ATM skimming remains a big business for organized crime rings. According to a recent article on ATMMarketplace.com, card skimming accounted for more than $2 billion in losses. One new approach that banks are exploring to mitigate this particular fraud vector is to use the smartphone as a second authentication factor, since most people always have their phone with them. But the question remains: can smartphones solve the growing problem of skimming, or do they bring vulnerabilities of their own that open a new avenue for attackers?
Perhaps the biggest problem is perception. Consumers remain largely unaware of card skimming, and even those who are mindful of the risk don't believe they are liable for the losses. So if banks are truly interested in using mobile phones as a primary form of authentication at the ATM, they will need to sell their customers on a better, more secure user experience. That will be a tough sell: a typical fast withdrawal currently takes 15-20 seconds, and it is hard to imagine a phone-based flow that requires a second factor or a Quick Response (QR) scan being faster or easier than entering a four-digit PIN.
Security and mitigating losses from skimming will ultimately be what banks care about most, and we would argue that the risk profiles of the two approaches are not all that different. Because mobile devices are more likely to be lost or stolen, a compromised phone linked to a bank account can potentially be used as a gateway to cash at an ATM.
As such, banks that are keen on implementing a card-less ATM solution will need to review and strengthen their enrollment process: an attacker who holds a victim's online-banking credentials can register their own phone for mobile banking as that user and then withdraw cash (see a good example of how Apple Pay is exploited for fraud here). Biometric measures like Apple's Touch ID do not close this gap, because Touch ID only validates the fingerprint locally on the device; the ATM and the bank never see a fingerprint, they only see an assertion from the phone. An attacker can therefore register their own phone, and their own fingerprint, against another user's credentials.
Another disadvantage of using mobile phones as a card replacement is the reliance on QR codes instead of the more flexible NFC, HCE or Bluetooth standards. When vendors first designed these solutions three years ago, Apple did not support NFC, so vendors chose not to invest in NFC and opted for QR codes, which come with a variety of user-experience problems. No doubt, if they had to choose today, they would never pick QR codes. Thus we are stuck with QR codes instead of the superior experience of an NFC or Bluetooth handshake between the phone and the ATM.
But user experience is just one issue with QR codes. The authentication that takes place when the app scans a unique QR code, signalling the ATM to dispense cash, runs over an encrypted connection to the vendor's cloud backend. If that backend is compromised, a thief could potentially withdraw cash from every ATM that supports it. The backend becomes a single open front door to the entire ATM network, a failure mode that simply does not exist with today's ATM cards, where a stolen or cloned card exposes one account at a time.
Of course, no solution is completely secure, which is why we at Easy Solutions advocate a layered security approach; it remains the only true way to mitigate the risk of fraud. If mobile phones eventually do become a proxy for getting cash, banks will need to be more vigilant about monitoring the behavior of customer phones, which raises a serious privacy concern. The first layer should be encryption and keys unique to each instance of the phone app: the phone presented at the ATM must hold the same key that was provisioned to the enrolled app, and a key bound to the device is significantly harder for malware to extract than a username and password.
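The following is an added illustration, not code from Easy Solutions or from any ATM vendor, of the enrollment weakness described above and of the per-instance-key handshake we recommend. It assumes a flow in which the ATM asks the backend for a one-time session nonce and displays it as a QR code, the enrolled app signs the ATM id, nonce, amount and device id with a key unique to that app instance, and the backend checks the tag, the nonce and the device-to-account binding before telling the ATM to dispense. The key is a symmetric HMAC key so that the example runs with the Python standard library alone; a production app would keep an asymmetric key in the phone's secure hardware. All names, limits and the sample accounts are constructed for the example.

```python
"""Device-bound QR withdrawal handshake (constructed example, stdlib only)."""
import hashlib
import hmac
import json
import secrets
import time

SESSION_TTL_SECONDS = 60        # assumed: a displayed QR code is valid for one minute
MAX_WITHDRAWAL_CENTS = 50_000   # assumed per-transaction limit


def canonical(atm_id: str, nonce: str, amount_cents: int, device_id: str) -> bytes:
    """Fixed-order encoding of exactly what the phone is authorizing."""
    payload = {"atm": atm_id, "nonce": nonce, "amount": amount_cents, "device": device_id}
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


class Backend:
    """The vendor cloud: holds device keys, issues nonces, decides on dispensing."""

    def __init__(self, now=time.time):
        self.now = now
        self.devices = {}   # device_id -> (account, key), written at enrollment
        self.sessions = {}  # nonce -> (atm_id, expires_at)
        self.spent = set()  # nonces already consumed, for replay protection

    def enroll(self, account: str, device_id: str) -> bytes:
        # NOTE: this is the weak link the article describes. Anyone who can pass
        # whatever login check precedes this call gets a fresh key for their phone.
        key = secrets.token_bytes(32)
        self.devices[device_id] = (account, key)
        return key

    def new_session(self, atm_id: str) -> dict:
        """Called by the ATM; the returned dict is what the QR code encodes."""
        nonce = secrets.token_hex(16)
        self.sessions[nonce] = (atm_id, self.now() + SESSION_TTL_SECONDS)
        return {"atm": atm_id, "nonce": nonce}

    def authorize(self, req: dict) -> str:
        session = self.sessions.get(req["nonce"])
        if session is None:
            return "REJECT:unknown-session"
        if req["nonce"] in self.spent:
            return "REJECT:replay"
        atm_id, expires_at = session
        if self.now() > expires_at:
            return "REJECT:expired"
        if req["atm"] != atm_id:
            return "REJECT:atm-mismatch"
        entry = self.devices.get(req["device"])
        if entry is None:
            return "REJECT:unenrolled-device"
        account, key = entry
        msg = canonical(req["atm"], req["nonce"], req["amount"], req["device"])
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, req["tag"]):
            return "REJECT:bad-tag"
        if req["amount"] > MAX_WITHDRAWAL_CENTS:
            return "REJECT:over-limit"
        self.spent.add(req["nonce"])
        return f"DISPENSE:{account}"


class PhoneApp:
    """One installed app instance holding its own provisioned key."""

    def __init__(self, device_id: str, key: bytes):
        self.device_id = device_id
        self.key = key

    def approve(self, qr: dict, amount_cents: int) -> dict:
        msg = canonical(qr["atm"], qr["nonce"], amount_cents, self.device_id)
        tag = hmac.new(self.key, msg, hashlib.sha256).hexdigest()
        return {"atm": qr["atm"], "nonce": qr["nonce"], "amount": amount_cents,
                "device": self.device_id, "tag": tag}


def demo() -> dict:
    """Runs the legitimate flow and the attacks discussed; returns each outcome."""
    clock = [1_000_000.0]                       # controllable clock for the expiry case
    backend = Backend(now=lambda: clock[0])
    alice = PhoneApp("alice-phone", backend.enroll("alice", "alice-phone"))
    results = {}

    qr = backend.new_session("ATM-0042")
    req = alice.approve(qr, 20_000)
    results["legit"] = backend.authorize(req)          # normal withdrawal
    results["replay"] = backend.authorize(req)         # same QR/tag presented twice

    qr = backend.new_session("ATM-0042")
    mallory = PhoneApp("alice-phone", secrets.token_bytes(32))   # knows the device id, not the key
    results["wrong_key"] = backend.authorize(mallory.approve(qr, 20_000))

    qr = backend.new_session("ATM-0042")
    req = alice.approve(qr, 20_000)
    req["amount"] = 40_000                             # amount changed after signing
    results["tampered"] = backend.authorize(req)

    qr = backend.new_session("ATM-0042")
    req = alice.approve(qr, 20_000)
    clock[0] += SESSION_TTL_SECONDS + 1                # QR left on screen too long
    results["expired"] = backend.authorize(req)

    # The enrollment weakness: with Alice's login, Mallory enrolls her own phone as Alice.
    mallory2 = PhoneApp("mallory-phone", backend.enroll("alice", "mallory-phone"))
    results["weak_enrollment"] = backend.authorize(mallory2.approve(backend.new_session("ATM-0042"), 20_000))
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:16} {outcome}")
```

The per-instance key stops replay, tampering and use of a phone that was never provisioned, which is the layer the paragraph above calls for. The last case in `demo()` shows what the key alone cannot do: once an attacker with the victim's credentials has enrolled their own device, the backend sees a perfectly valid, freshly keyed phone, so the enrollment step itself has to be gated by something stronger than a password.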
ATMs, of course, are operated not as cost-reduction tools but as profit centers for banks and independent owners. In this context, new technology is unlikely to be introduced until the old technology has been depreciated. With Windows XP retirement on the horizon and EMV upgrades required for all ATMs within the last 30 months, it will be a while before we see a complete shift to card-less ATMs. Rather, banks will most likely try to combine those upgrades so they can realize a greater return on their existing infrastructure investment.