US Banks To Test ATMs Which Accept Your Smartphone Instead Of Cards

Dozens of banks in the US are updating their ATMs, or installing new ones, in order to allow customers to withdraw cash without using bank cards. A new cardless system will be rolled out at around 2,000 cash machines across the US, operated by at least 28 banks, including giants like Wells Fargo, Bank of America and Chase. Under the new system, people can order cash on an app on their phone, and then scan a code at the ATM to receive their money, all without inserting a card or entering a PIN. The developers of the system insist that smartphone technology makes for faster and more secure transactions. More banks are expected to adopt the technology soon.

Sounds a bit sketchy...

[Frosty+Piss]

I'm not really technically competent to make a valid argument against this, but my "gut" says... No! Maybe I'm just an ignorant Luddite that longs for my black rotary phone, but my uneducated imagination flows over with ideas and visions of how wrong this could go. My new ATM card has a chip, I'll stick with that for the time being.

Re:Sounds a bit sketchy...

I'm betting it's that the banks see some sort of additional revenue stream from doing this. Maybe they think they'll get higher overdraft fees by making withdraws easier to screw up? Without the phone maybe liability lies with customer not bank, since without a PIN the customer has less of a case to claim it wasn't them who made the withdrawal?

Re:Sounds a bit sketchy...

[unrtst]

Agreed. If the summary is to be believed, then it would be possible to:
* use app to order up cash and show the QR code
* take a pic of it with another phone (or screenshot and send it, or print it, etc)
* have someone else go pick up that cash

That almost sounds convenient, but it also means anyone that can scan that QR code from any of the many cameras that are everywhere, could re-generate the QR code and go snag your cash. It would also be a way to steal cash from someone, whether by force or by using their phone while they're in the bathroom or something. No need for a pin... not a feature I want enabled for my account, thank you.

Re:Sounds a bit sketchy...

[TapeCutter]

Many people in poor nations do not have access to banking facilities but they do have a mobile phone. Paying for things via your phone (as opposed to a card) is the normal way of doing business for a large chunk of the world's population.

Re:Sounds a bit sketchy...

I'm betting it's that the banks see some sort of additional revenue stream from doing this. Maybe they think they'll get higher overdraft fees by making withdraws easier to screw up? Without the phone maybe liability lies with customer not bank, since without a PIN the customer has less of a case to claim it wasn't them who made the withdrawal?

As a former Bank of America customer and employee, trust me they do not need any smart phone app or extra functionality to get higher overdraft fees. Let me tell you what Bank of America does to some people.. They regularly withdraw a percent of your account, play it in the stock market and make money on it and then put it back.. and if you are unlucky enough to try to withdraw from your account while they are doing this, you get an overdraft fee.. and they will add up before it shows up in the ledger that they host on your account on their website (IE the numbers they show there are not accurate and when you confront them on it, they say as much.) No matter how much you confront them on it, you can end up in a situation where they will charge overdraft and add them up until you get overdraft fees being charged from overdraft fees being charged and they will not own up to it no matter how dead to rights you have them on it. They figure they can victimize lower income customers, because it is not like they are going to be able to afford a lawyer to sue them.

I even tried to call the local news media and get them to do a story on it and apparently Bank of America has the news stations paid off too, as apparently they do this to a lot of people.

I eventually went into a location with my bank card and a pair of scissors, cut up my card on their desk and left a binding document that they owe me $900.00 that they heisted out of my account and that I have no intent to pay the fraudulent overdraft fees remaining on my account. They have made no attempt to collect on the remaining fees because they know they are in the wrong (and probably know I called the news media.) Bank of America are a bunch of crooks, do not waste your time or money doing business with them!

Re:Sounds a bit sketchy...

[modecx]

Sketchy? Mark my words, this will all end in tears.

Re:Sounds a bit sketchy...

[s.petry]

And those same poor people have money for a smart phone how exactly? Me thinks you are confusing "cash" with credit cards and tech gadgets. Sorry, but it's not safer than a credit card. It's the same as a credit card, while having dependency on some type of connectivity for the Cell.

Re:Sounds a bit sketchy...

could re-generate the QR code and go snag your cash. It would also be a way to steal cash from someone, whether by force or by using their phone while they're in the bathroom or something. No need for a pin... not a feature I want enabled for my account, thank you.

