Cardless ATMs will improve security of cash withdrawal

A unit of Canada’s Bank of Montreal will launch on Monday its network of cardless ATMs, a technological innovation to improve users’ security.

Recently we have discussed different kinds of attacks against ATM machines, the majority of which were conducted by exploiting hardware skimming.

Black box attacks and malware based attacks are a few sample of methods recently observed by security firms.

On the other side, financial institutions are trying to improve security of their services, the most popular countermeasure is based on the distribution of secure credit and debit cards using microchips to avoid card cloning.

Despite the level of security offered by Chip-and-Pin cards is considered very high, recently a group of researchers has demonstrated the feasibility of pre-play attack against this category of cards.

The Wall Street Journal revealed that the BMO Harris, a unit of Canada’s Bank of Montreal, will launch on Monday its network of cardless ATMs. The new generation of ATM allows bank customers to withdraw cash using their smartphones. BMO Harris is the first bank to offer cardless cash withdrawal technology to its users.

The Mobile Cash service will be available on 750 ATMs across the US, but the Wall Street Journal anticipated that the number of the ATMs will pass to 900 by June. Considering that BMO Harris Bank has more than 1,300 ATMs, the innovation proposed by the bank represents a significant effort to protect its customers.

To withdraw cash users need to sign into a mobile banking app dubbed “Mobile Cash“, hold their smartphones over the QR code on the ATM screen and get the money. According security experts of the banking industry, cardless cash withdrawal technology speeds up transactions and reduce the risk of frauds because no card information is stored on the mobile device.

Resuming, an attacker needs to steal the victim’s mobile device and have to know his password in order to carry on a card fraud.

“This particular program offers a lot of benefits for our customers, both in terms of convenience and security. We think it’s going to be something that our customers just find extremely exciting as they use their mobile phones more and more for financial transactions, and frankly, their everyday lives.”

The process of cash withdrawal, also reported by TheHackerNews, in composed by the following steps:

Download the digital banking app, Mobile Cash.
Sign into the Mobile Cash app
The app will ask you to Enter the amount you want to withdraw
The app will store the info until you get to the ATM
At the ATM, select a “Mobile Cash” option on the ATM screen
A quick response code, or QR code, will appear on the screen. Scan the QR code via your smartphone.
Collect your cash. That’s it.

A further defense mechanism consists is the possibility to remotely delete the app if the device is stolen or lost.

Let’s see how the banking industry will accept the innovation.

Pierluigi Paganini

(Security Affairs – ATMs, banking)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.