There’s one sort of two-factor authentication (2FA) that almost all of us know very well, and use all the time.
That’s the 2FA at an ATM when you withdraw money.
The procedure is pretty much unchanged from the 1980s, when cashpoints first caught on.
You insert your card, which is something you have, and you type in your PIN, which is something you know, and then you can withdraw money.
As we know only too well, however, ATM cards can be skimmed, meaning that someone copies the data off your magnetic stripe and writes it onto another card that will work in place of yours.
In a way, that means that cash withdrawals are really only 1FA, protected by your PIN, because there may be multiple copies of your card floating around.
So, you may have wondered, especially if you’re a regular internet banker, why the ATM doesn’t add a stronger sort of second factor, for example by SMSing your phone a code that you type in after your PIN.
That would be great, wouldn’t it?
Heck, you wouldn’t even need to bother with your card, which would also reduce the chance of it being skimmed by a hidden magstripe reader at the ATM itself!
According to reports, US banks are starting to try out just such a system, starting with 2000 new “cardless” cash machines.
In fact, they’re going one step further, and getting rid of the PIN as well.
Well, sort of: there will be a PIN or password in the process, but you won’t type it in on the keypad at the ATM, where a crook could have hidden a tiny video camera to record the keys that you press.
How it works
As far as we can tell, the process will work like this:
- You open an app on your phone and request a withdrawal.
- Your financial institution replies with an authorisation, presumably in the form of a QR code.
- You “show” the authorisation code to a scanner on the ATM, and out comes the cash.
It’s an interesting idea, and we’ve already mentioned three benefits, namely: your card can’t get skimmed at the ATM; your PIN can’t get recorded by any hidden cameras; and the authorisation code is a one-time deal, so it can’t be re-used.
We assume you’ll be able to prepare your transaction a short while in advance, for example in a well-lit coffee shop close to the ATM, and then turn up and withdraw your money really quickly and without having to concentrate on the ATM’s user interface, for a much better sense of physical security.
(The banks in this trial are claiming 10 seconds per withdrawal, instead of 30 to 40 seconds with a conventional card-and-PIN withdrawal.)
Is it safe?
But there are some downsides to the idea, too.
Firstly, you’ll almost certainly be relying on a dedicated mobile app that approves irreversible financial transactions. (Once you do the withdrawal, there’s no way for either party to cancel the transaction: it’s not just “like cash”, it is cash.)
As we’ve seen in recent years, mobile apps have had a chequered history when it comes to security, especially when it comes to detecting an imposter in the chain of events, for example by not detecting that the app had connected to a fake version of the bank’s official site.
Secondly, given that mobile phones aren’t immune to malware, there’s a risk that a crook could subvert a transaction as you carried it out. (Imagine malware that could snap a screenshot of the QR code just before you used it, for a waiting crook to deploy at a nearby ATM.)
Thirdly, there’s an interesting new angle for muggers: ATMs will become places where potential victims not only get their mobile phones out, but also unlock them ready for use.
In other words, as well as hitting you up for the cash you’re withdrawing, they could end up with your phone, unlocked and ready to use for free calls or to sell on to a data thief.
What about you?
How will Americans take to this new sort of phone banking?
Would you use it if one of these 2000 new ATMs were in your neck of the woods?
LEARN MORE ABOUT 2FA
(Audio player above not working? Download MP3, listen on Soundcloud or access via iTunes.)
saxonrau
If they displayed the code on the lock screen as for boarding cards then you wouldn’t need to unlock the phone – that’s more secure because, let’s face it, you’re going to unlock the phone anyway at the ATM. As for security – it would make sense to only authorise a specific ATM, perhaps with a location code like parking apps use. Or I would have thought that using NFC would be simpler and more secure though, rather than a QR code. And you could use your NFC-enabled wearable if you own one…
Downsides? Well, I always (ALWAYS) want a receipt slip and I suspect I wouldn’t get one. I also wonder what happens if you request a sum and your designated machine doesn’t have enough? Presumably it would tell you when you book your withdrawal and suggest an ATM that does? I’m not even sure if that IS a down side, come to think of it…
Tony
Companies seem to focus mobile apps mainly on IOS or Android, what about those who use other devices…or don’t use ‘Smart’ phones at all?
Paul Ducklin
Use one of the other 9,998,000 ATMs, I suppose :-)
Sandra
Good enough if you happen to be near one of those. I would hope these machines would have both options. Some may be surprised to know that not everyone has an app-enabled phone or any phone at all.
John Knops
Exactly so. What if you don’t own a mobile phone, like me? Besides we have always had a system that didn’t need a card or a pin or a phone. It’s called a bank teller(ess). Although I must admit ATMs come in very handy when you’re travelling and don’t want to walk about with that enticing wad of cash in your pocket made up of 5 different currencies. If we are so concerned with ATM security, what about credit cards? They have the same, identical to the user, 2FA system.
Paul Ducklin
In most of the world except for the USA, you don’t swipe your card any more to make a purchase, so the card is a bit less clonable. (The magstripe doesn’t go near a reader during the transaction because ,in most PoS devices, just the chip part of the card is inserted and the rest of the card sticks out the end of the device.)
Ironically, having lived only in Chip and PIN countries over the past few years, every ATM I’ve used has required me to put the card into a slot where it is sucked in fully and then processed. Even if the ATM ends up reading the chip and not the stripe (I don’t know what happens inside the ATM mechanism), the ATM card reader itself is an ideal location for a skimmer.
The other huge difference between “why the concern over ATM security” considering that credit card security is similar or even weaker is “who pays.” Most ATMs contain cash that belongs to the bank, so if there’s a disputed transaction and you end up getting your money back, the bank carries the cost. In the case of a disputed credit card transaction, the bank doesn’t lose out, because the merchant wears the cost.
Mahhn
1. My phone broke/got lost/was stolen while on vacation, I can’t call home, can’t get cash for a cab even.
2. One of those thousand of hacked apps on iTunes/GooglePlay took over my banking info and drained my account.
3. like you said, they stole my phone while banking and now all is lost….
I like to carry cash, at least that’s all they will get, and CC fraud is MUCH more common than muggings. If you get mugged and they take your cards, you can most likely cancel them before real damage is done, since you know it….
I can hear the opposing – “but I want my miles/reward for purchasing” as if that makes up for the CC fees lol.
LonerVamp
+1 to this. What if my phone’s charge goes down? I don’t want to have to rely on yet another thing to be able to get money in an emergency/need, nor worry further that my phone has been compromised.
Larry Marker
I like saxonrau’s suggestion of putting the code on the lock screen and designating the specific ATM that will be used. If it worked that way, I’d probably use it. Otherwise not.
Dave Potts
Never have been able to understand why you couldn’t use your fingerprint as the second factor. It certainly is more secure than a PIN. Of course I guess a crook could cut off your finger.
Paul Ducklin
IIRC, Diebold is looking at an ATM that doesn’t have a keyboard or touch-screen at all – you show it the code and then use some biometric ID like retina or fingerprint.
LonerVamp
I’d prefer to touch a public ATM as little as possible…
Rocas
Ditto
ed horst
Also think people who work with their hands – dirt, cuts, scars, burns, etc. How would that affect matching vs. fingerprint on file.
mccart
hacked