The problem that you're describing is called the replay attack and it's one that's easily solved by the addition of a nonce, which is basically a fancy cryptography term for a number or code that is used only once and then never used again. In effect the QR code is good for only one withdrawal, after that it will never be valid again. When this is combined with public key cryptography and one way hashing the QR code becomes both impossible to re-use or to forge.

Re:Sounds a bit sketchy...

This sounds like you fundamentally didn't understand how the "money market" account you had worked.

I'm not going to defend BoA here, but many people simply don't understand the difference between a savings account, checking account, and other "higher interest" accounts. Paypal is another example of a "money market" account. Never use a money-market account as anything other than a store of value, because you can, and likely will lose money if you repeatedly put money in it and take it out before any calculations can be performed on it.

The poster above describes a Money Market account that they were using as a checking account. It's also likely that BoA didn't go after the poster for the overdraft charges because it's easier to write off customer dissatisfaction claims than it is to sell it to a collections agency.

As for the topic, everyone knows that scanning a barcode is a bad idea to transfer money. All one needs to do is swipe the smartphone while it's unlocked, and clean someone out. This is another example of where the biometric and the pin need to be combined to work. A similar issue can be created by having the banking app on the phone hijacked (hello Android phones) and the thief needs merely show the barcode at the ATM to get the money without any confirmation.

As it is, the correct solution really is to cut out middleman, just use credit/debit over NFC or with the EMV chip everywhere you can, and avoid touching gross physical cash.

Re:Sounds a bit sketchy...

[Martin+Blank]

The banking apps I have on my phone don't allow persistent login, and automatically log out after a certain period of time without activity (and it's not very long). Someone would have to swipe the phone while it's logged in and continue performing activity within the app along the way to the ATM for that to work. It's not impossible, but it makes for a targeted attack, which lowers the odds of it happening.

Re:Sounds a bit sketchy...

[ATMAvatar]

I want universal translators and hypospray injectors next!

Jet injectors have existed longer than most people here. Universal translators, on the other hand... are still very much a work in progress.

Re:Sounds a bit sketchy...

[gl4ss]

smartphones are cheap.

atm machines are not.

Re:Sounds a bit sketchy...

[rtb61]

So basically, you give up your wallet and the threat of being mugged for the cash in your wallet for, hmmmm, for log in access to your phone banking account and transfer money or else and what happens after money transferred, how to keep you silent, hmmm, let me think. Yeah, nah, fuck off with the crazy idea of carrying around my bank account with my life being the guarantee of handing over the password and my life being in the balance when it comes to my not complaining about the illegal access to my account. Sure steal my cash, steal my credit card but stealing access to my bank account, that's real risky business. I'm thinking a T-Shirt, "My phone is not, absolutely not, linked to my bank account, please point your gun at the next available auto-teller". Swapping your phone for the ATM where you become an ATM.

Re:Sounds a bit sketchy...

[Martin+Blank]

The phones are cheap, plans are prepaid (and cheap), it's safer than carrying cash, and the mobile networks are ubiquitous. While the US has only recently been getting on board with transferring money by phones, much of Africa has been doing it for years.

Example: A Samsung Note 2 (not the latest and greatest, but still a decent phone) from Jumia Kenya is 550 Kenyan shillings. According to xe.com, that's about US$5.39, based on an exchange rate of about 102 Ksh to the US dollar.

Being poor doesn't mean being disconnected. Poverty hasn't been a barrier to mobile phone use in other parts of the world for many years. Even in Afghanistan, cell phone towers are common even in the remote regions, because they get used.

Re:Sounds a bit sketchy...

[ShanghaiBill]

And those same poor people have money for a smart phone how exactly?

By working and getting paid for it. In much of Africa, you can buy a phone capable of financial transactions for less than $20 new, and less than $5 used. It is considered important enough that most households will buy a cellphone before they buy a TV or refrigerator.

It's the same as a credit card

You cannot use a credit card for peer-to-peer transactions, and a CC is much harder for a poor person to get than a cellphone.

while having dependency on some type of connectivity for the Cell.

You must be an American. In much of the rest of the world, cell coverage is ubiquitous.

Re:Sounds a bit sketchy...

