What's the deal with enhanced ATMs?

Two developments in ATM technology have made waves in the first few months of this year. Let’s take a look at what banks and hardware vendors have in store for us.

Mobile cash access

Bang on the mobile trend, three large US banks are supplementing their fleets with so-called eATMs. These cash machines require no cards. Instead, users interface with them through a mobile app.

JPMorgan Chase has successfully trialed the new ATMs in 156 branches in New York City, and will now begin deploying them in the rest of the United States. The main advantage of the Chase eATMs is that they will allow a higher withdrawal limit ($3,000) than standard ATMs ($500–$1000). This promises to save in-branch teller costs. Wells Fargo is developing eATMs that will allow customers to withdraw up to $4000 in a single transaction. Bank of America has started deploying eATMs in Silicon Valley, San Francisco, Charlotte, New York, and Boston, with roll-outs following in other cities later in 2016.

eATMs are not entirely novel. Chicago-based BMO Harris (a subsidiary of the Bank of Montreal) has already used smartphone technology at its 750 ATMs for about a year. What’s new is the massive scale of this year’s deployments: Wells Fargo is planning to have mobile capability at 5 000 ATMs – 40 percent of the fleet – by the end of the year.

With their longer, flatter screens, eATMs certainly look innovative and impressive. Yet if they aren’t implemented in a considered way, they won’t offer much in terms of security. If the ATM requires the user to pre-authorize a transaction on their mobile phone and then enter into the machine an SMS OTP that was sent to the same phone, the transaction is only protected by a single factor of authentication (something the user has), because both steps depend on that one device. If a QR code is displayed on the ATM screen and the user has to scan this with their mobile phone, this act does not constitute a second factor of authentication either: the scan again shows only that the same phone is present.

Two sides to the story

Biometric ATM technology seems to be doing well, with banks scrambling to get in on the state-of-the-art action. KBV Research predicts that the global market for biometric ATMs will be worth $1.96 million by 2022 if it continues to grow at its current rate – a 40 percent increase in value between now and then. The popularity of the biometric ATM can be ascribed to its improved security potential over ordinary ATMs that just require a single factor of authentication: the traditional PIN (something the user knows). The requirement of biometric identification (something the user is) adds another factor of authentication.

While the idea is certainly futuristic, using biometrics to authenticate ATM transactions doesn’t save the user time, and may even lead to inconvenience. According to Niel Bester, Entersekt’s head of operations, “PINs and passwords are frequently compromised on the Internet, but they work well on security-controlled channels like ATMs and point-of-sale devices. If, under duress or otherwise, a person’s PIN or password is stolen, it can always be updated – but a compromised biometric factor like a fingerprint is much harder to revoke, and cannot necessarily be replaced.”

There’s no denying that most banking consumers have their mobile phone with them at all times, making it a very useful instrument for banking activities – in particular as a second factor of authentication. The same goes for a fingerprint or iris. But unless an alternative offers stronger security and greater ease of use, which biometric ATMs and eATMs on their own do not, there is no likelihood of the humble chip-and-PIN card being superseded at the ATM any time soon.