Major banks are unveiling teller machines across the country that customers can gain access to with their phones. But the technology raises new security issues.
Wallets can be lost, stolen or forgotten, but most people today wouldn’t be caught dead without their phones.
Banks understand, and are grabbing on to that trend. Customers who don’t want to fumble around in their wallet for their A.T.M. card — or who have misplaced it for the umpteenth time — will soon be able to unlock cash dispensers’ coffers by using their phone.
JPMorgan Chase, which has more A.T.M.s in the United States — 18,000 — than any other bank, has activated this technology on a few hundred machines in four test cities, including Miami and San Francisco. Six thousand more are already upgraded and ready to go.
Bank of America and Wells Fargo plan to introduce cardless options to all their machines by the end of the year. And while swiping an A.T.M. card may not exactly seem onerous, bankers think going card-free will be a hit with consumers.
“It’s about having the choice,” said Jonathan Velline, Wells Fargo’s head of A.T.M. and branch banking. “If you’ve lost your card or left home without your wallet, chances are you still have your smartphone in your hand.”
But of course, any new financial technology brings with it new security holes.
For decades banks have battled “skimming,” in which criminals sabotage A.T.M.s to steal the information off a card and use it to clear out people’s accounts. The replacement of magnetic stripe cards with chip cards significantly reduced that problem, but mobile access brings in new worries.
One Chase customer recently had $2,900 stolen from her account through the bank’s new cardless system — which she had never used. A thief got her online banking user name and password, installed Chase’s mobile app on his or her phone, and used it to withdraw cash. Unlike most cardless systems, Chase’s does not require customers to enter their four-digit PIN at the cash machine.
Chase refunded the customer’s lost money and immediately made security changes. “We’ve put safeguards in place to protect our customers,” said Michael Fusco, a Chase spokesman. The bank’s system still does not require PINs, but Chase is confident it can now detect and prevent similar attacks, he said.
Other banks have fared better, and say their fraud rates on mobile A.T.M. transactions are significantly lower than those for traditional card-swipe withdrawals.
Wintrust Financial, which operates community banks in Illinois and Wisconsin, added cardless access to all its 250 cash machines nearly three years ago. Thanks to multiple layers of security, there has been no fraud so far, said Thomas P. Ormseth, a senior vice president at the bank. (“Knock on wood,” he added.)
How the mobile systems work varies from bank to bank — and sometimes, even within one bank.
Most of the major banks are using a technology called near-field communications (known as N.F.C.), which enables devices to exchange information wirelessly over short distances. Modern smartphones usually contain an N.F.C. chip, which is used for many mobile payment systems, including Apple Pay and Android Pay.
At Bank of America, customers with compatible phones and a digital wallet app can tap their phone on the cash machine’s wireless pad to authenticate their identity. From there, customers enter their personal identification numbers and carry out transactions in the usual way.
Wells Fargo is also testing N.F.C. and adding the hardware it requires to all of its cash machines. But in the meantime, it has a simpler approach: one-time access codes. Customers can log in to Wells Fargo’s mobile app and request one, which is good for 30 minutes. At the 900 Wells Fargo A.T.M.s that are set up to accept the codes so far, the customer types in the code and then their PIN to withdraw cash.
Mobile A.T.M. transactions are usually at least a little bit faster than traditional ones, banks say — sometimes significantly so. Wintrust’s system, which lets customers set up their withdrawal in advance on their phone and simply scan a QR (quick response) code when they get to the machine to get their cash, cut its average transaction time to about 10 seconds from 45, Mr. Ormseth said. Around 17 percent of the bank’s customers have used the technology at least once.
Some banks have gone further and let customers ditch even their phones. With biometrics, a unique body part is enough to unlock cash.
At Banco Bradesco, one of Brazil’s largest banks, customers can gain access to an A.T.M. by tapping their palm on a scanner, which reads the pattern of their veins. (The system handled more than 700 million transactions without any reported fraud, according to Fujitsu, which built the technology.) Banks in Japan, India and elsewhere have used fingerprints for authentication.
Citibank experimented two years ago with an iris-scanning A.T.M., showing off a prototype at a trade show. The reaction was everything the bank had hoped for: “People’s jaws dropped,” said Mark Gilder, Citibank’s director of A.T.M. distribution in the United States. “They thought it was magical. You just had to look at the machine, and money would come out.”
Then reality set in. A compromised bank card can be reissued. If a hacker figures out how to imitate someone’s eyeball — which has been done in laboratory settings — it can’t be replaced. For that and other reasons, Citibank shelved its iris scanner, for now.
It is also taking a wait-and-see approach to cardless A.T.M.s.
“We want to be ready when people no longer carry cards and leave their wallets at home, but that timeline is developing more slowly than perhaps we thought it would a few years ago,” Mr. Gilder said.
This year, though, could be a tipping point.
About 2.5 percent of the 425,000 A.T.M.s in the country are currently set up for cardless access, according to an estimate from Crone Consulting, which researches the payments industry. By the fall, it expects that number to rise to 25 percent.
As with mobile wallets, technical hurdles may hamper customer enthusiasm. People will generally need to install their bank’s mobile app on their phone, and each major bank is setting up access for only its own customers. So, for example, a Chase customer will not be able to pop into a Bank of America branch and withdraw money using a mobile phone.
That is likely to change eventually. In the early days of A.T.M.s, networks were independent and isolated; now customers take it for granted that their cards will work at nearly any machine.
The biggest opportunity in cardless access will come as it expands to financial services beyond traditional bank accounts, said Richard Crone of Crone Consulting.
“Think of things that don’t have cards issued against them, like money market accounts or Venmo,” he said. “Unlocking cash access to those accounts would be a really big deal.”
Venmo, the digital payment system of choice for many millennials, is owned by PayPal. Giving PayPal and Venmo customers direct access to their money through A.T.M.s is not currently in the works, but it “isn’t something I would rule out,” said Chris Gardner, the product head for PayPal’s mobile wallet software.
Even if mobile wallets finally take off and phones replace debit and credit cards, there are still times — even for millennials — when only old-fashioned cash will do.