And those same poor people have money for a smart phone how exactly?

There are many millions of "poor" people in Asia and Africa with smart phones who are paying $3 to $5 per month for the same phones and better plans than those offered in the US. The idea that a phone, which can be manufactured for $40, should cost you $80/month for two years, subject to ridiculous throttling/caps/degradation of service, plus enormous fees if you try to switch carriers, is strictly an American concept and frankly I don't understand why you tolerate it. Throughout most of the world there are no contracts, you can buy SIM cards out of vending machines that will work in any phone, and it's all extremely cheap.

Re:Sounds a bit sketchy...

[SNRatio]

1. Lower costs: no need to snail mail new ATM cards every time someone loses one under the car seat. Monthly statements sent to your phone too.

2. Charge extra if you want paper statements or a plastic ATM card

3. Sell all the personal info the app collects to advertisers

Re:Sounds a bit sketchy...

[thegarbz]

And those same poor people have money for a smart phone how exactly?

You do realise that not every smartphone costs $800 and comes with a Designed in the USA logo on it right?
People in China who feed a family of 3 for dinner with less than $2 typically have 2 smartphones between them.

Re:Sounds a bit sketchy...

[KGIII]

Err... If you need to ask a question about banking, I'll do what I can to help you out. There's a lot that I don't know but I'm kind of familiar with it and I'm going to suggest that I'm probably a bit more familiar than you. Don't take that as an insult, you probably program far better than I. There are others here who can give you good information (better than mine) but separating the noise from the signal can be a bit rough.

Umm... They only give you that higher interest rate because they're using your money. Realistically? You wanted a credit union with share and draft accounts. You also need to read the difference between the two. However, a credit union is your best choice (you're likely eligible for at least one and many have shared banking) and probably to spend a few dollars on a financial advisor but you can learn it on your own if you want and take the time to do so. It's complicated but you need only know the basics.

There should be like financial lessons for geeks. It should cover retirement savings, investment strategies, basic accounting, the types of accounts and ways to manage, store, and invest your assets. It should cover various states of liquidity and risk. It should even cover handing a ledger and some simple portfolio managements for a broad overlook.

Re:Sounds a bit sketchy...

[invictusvoyd]

On an app!!! On their Android phones !!! on an app !!

_____________________
This aint fishy . It's a seafood platter

Re:Sounds a bit sketchy...

[AK+Marc]

All one needs to do is swipe the smartphone while it's unlocked, and clean someone out.

In practice, the only time someone has it unlocked is while they are using it. And you'd need to be in the bank app for it to matter. So the crook would have to be wandering public, looking for people using a banking app, then swipe the phone, and get to an ATM before the robbed person could call their bank.

Possible, but unlikely. When it's easier to make $500 making a table from scrap wood than to steal it with your method, you can expect that the number of thefts of that manner would be low.

Re:Sounds a bit sketchy...

[invictusvoyd]

Skimmers love old unmanaged ATM's , compromised POS, senior citizens and of course credit cards.

Re:Sounds a bit sketchy...

[AK+Marc]

A smartphone in India is cheaper than my bank card (my bank theoretically charges $20 for the card, and you can get a smartphone in India for $5).

You are confusing your incorrect bias for reality.

Re:Sounds a bit sketchy...

[OolimPhon]

In practice, the only time someone has it unlocked is while they are using it. And you'd need to be in the bank app for it to matter. So the crook would have to be wandering public, looking for people using a banking app, then swipe the phone, and get to an ATM before the robbed person could call their bank.

You just said it yourself. All the crook has to do is stand near an ATM and wait for somebody with a smartphone to use it.

Re:Sounds a bit sketchy...

[dave420]

There you go again assuming if you don't know of something it must not exist. The perfect storm of ignorance and hubris.

Re:Sounds a bit sketchy...

[Firethorn]

You just said it yourself. All the crook has to do is stand near an ATM and wait for somebody with a smartphone to use it.

Or, you know, hold a gun or a knife to them and make them withdraw the max they can for you. You know, the traditional method.

Or attach a skimmer to the reader, so the inserted card goes through your reader before entering the machine, and you have a camera placed to catch the pin. Like what happens in eastern europe all the time.

Re:Sounds a bit sketchy...

