Financial institutions should consider protecting both the point of origin and the point of access (the mobile device) with mobile fraud detection that combines real-time decisioning, biometrics and a permanent device identifier.
Real-time decisioning is a critical part of a cardless ATM process. It involves the detection of many different types of risks inherent in access to ATM transactions. Part of that real-time decisioning should include behavioral analysis which, for example, ensures the device is one typically associated with the customer, the ATM transaction activity is typical for this customer, and that the location makes sense for this particular customer. There are many other combinations of rules that a financial institution can employ to gain insight into whether this is likely the true customer.
Many financial institutions have added biometric identification to their authentication flows as a more secure way to establish the identity of their customers. This is a vast improvement over the often-compromised username-and-password-dependent techniques. Biometrics are quickly becoming the preferred method of authentication among consumers themselves, who view them as a more convenient and more secure way to establish their identities. Adding a biometric for mobile application access, for example to originate the ATM transaction, creates a better customer experience and lessens the risk of account takeover due to compromised credentials.
A mobile security strategy must also secure the device on which cardless ATM access is being requested and initiated. Organizations should also utilize fraud and risk detection capabilities that identify evidence of malware, malicious/tampered applications, key loggers, SMS forwarders, or other fraud tools used by criminals to defraud customers and hijack their accounts.
A permanent device identifier is a way to identify a device using its unique attributes in order to establish the first layer of trust by fulfilling the “something you have” factor in a multifactor solution. Establishing a device as trusted provides financial institutions with the confidence they need to allow good customers to transact with the least amount of friction, while at the same time allowing institutions to treat an unknown device for a particular customer as higher risk: such a transaction can be challenged with another authentication step, or denied if other high-risk indicators are present. The biometric, which is “something you are”, paired with the typical device for the customer, provides two reliable factors in the multifactor authentication approach.
In order to deploy a secure cardless ATM experience, organizations should include solutions to authenticate both the users and the device being used to initiate access to cardless ATMs, along with real-time risk rule capabilities using device, location, and customer behavior data. Using a multilayered security strategy will help create a secure and convenient customer experience.
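The real-time decisioning rules described above (device typical for the customer, typical transaction activity, plausible location) combined with the device-identifier and biometric factors, as an added example that is not InAuth’s or any bank’s code; the rule weights, the 300 km location threshold, the hard-deny on device fraud-tool flags, and the sample customer data are all assumptions constructed for the illustration:

```python
"""Illustrative real-time risk decisioning for a cardless ATM withdrawal.
Added example; rule weights, thresholds and sample data are assumptions."""
from dataclasses import dataclass, field
from math import asin, cos, radians, sin, sqrt

@dataclass
class CustomerProfile:
    known_devices: set          # permanent device identifiers seen before
    typical_max_amount: float   # largest withdrawal in recent history
    home_lat: float
    home_lon: float

@dataclass
class WithdrawalRequest:
    device_id: str              # permanent device identifier ("something you have")
    biometric_verified: bool    # app-side biometric passed ("something you are")
    amount: float
    atm_lat: float
    atm_lon: float
    device_flags: list = field(default_factory=list)  # e.g. "sms_forwarder"

def distance_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km (haversine) between the customer's home and the ATM."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def assess(profile, req, max_km=300.0):
    """Return (decision, reasons); decision is 'allow', 'step_up' or 'deny'."""
    # Evidence of fraud tooling on the device is a hard deny regardless of score.
    if req.device_flags:
        return "deny", ["device_flag:" + f for f in req.device_flags]
    score, reasons = 0, []
    if req.device_id not in profile.known_devices:    # unknown device for this customer
        score += 2; reasons.append("unknown_device")
    if not req.biometric_verified:                    # second factor missing
        score += 2; reasons.append("no_biometric")
    if req.amount > profile.typical_max_amount:       # atypical activity for this customer
        score += 1; reasons.append("atypical_amount")
    if distance_km(profile.home_lat, profile.home_lon, req.atm_lat, req.atm_lon) > max_km:
        score += 1; reasons.append("implausible_location")
    if score == 0:
        return "allow", reasons         # trusted device + biometric: least friction
    if score <= 2:
        return "step_up", reasons       # challenge with another authentication step
    return "deny", reasons

# Constructed sample: a Cincinnati customer with one enrolled phone and a $300 habit.
SAMPLE_PROFILE = CustomerProfile({"dev-A1"}, 300.0, 39.10, -84.51)
```

A known device with a passed biometric and a nearby, typical-sized withdrawal is allowed without friction; an unknown device alone triggers a step-up, while an unknown device without a biometric, or any device carrying fraud-tool indicators, is denied.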
About the author
Michael Lynch is Chief Strategy Officer at InAuth, with responsibility for developing and leading the company’s new products strategy, marketing, and developing key partnerships.
DISCLAIMER: BiometricUpdate.com blogs are submitted content. The views expressed in this blog are that of the author, and don’t necessarily reflect the views of BiometricUpdate.com.