Personal Finance

Cardless ATMs are clever, but you still may get ripped off

Key Points
  • Wells Fargo installed cardless ATMs in 13,000 locations earlier this year.
  • A major challenge for banks is educating consumers on protecting their information.
Bank of America entering the cardless ATM competition

At some major banks, you no longer need to have your debit card in hand to use the ATM. But that won't necessarily protect you from fraudsters.

Several financial institutions have introduced smart ATMs to their branches in recent months. The cardless ATM sends a code to the consumer's phone via the bank's mobile app. By entering that code at the ATM, the customer can access his or her bank accounts.

Wells Fargo set up 13,000 cardless ATMs this year. "We place significant efforts to ensure our online and mobile channels are secure, and we are continuously enhancing our controls," Lauren Terreros, associate vice president of corporate communications at Wells Fargo, said about the bank's smart ATM efforts.

JPMorgan Chase also said it's testing cardless ATMs in 600 locations with plans to roll them out more widely next year. Bank of America is also reportedly following with its own cardless program.

Experts say the move to smart ATMs makes sense as consumers use digital wallets that let them pay via their phone. And by taking cards out of the equation, banks effectively take away the risk of skimming — where thieves use devices to capture debit card information at ATMs, to make fraudulent cash withdrawals.

No matter what system is used to identify people, there'll always be a flaw.
Ryan O'Leary
vice president of WhiteHat Security

But a move to mobile introduces new threats that could be more challenging to tackle, said Ryan O'Leary, vice president of WhiteHat Security, a provider for securing web applications.

"No matter what system is used to identify people, there'll always be a flaw," he said. "When taking away skimming, you now have an issue with people gaining access to your account or device through finding your username and password.

"The threat has shifted from [magnetic stripes] to the mobile device itself," O'Leary said.

Bank customers may also have difficulty proving fraud.

"It might be a lot more difficult to get your money back because you're trying to prove something that [banks] thought was bulletproof," O'Leary said.

Protecting yourself comes down to being aware of security threats. Take steps to keep your data safe (see infographic below).

A Wells Fargo ATM featuring the “Use an Access Code” button.
Source: Business Wire

Here are three more moves to keep banking details on your phone secure:

1. Install anti-malware

Android phones are particularly vulnerable to mass malware problems, said Rob Ragan, managing security associate at Bishop Fox, a security consultant service. With people using phones and computers interchangeably, installing anti-malware provides the "first-line of defense" for your device.

2. Use trustworthy apps

Be cautious about which payment or money management apps you trust with your banking information. Spend time researching, looking at reviews, and reading their privacy and security policies to spot any potential vulnerabilities, said Gary Davis, chief consumer security evangelist at McAfee, the computer security software provider.

Avoid downloading apps from sources outside of official mobile app stores such as Google Play or the ITunes App Store, said Paul Stephens, director of policy and advocacy at the Privacy Rights Clearinghouse, a nonprofit corporation focused on consumer information and consumer advocacy. Leaving those channels could make users vulnerable to security breaches.

3. Consider biometric authentication

Many apps already utilize two-factor authentication, but if your device is already compromised, two-factor authentication can easily be bypassed, Stephens said. Take advantage of mobile verification features that use your fingerprint, or less commonly, a scan of your iris or facial features.