Three major banks, JPMorgan Chase, Bank of America, and Wells Fargo, are looking to roll out contactless bank machines in an effort to eliminate losses related to skimming fraud as well as move towards a more cohesive mobile payment strategy. Contactless banking with a mobile phone uses the same NFC technology that’s used in tap-and-go bank and credit cards. Customers would be able to use their mobile phone to communicate with the bank machine and then use a PIN to verify the transaction.
Skimming has become an increasingly common and lucrative tactic for scammers, who have spent a great deal of time creating devices that either piggyback on or outright replace legitimate point-of-sale terminals. While retailers have started to catch on thanks to several high-profile cases (either malware installed on machines or devices attached to existing ones), other businesses like banks, convenience stores and hotels are seeing a surge in these sorts of scams. For ATMs in particular, skimming is the most common attack. ATMs are mostly unattended, making them easier targets for tampering than the individual POS machines a merchant uses, which in theory are more carefully watched.
EMV is another technology being deployed to fight fraud, and skimming in particular. The mag-stripe on credit and debit cards was the backbone of pre-EMV authentication but was easily captured by compromised POS machines. Skimmed card data could either be used on websites or stamped onto physical cards and used in stores. The new EMV cards are much harder to crack, so long as the full chip-and-PIN system is used. EMV cards were mandated by issuers, with merchants that use POS machines on the hook for their implementation and usage as part of the EMV liability shift last October. However, ATMs and self-service gas pumps don’t face the shift until October 2017. That’s nearly two years of continued vulnerability for these mostly unattended machines, and for their customers as a result.
Ongoing vulnerabilities due to implementation delays and inconsistent use are sadly par for the course when it comes to EMV adoption. Many merchants are choosing not to move to the new terminals until their older, non-EMV models need replacing. Software upgrades, which require considerably more complex code, are not yet available for all firmware models. In some cases, even when merchants have up-to-date software and firmware, they want to shift the burden of teaching customers how the new technology works onto someone else in order to avoid slower lines at checkout. On top of that, the US is at a unique disadvantage: while other countries have already adopted EMV, weathered its bumps and moved on to adopting contactless payments, the US market is essentially implementing both at the same time.
Patchy adoption rates and customer confusion only serve the interests of fraudsters. They will leverage inconsistencies, exploit vulnerabilities, and wedge their way into consumers’ pockets. And with contactless banking and payments, that might not even be a metaphor. A photo taken in Russia went viral this week, showing a man with a cordless payment card reader on a bus. Many believe he was using the device to virtually pickpocket other riders with NFC-enabled cards. Most card issuers, in order to speed up the transaction, allow automatic authorization for a purchase with only a tap, no PIN required, under a certain threshold. Security experts have tested this strategy and proved it can work.
We’re basically at the same place we were before EMV and contactless payments: a security measure that relies on having an object and knowing a piece of information. The skimmers built by fraudsters are increasingly complex and sophisticated; it’s only a matter of time before that same ingenuity is used to break into or cover over the contactless payment technology in ATMs. This kind of physical two-factor authentication is a slightly better version of regular mag-stripe cards, but so long as merchants don’t implement the technology consistently and shy away from educating consumers, our security issues remain mostly unchanged.