Recently we have discussed different kinds of attacks against ATM machines, the majority of which were conducted by exploiting hardware skimming.
On the other side, financial institutions are trying to improve security of their services, the most popular countermeasure is based on the distribution of secure credit and debit cards using microchips to avoid card cloning.
Despite the level of security offered by Chip-and-Pin cards is considered very high, recently a group of researchers has demonstrated the feasibility of pre-play attack against this category of cards.
The Wall Street Journal revealed that the BMO Harris, a unit of Canada’s Bank of Montreal, will launch on Monday its network of cardless ATMs. The new generation of ATM allows bank customers to withdraw cash using their smartphones. BMO Harris is the first bank to offer cardless cash withdrawal technology to its users.
The Mobile Cash service will be available on 750 ATMs across the US, but the Wall Street Journal anticipated that the number of the ATMs will pass to 900 by June. Considering that BMO Harris Bank has more than 1,300 ATMs, the innovation proposed by the bank represents a significant effort to protect its customers.
To withdraw cash users need to sign into a mobile banking app dubbed “Mobile Cash“, hold their smartphones over the QR code on the ATM screen and get the money. According security experts of the banking industry, cardless cash withdrawal technology speeds up transactions and reduce the risk of frauds because no card information is stored on the mobile device.
Resuming, an attacker needs to steal the victim’s mobile device and have to know his password in order to carry on a card fraud.
“This particular program offers a lot of benefits for our customers, both in terms of convenience and security. We think it’s going to be something that our customers just find extremely exciting as they use their mobile phones more and more for financial transactions, and frankly, their everyday lives.”
The process of cash withdrawal, also reported by TheHackerNews, in composed by the following steps:
A further defense mechanism consists is the possibility to remotely delete the app if the device is stolen or lost.
Let’s see how the banking industry will accept the innovation.
(Security Affairs – ATMs, banking)