It's time to redesign card technology for ATMs
by Eric de Putter, Managing Partner and Co-founder, Payment Redesign Ltd.
The oldest challenges in the ATM industry are the security of cash inside the machine and the guarantee that the withdrawer is genuine.
Whereas the magnetic stripe has been used for a long time, EMV chip and PIN is now commonplace in the ATM industry for withdrawals in the U.K. and Europe. But the fact that EMV is not truly global as yet means that fraud can continue to take place.
Retail Banking Research reports that nearly 10 percent of all European ATMs are EMV-enabled, but only 60 percent of the ATMs in the rest of the world are.
This means that fraudsters can still copy the magnetic stripe of European cards and withdraw cash at non-EMV ATMs using the legitimate cardholder's stolen PIN.
The European ATM Security Team reports 240 million euros ($261.4 million) in annual skimming-related losses for European issuers, 90 percent or more using the method described above — skimming European cards and using counterfeit cards in non-EMV ATMs.
EMV endorsement in the U.S. has resulted in global liability shifts, allowing card issuers to charge back fraudulent use of skimmed cards, which will reduce Europe's annual skimming losses.
At the same time, the industry needs to be mindful of other attacks and compliance processes.
Scientists at the University of Colorado found that a thermal photo can reveal a PIN up to 45 seconds after card use, simply through the transfer body heat from the finger to the keypad.
Various sources identify card-trapping as another threat. In this attack fraudsters manipulate ATM card readers so that they retain the card and return it to the criminal rather than to the genuine cardholder.
There have been various pilots with NFC and mobile technology, both of which can solve the problems of card skimming and card trapping.
During 2013, an estimated 450 million NFC cards were shipped. Additionally, the current base of 800 million mobile banking users is expected to double within five years, driving the growth of alternative payment technologies.
The benefits from NFC are immediately clear; not having to insert a card means not only faster transactions, but also:
- no opportunity to skim the card's magnetic stripe; and
- no opportunity for card trapping.
Mobile technology offers a set of advantages that go over and above NFC:
- as a smartphone has a screen, memory and on-board communication methods, the ATM user can actually start the transaction while queuing, using stored preferences (i.e., amount, receipt type, and special, disability-related needs); and
- smartphone users can authenticate themselves through the device, via fingerprint or password, making attacks involving PIN interception anywhere between increasingly difficult and totally impossible.
Security and increased convenience
The ATM industry can start to benefit from the banks' drive to implement new technologies. The majority of cards in the U.K. will soon be chip-enabled and the uptake of mobile banking is high.
With the arrival of apps such as Zapp, consumers will become increasingly familiar (and comfortable) with the idea of using a phone for payments.
Both of these technologies —card-based and mobile-based — also offer more convenience and more security for ATM transactions.
The bottom line
In the absence of any concrete sunsetting date for the magnetic stripe on payment cards, the ATM industry would do well to look beyond EMV and assess the suitability of mobile and NFC as security methods.
This is especially true given that both technologies also offer great improvements of the consumer, including the ability to store transaction preferences, and to complete transactions in less time.
Admittedly, there are hurdles along the road. These include the need to change the industry mindset that NFC and mobile are competitors with cash; to position the technologies as genuine security solutions for the ATM industry; to increase the security of the mobile device; and to develop standards for the interaction of smartphones and ATMs.
Eric de Putter is co-founder and managing partner at Payment Redesign Ltd., a boutique consultancy in the payment industry with specialized expertise in associate partner selection and commercial strategy. He is also an executive advisor to Paymint AG, a German company that provides business and technical support for the entire payment value chain. De Putter has spent 20 years in the payments and cards industry and has previously worked at Evry ASA, VocaLink and Visa Europe.