[AmiMoJo]

How is that worse than just standing by an ATM and snatching cash or waiting for the user to enter their pin and mugging them?

Re:Sounds a bit sketchy...

[houghi]

However, we are talking about banks in the US, not about some poor nation.

To me it seems it is there to make people spend easier and thus more. That will mean more credit is used and that means people will pay more interest and the bank makes more money.

Re:Sounds a bit sketchy...

[Chris+Mattern]

It can also be noted that they are kept affordable by air time being prepaid, often a minute a time, and many of these applications are written to optimize their use of that time.

Re:Sounds a bit sketchy...

[Anne+Thwacks]

Your bank are scum sucking cunts

All banks are SSC - it is the nature of the universe. There are probably references to the fact in Shakespeare's plays.

Re:Sounds a bit sketchy...

[luis_a_espinal]

And those same poor people have money for a smart phone how exactly? Me thinks you are confusing "cash" with credit cards and tech gadgets. Sorry, but it's not safer than a credit card. It's the same as a credit card, while having dependency on some type of connectivity for the Cell.

Me thinks traveling to a couple of countries will help you understand the answer to that question.

Re:Sounds a bit sketchy...

[luis_a_espinal]

And your job is being outsourced to them.

Your job maybe. This is the thing. If your job can be commoditized, you are a commodity, and you will be outsourced. So the key is to always be on top of that shit and not let yourself be commoditized. Offshoring is not a new thing. It is just an extension of outsourcing.

And guess what? Outsourcing is not a new thing either. I've seen it in action for the last 25 years. So I don't get why people keep sounding the alarm as if that shit was new. It's like people that complain their jobs went to China... 15-20 years ago. I'm like, well, wtf have you been doing since then to adapt?

Adaptation sucks. I know. I've lost my jobs several times, a lot of times because of outsourcing, directly or indirectly. Being unemployed sucks. But you adapt your game, your skills, even yourself and move to something else.

To say our jobs are going to be outsourced is like saying 2+2=4. So what? This is not news. People worth a damn in this field will find a way to find a way out of it.

Re:Sounds a bit sketchy...

[luis_a_espinal]

And those same poor people have money for a smart phone how exactly?

You do realise that not every smartphone costs $800 and comes with a Designed in the USA logo on it right? People in China who feed a family of 3 for dinner with less than $2 typically have 2 smartphones between them.

Word.

People are ignorant, horribly ignorant, when it comes to things like this. I remember I asked a friend of mine from grad school to get me a copy of Knuth's books in India. I paid like a fifth of what I would have paid if I had bought them in the US. Pricing is "zonified" (if there is such a word.) The same shit that we have to pay $100 we can pay a fraction of it in another country without any loss in quality.

Re:Sounds a bit sketchy...

[Charcharodon]

Last time I checked most of the rest of the world is a festering shit hole, so you think the best solution is to do it how they do? That is pure genius.

Re:Sounds a bit sketchy...

[Charcharodon]

You obviously never had a phone in Europe, the rates and phone prices are even worse than the US.

Re:Sounds a bit sketchy...

[Martin+Blank]

There are targeted attacks where people are told to withdraw some amount of money from the bank or their loved ones suffer the consequences.

Two cases here from 2015:
http://legacy.wbir.com/story/n...
http://www.mansfieldnewsjourna...

And here's one from 1992:
http://www.deseretnews.com/art...

Using an ATM card isn't any safer, with robberies involving forced ATM withdrawals happening frequently. Fraudulent activity is covered by banking regulations and FDIC insurance.

Re:Sounds a bit sketchy...

[Charcharodon]

Goes a bit back farther than that. Studying globalism in an Economic class. The first round of "globalism" end 12,000 years ago when the last continent was colonized by early man. There have been 5 or so major periods or so since then. We are currently in the middle of one of these transformations. They speculate the next one will be off world. LEO or with another planet. Companies are relocating to Mars to avoid paying taxes and robotic orbital mining in the asteroid belt is destroying the middle class!

Re:Sounds a bit sketchy...

[unrtst]

I'm not referring to re-use or forgeries. I'm talking about theft.

Re:Sounds a bit sketchy...

