Security: The key to consumer acceptance of cardless ATMs

by Mike Lynch, Chief Strategy Officer, InAuth

Many major financial institutions are innovating with cardless ATM capabilities that allow consumers to withdraw cash using mobile devices instead of plastic cards to authenticate themselves and initiate transactions.

Financial institutions view cardless ATMs as a way to improve convenience by eliminating the need for people to carry and replace easily lost or stolen cards, and also to reduce the cost to the institution of continual card replacement.

While cardless ATM technology is not new, its growing acceptance is being facilitated by new innovations in mobile payments technology in general.

Threats to cardless ATM acceptance

Currently, consumer demand for cardless ATMs is relatively low. For its ATM Future Trends 2017 report, ATM Marketplace surveyed U.S. consumers about the top three services they'd most like to see available at the ATM. Only 14 percent selected cardless ATM access.

One key to improving cardless ATM acceptance among consumers is to build trust and comfort by ensuring that best-in-class security measures are in place. As with any emerging technology, early instances of fraud resulting in hard-dollar losses and reputational damage are already occurring as fraudsters rush to exploit security loopholes before they're patched.

In one early instance of cardless ATM fraud, a bank customer was defrauded of $3,000 when cybercriminals gained access to her mobile banking login credentials, which they then used to register a new mobile device for cardless ATM access.

As the mobile device takes on an increasingly high-profile role in facilitating financial transactions of all types, organizations must focus on the device itself as the central component of security.

And while early adopters have taken varying approaches to implementing cardless ATMs, some transactions still unfortunately rely on less secure username and passcode protocols, as well as one-time passcodes, which can easily be intercepted and exploited by fraudsters.

A lack of insight into potential vulnerabilities, pressure to be first to market, and never-ending market demands to decrease costs, improve operational efficiency and enhance customer engagement often clash with the time and expense involved in implementing rigorous security standards and solutions.

However, organizations must ensure that innovations such as cardless ATMs are implemented from the onset with the latest security advances available, in order to mitigate against fraud and, in turn, establish the trust essential to facilitating consumer acceptance.

Without this level of trust, consumer apathy toward cardless ATMs — combined with scrutiny of digital security in the press — threaten to hinder adoption of emerging mobile payments technology.

Improve trust and increase demand for cardless ATMs

Fortunately, robust security solutions currently exist to help authenticate end users. Additionally, devices that use multifactor authentication to transact can also enable a positive user experience.

By implementing these high-tech security solutions in combination with sound operational policies and procedures, financial institutions can mitigate the risk of fraud at cardless ATMs, as well as improve consumer confidence in the technology to increase demand.

For example, a mobile fraud prevention solution with real-time decisioning provides the ability to detect many different types of risks inherent in mobile access to ATM transactions. The ability to thwart attacks on the device before it transacts with the bank helps reduce friction for customers, while still providing superior security.

Real-time decisioning capabilities help eliminate points of friction in the security flow for good consumers, while providing FIs the ability to flag suspicious access attempts for additional scrutiny.

Also, instituting MFA to authenticate users by leveraging advances in mobile biometrics capabilities is a more secure way to establish the identity of their customers.

Built-in mobile biometrics can reduce reliance on username and password protocols — and consumer acceptance of fingerprint biometric identification, for example, is already high.

However, stronger methods for identifying users are not enough on their own for optimizing mobile transaction security. A truly comprehensive mobile security strategy must also consider the security of the device on which the biometric operates.

A solution that establishes a permanent device ID is one way to identify a device using its unique attributes to uncover and analyze risk factors to establish the first layer of trust for cardless ATM access.

Organizations should use risk detection capabilities that detect evidence of malware, malicious and corrupted applications, emulators, GPS spoofers, device spoofers, key loggers, SMS forwarders and other fraud tools used by criminals to hijack accounts and defraud customers.

Once device trust has been established, financial institutions can confidently allow good customers to transact with minimal friction. At the same time, they can better identify devices with high-risk indicators so they can be challenged or denied outright.

Cardless ATMs represent the latest wave in mobile payments evolution. The technology is poised to provide unparalleled convenience for consumers, as well as cost-savings and enhanced efficiency for financial institutions. But for it to gain traction, financial institutions must ensure that they are providing customers a secure experience.

Getting ahead of the security curve now can have a profound effect on the proliferation of cardless ATM technology and will go a long way toward fostering consumer acceptance and trust.

Michael Lynch is chief strategy officer at InAuth (www.inauth.com/), with responsibility for developing and leading the company's new products strategy, and for developing key U.S. and international partnerships. Lynch brings two decades of experience in key roles within financial services, consulting, and Fortune 500 companies, specializing in security and technology leadership.