
Can smartphones solve ATM skimming?

... or do they have their own particular vulnerabilities that might present a new avenue for hackers?

December 10, 2015

Damien Hugoo, director of product management, Easy Solutions

ATM skimming remains a big business for organized crime rings. According to a recent article in ATM Marketplace, card skimming accounted for more than $2 billion in losses.

One new approach that banks are exploring to mitigate this particular vector of fraud is the notion of using smartphones as a second factor of authentication since most people always have their phone with them.

But the question remains: Can smartphones solve the growing problem of skimming or do they have their own particular vulnerabilities that might present a new avenue for hackers?

Perhaps the biggest problem is perception. Consumers remain largely unaware of the issue of card skimming and even those who are mindful of the risk don't believe they are liable for potential losses.

Thus, if banks are truly interested in using mobile phones as a primary form of authentication for ATMs, they will need to sell their customers on a better, more secure user experience. And that will surely be a tough sell, as a typical fast withdrawal currently takes between 15–20 seconds — it's hard to imagine that a mobile phone that requires some form of two-factor authentication or a QR code scan will be faster or easier than entering a four-digit PIN.

Security and mitigation of losses from skimming ultimately will be what banks care about most. And we would argue that the risk profiles of the two are not all that different. Because mobile devices are more prone to being lost or stolen, a compromised phone linked to a bank account can potentially be used as a gateway to access cash from an ATM.

Banks that are keen on implementing a cardless ATM solution will need to strengthen or review their enrollment process as attackers can register fraudulently for mobile banking as a different user, giving them the ability to steal cash.

Even with biometric measures such as Apple's TouchID fingerprint authentication, an attacker can simply register their phone with different user credentials since TouchID serves only as a local validation of the fingerprint (the ATM or bank is not validating a fingerprint, just the phone itself).

Another disadvantage of the mobile phone as a card replacement is the use of QR codes, instead of the more flexible NFC, HCE or Bluetooth standards.

When mobile-ATM solutions were initially designed by vendors three years ago, NFC was not supported by Apple. Consequently, vendors decided not to invest in NFC and opted instead for QR codes, which are plagued with a variety of user experience issues.

No doubt, if vendors had to make a decision today on which technology to use, they would never choose QR codes. Thus we are forced to use QR codes instead of a superior user experience with NFC or Bluetooth to establish a handshake between the phone and an ATM.

But that is just one issue with QR codes. Authentication via a unique QR code (which signals the ATM to dispense cash) is conducted via an encrypted connection to the cloud. If the cloud itself is compromised, then a thief could potentially withdraw cash from every ATM supporting the mobile solution. The compromised phone now serves as an open front door to the entire ATM network — a vulnerability that simply does not exist with ATM cards.

Of course, no solution is completely secure, which is why we at Easy Solutions advocate for implementing a layered security approach — the only true way to mitigate the risk of fraud.

If mobile phones eventually do become a proxy for getting cash, banks will need to be more vigilant about monitoring the behavior of customer phones, which represents a serious privacy concern.

Starting with encryption and keys unique to each phone app instance would make the solution much more difficult to hack, since the phone presented at the ATM would need to hold the same key as the enrolled app instance. Such a per-instance key is much more difficult to obtain via malware than a reusable credential.
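To make the per-instance key idea concrete, here is an added illustration (not Easy Solutions' or any vendor's code) of the QR handshake described above: the ATM issues a one-time challenge, the app instance answers it with an HMAC under its own enrollment key, and the bank only dispenses when the tag verifies, the challenge is unexpired and the nonce has not been seen before. The enrollment store, the challenge format and the use of HMAC-SHA256 are assumptions made for this example.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed enrollment store: instance_id -> key minted at enrollment (assumption).
ENROLLED = {}
# Nonces already redeemed; a second presentation of the same QR challenge is a replay.
USED_NONCES = set()


def enroll(instance_id):
    """Bank side: bind a fresh random key to one app instance at enrollment."""
    key = secrets.token_bytes(32)
    ENROLLED[instance_id] = key
    return key


def atm_challenge(atm_id, amount_cents, now=None):
    """ATM side: the content encoded in the QR code, valid for 60 seconds."""
    now = time.time() if now is None else now
    return {"atm": atm_id, "amount": amount_cents,
            "nonce": secrets.token_hex(16), "exp": now + 60}


def _canonical(challenge):
    # Stable serialization so phone and bank MAC exactly the same bytes.
    return json.dumps(challenge, sort_keys=True, separators=(",", ":")).encode()


def phone_respond(instance_id, key, challenge):
    """Phone side: prove possession of the instance key over this exact challenge."""
    msg = _canonical(challenge) + instance_id.encode()
    tag = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return {"instance": instance_id, "challenge": challenge, "tag": tag}


def bank_verify(response, now=None):
    """Bank side: returns (dispense?, reason). Only a valid, fresh, unreplayed tag dispenses."""
    now = time.time() if now is None else now
    challenge = response["challenge"]
    key = ENROLLED.get(response["instance"])
    if key is None:
        return False, "unknown instance"
    if challenge["exp"] < now:
        return False, "expired"
    if challenge["nonce"] in USED_NONCES:
        return False, "replay"
    expected = hmac.new(key, _canonical(challenge) + response["instance"].encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, response["tag"]):
        return False, "bad tag"
    USED_NONCES.add(challenge["nonce"])
    return True, "dispense"
```

A phone that knows the victim's instance id but not the key (the L28 scenario of registering a different phone) fails at the tag check, and a captured QR response fails on replay.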

Of course ATMs are operated not as cost reduction tools, but as profit centers for banks and independent owners. In this context, new technologies are less likely to be introduced until the old technology is depreciated.

With EMV technology upgrades to complete before the pending liability shifts by MasterCard and Visa, it will be a while before deployers make a complete shift to cardless ATMs.

Damien Hugoo is a technology professional with 10 years of experience in creating, building and deploying digital software products for the financial services industry. He serves as director of product management at Easy Solutions, where he plays a key role in the creation of innovative and comprehensive fraud prevention and detection solutions.

This article originally appeared at banking.com.