[edtice1559]

If somebody threatens me with violence unless I pay them money, I want the means of paying them to be as easy as possible. Times are changing but when I was younger, I was taught always to have some amount of money $20-$40 available. If somebody robs you, throw the money in their direction and run. They'll pick it up and you'll get away.

Re:Sounds a bit sketchy...

[LinuxIsGarbage]

You are there already - or at least most people are. When I turned on my smartphone the first time, it wanted a credit card number. This ostensibly so I can purchase "apps". Most people accept that, because they get themselves some nice $1 apps/games - no big expense.

I refused. As in "do that later" and never following up.

There are some cheapo apps I would like too. But I will NOT have my phone linked to a credit card. First, there are these "in-app purchases" they try to trick you into at every opportunity. I refuse to take part in that show. Then, there is rtb61 robbery scenario: someone mug me for my phone, simply to "buy" the mafia's $999 "app" and get some kickback? That is possible already, with the credit card link.

I'll happily buy some cheap apps the day I can use the credit card and not have the phone remember it. Similiar to how I use the credit card for web purchases - the browser/pc/os do not remember the number. I enter it everytime, someone stealing my PC would not get it. And "in-game" purchases won't happen from a PC/game with no idea of my payment details.

Can't you get both Apple iTunes and Google Play store gift cards from a brick and mortar store, paid with cash, to then use to buy apps?

Re:Sounds a bit sketchy...

[mjwx]

Many people in poor nations do not have access to banking facilities but they do have a mobile phone. Paying for things via your phone (as opposed to a card) is the normal way of doing business for a large chunk of the world's population.

Hi, it sounds like you've never been to a developing nation. Would you like some help?

You see, in developing nations people use these small pieces of paper or polymer with numbers on them to trade for goods and services. They do this because adding banks into the mix creates extra costs that must be passed onto the consumer. Seeing as they dont have much money to begin with, they opt not to use the bank.

It'll be the same with phones. You dont need any infrastructure to deal in cash, you'll need infrastructure to deal with phones.

Re:Sounds a bit sketchy...

[mjwx]

By working and getting paid for it. In much of Africa, you can buy a phone capable of financial transactions for less than $20 new, and less than $5 used

This is for a basic Nokia rip off (not a genuine Nokia, that costs money). A smart phone will cost upwards of US$75 for a cheap Chinese model.

You cannot use a credit card for peer-to-peer transactions, and a CC is much harder for a poor person to get than a cellphone.

You cant use a phone for peer-to-peer transactions either. You will need, at the very least, significant back end infrastructure that can handle thousands of real time transactions a second. This isn't easy or cheap to do, this means the people doing it (erm... the banks) will want to make money off it. As this will increase costs, it will not be an attractive option for the African on a budget.

Those not on a budget will get a CC as it's a status symbol along with the 35 yr old Merc.

You must be an American. In much of the rest of the world, cell coverage is ubiquitous.

You must not have been to the rest of the world as you've not no idea how spotty and unreliable mobile coverage is in developing nations.

In the Philippines, I cant even get reliable coverage for the entirety of the NLEX (Northern Luzon EXpressway) which is 84 KM's of road through a relatively well to do part of the PI, let alone out in Leyte or Samar. Hell, sometimes I can walk from one end of my hotel room to the other and cross tower's 3 times... Internet outages for days are not uncommon (I had this happen after Typhoon Hagupit/Ruby rolled through in 2014). Compared to the African nations you're alluding to, the Phils is positively developed.

If you think instant, on demand internet access is commonplace in the developing world, you've clearly never been there.

Re:Sounds a bit sketchy...

[Charcharodon]

Lived in UK and Germany. Visited Cyprus, Albania, Greece, France, Ireland, Italy, and Norway. The cell phone prices and the service, as well as regular phone and internet service in each of those countries sucked goat cock.

So eat a dick.

Is apple involved?

[catalina]

Hmm, this might solve any FBI funding problems...

obligatory

Choosing 'that' vs. 'which': http://www.dailywritingtips.co...

no smartphone no cash

[turkeydance]

maybe THAT will stop my wife.

So now if I get mugged...

[swamp_ig]

Not only do I potentially get assaulted, and all my stuff stolen, but they can drain my bank account too? Doesn't this just paint a big target on the back of anyone who carries a smart phone?

I like pay-pass, the way it works in aus is there's a maximum amount per transaction where you can use contactless without a pin. Hopefully it will be the same for this?

