Would you use an ATM that didn’t need a card…*or* a PIN?

There’s one sort of two-factor authentication (2FA) that almost all of us know very well, and use all the time.

That’s the 2FA at an ATM when you withdraw money.

The procedure is pretty much unchanged from the 1980s, when cashpoints first caught on.

You insert your card, which is something you have, and you type in your PIN, which is something you know, and then you can withdraw money.

As we know only too well, however, ATM cards can be skimmed, meaning that someone copies the data off your magnetic stripe and writes it onto another card that will work in place of yours.

In a way, that means that cash withdrawals are really only 1FA, protected by your PIN, because there may be multiple copies of your card floating around.

So, you may have wondered, especially if you’re a regular internet banker, why the ATM doesn’t add a stronger sort of second factor, for example by SMSing your phone a code that you type in after your PIN.

That would be great, wouldn’t it?

Heck, you wouldn’t even need to bother with your card, which would also reduce the chance of it being skimmed by a hidden magstripe reader at the ATM itself!

According to reports, US banks are starting to try out just such a system, starting with 2000 new “cardless” cash machines.

In fact, they’re going one step further, and getting rid of the PIN as well.

Well, sort of: there will be a PIN or password in the process, but you won’t type it in on the keypad at the ATM, where a crook could have hidden a tiny video camera to record the keys that you press.

How it works

As far as we can tell, the process will work like this:

  • You open an app on your phone and request a withdrawal.
  • Your financial institution replies with an authorisation, presumably in the form of a QR code.
  • You “show” the authorisation code to a scanner on the ATM, and out comes the cash.

It’s an interesting idea, and we’ve already mentioned three benefits, namely: your card can’t get skimmed at the ATM; your PIN can’t get recorded by any hidden cameras; and the authorisation code is a one-time deal, so it can’t be re-used.

We assume you’ll be able to prepare your transaction a short while in advance, for example in a well-lit coffee shop close to the ATM, and then turn up and withdraw your money really quickly and without having to concentrate on the ATM’s user interface, for a much better sense of physical security.

(The banks in this trial are claiming 10 seconds per withdrawal, instead of 30 to 40 seconds with a conventional card-and-PIN withdrawal.)

Is it safe?

But there are some downsides to the idea, too.

Firstly, you’ll almost certainly be relying on a dedicated mobile app that approves irreversible financial transactions. (Once you do the withdrawal, there’s no way for either party to cancel the transaction: it’s not just “like cash”, it is cash.)

As we’ve seen in recent years, mobile apps have had a chequered history when it comes to security, especially when it comes to detecting an imposter in the chain of events, for example by not detecting that the app had connected to a fake version of the bank’s official site.

Secondly, given that mobile phones aren’t immune to malware, there’s a risk that a crook could subvert a transaction as you carried it out. (Imagine malware that could snap a screenshot of the QR code just before you used it, for a waiting crook to deploy at a nearby ATM.)

Thirdly, there’s an interesting new angle for muggers: ATMs will become places where potential victims not only get their mobile phones out, but also unlock them ready for use.

In other words, as well as hitting you up for the cash you’re withdrawing, they could end up with your phone, unlocked and ready to use for free calls or to sell on to a data thief.

What about you?

How will Americans take to this new sort of phone banking?

Would you use it if one of these 2000 new ATMs were in your neck of the woods?


(Audio player above not working? Download MP3, listen on Soundcloud or access via iTunes.)