Re:So now if I get mugged...

[thegarbz]

but they can drain my bank account too?

How did you reach that conclusion? The article only mentions the interaction between the phone app and the ATM works via barcode. It doesn't say what security is involved on the phone app.

Now how many times have you been able to log into mobile banking recently without using a password, one that is often longer / harder to guess than a 4 digit PIN?

Re:So now if I get mugged...

[edtice1559]

The alternative, of course, would be that you get assaulted, they take your stuff, then beat you dead because you won't give them the money stored on your phone. They won't believe that you don't have the app. I always wanted to get one of those briefcases that you handcuff to your wrist because I thought they are cool. I thought better of it because somebody may commit a brazen act of violence to take it from me and then a deadly one when they realize I don't have anything of value.

Re:So now if I get mugged...

[edtice1559]

Most bank accounts have a daily withdrawal limit. I'd like to think you can report your phone stolen in less than 24 hours. The same way you would an ATM card. What seems reasonable is reentry of the PIN at the ATM. Wave your phone, enter your PIN, withdrawal money. What's the difference between that and an ATM card? Right now I'm carrying at least 10 ATM cards and a half dozen credit cards.

Re:So now if I get mugged...

[thegarbz]

What seems reasonable is reentry of the PIN at the ATM. Wave your phone, enter your PIN, withdrawal money.

Given you need to authenticate yourself to your mobile banking app in the first place in order to setup this money withdrawal what's the benefit of doing it twice?
As other's have pointed out any threat against this form of payment involves someone already having detailed access to banking accounts (assuming they are setting this up the same way as some banks already have).

Cardless cash

[well_in_theory]

A version of this is already widely in use in Australia. Log into bank via smartphone, request amount of cash, receive code. Go to that bank's ATM, request cardless cash, enter code, ???, cash! I no longer carry a wallet, just my smartphone with 3-card slimline case containing my ID/drivers licence, public transport RFID card, and credit card. I'm able to slip a $20 in there too for the few remaining places who either don't take credit or charge a fee to do so.

Re:Cardless cash

[well_in_theory]

Sure, all they need is my fingerprint to access the phone, know which bank I'm with, know that that I'm registered for cardless cash at said bank, my fingerprint again to access the app, and possibly my fingerprint again to request the funds.

But sure, a card and 4 digits is totally more secure.

Re:Cardless cash

[sumdumass]

So your phone and a finger? Not much different from right now I guess.

Re:Cardless cash

[Grishnakh]

I hate to break it to you, but it's not hard for a mugger to get your fingerprint. All they need is a knife....

Re:Cardless cash

[fluffernutter]

You know there are databases of fingerprints being stolen every day, right?

Re:Cardless cash

[well_in_theory]

If I'm suddenly in a position where losing a finger during a mugging is a genuine concern, I'll look into better protecting my hundreds of dollars.

Are there actual documented cases of small-time crooks in a civilized country using fingerprint harvesting off secondary sources to get into a smartphone? Maybe I just live in a country where tinfoil hats aren't so necessary.

Re:Cardless cash

[Nyder]

Sure, all they need is my fingerprint to access the phone, know which bank I'm with, know that that I'm registered for cardless cash at said bank, my fingerprint again to access the app, and possibly my fingerprint again to request the funds.

But sure, a card and 4 digits is totally more secure.

You mean the finger print that is already on the phone because oil leaves the prints on the screen? Not sure how you can think this is safer when finger print scanners have been fooled by pictures.

https://www.google.com/search?...

Re:Cardless cash

[well_in_theory]

I'm still going to guess the $5 wrench (https://xkcd.com/538/) gets used more than whatever is required to fool TouchID in the time it takes me to register that my phone/card is missing and report it as such. I don't *think* I have a network of spies tracking my every move and lifting my prints off of water glasses in order to obtain my hundreds of dollars, but perhaps that's just because they don't *want* me to think that, right?

How do you paranoids ever leave the house?

Re:Cardless cash

That's why you make sure at least two fingers get you into your phone. Or you could use a toe.

For the most part, a PIN is more secure than a fingerprint, but this is owing to the current level of accuracy in fingerprint readers. Like a gelatin (eg gummybear) finger can get into a fingerprint reader because it has just enough depth to look like a real finger, but fingerprint sensors could be improved to actually care about opacity and temperature to secure it better. So cutting a finger off wouldn't work, and a gummyfinger would't be stable enough at body temperature.

Other biometrics are more fun. Facial recog is pretty much garbage since it can be fooled with a photo, and only works for white people. Iris scans are irrefutable (only an identical twin could fool it, and it would rely on refractive properties, so it can't be copied with a simple photo that doesn't refract light) and DNA tests are still way too slow to be useful. The problems with Iris scanning and DNA scans is that they are way too complicated and expensive and are best used for security (eg border control, bank vaults, military complexes and such) and not for poorly secured consumer applications.

That said, an iris scan may eventually be doable with the "selfie" camera on a camera phone, and if an ATM were to be used to withdraw money, all they would need to do is have the same "selfie" camera at the ATM instead.

But one needs to ask why bother with all this nonsense in the first place. Quit using cash for everything. So what if Visa/MC/Amex knows what you buy, are you ashamed or embarrassed by what you buy? The amount of people who are scared to buy tampons and condoms are afraid of being judged by the person ringing up the order. If you're really afraid of the person in the store, buy that stuff off Amazon.com

Re:Cardless cash

Iris scans are irrefutable

From wikipedia: "Many commercially available iris-recognition systems are easily fooled by presenting a high-quality photograph of a face"

A high-quality photo of someone's iris is not hard to get. Celebrities, which tend to have money, are even used to people pointing big expensive lenses at them all the time. Anyone can pretend to be paparazzi.

And if they have some way of rejecting paper images - well, embed the iris image in a glass eye. A fake head, heated to body temperature is not hard to pull off.

Re:Cardless cash

[slashping]

Celebrities, which tend to have money

Kanye will be glad to hear he's safe.

Re:Cardless cash

[Toshito]

You have to unlock your phone, start the banking app, login into the app*, click on the withdrawal button, choose the amount, get the code, scan the code on the ATM, and get your cash.

Wow! It's so much simpler and faster than inserting my card into the atm, punching my 5 digit PIN, clicking on the 20$ or 40$ (or whatever amount) fast withdrawal button, and getting my cash.

* I don't know how you do that for your bank's app, but mine asks for the 16 digits of my banking card, and a password. It takes a long time to enter...

Market will decide

[justcauseisjustthat]

It's interesting that every vendor tries a slightly different approach to give or get money, it's probably going to take 5-10 yrs for a standard to prevail.
By the time this new standard prevails there will be an approach using quantum encryption using Personal IDs.

Fie

[Iamthecheese]

Combine it with the war on cash. Up next: Anyone not wearing a trackable GPS chip at all times is forbidden from using money.

DO NOT WANT.

[kheldan]

Leave the cardreader in it for those of us who prefer to not waste time with data-leaking, security-hole-ridden so-called 'smartphones'.

Which 28 Banks?

[ohnocitizen]

It's annoying the article doesn't list the banks.

Re:Which 28 Banks?

[Known+Nutter]

Chase is one.

http://www.nbcchicago.com/news...

I'm sure all the rest are right behind them.

Re:Which 28 Banks?

Well, it is an International Business Times story. They probably just noticed this 2-year old news release on the subject, FIS Mobile Wallet Earns Prestigious Frost & Sullivan Customer Value Enhancement Award

This isn't new

[jonwil]

Several banks here in Australia (the Commonwealth for one and I think also Westpac) have had the "get cash via a phone app" option for a while now (where you log onto the online banking app on your phone and get a code that you key into the ATM which will then give you cash without a card). Other banks (like the ANZ) are trialing a NFC solution where you can tap with your compatible NFC phone on a reader on the ATM instead of using your card.

There is no increase security issue with the cash-via-phone-app option as implemented by the Australian banks that have done it since the thief needs to steal your online banking password (and if they have that, they can transfer money via direct transfer to another account they control rather than risk being caught by an ATM camera withdrawing cash using this technology)

In fact the technology makes things more secure in that your account details cant be stolen by a card skimmer attached to the ATM.

Re:Marketing B.S.

[jrumney]

I think when they say "faster", they mean less time spent using the ATM, since a large part of the process can be done before you get there, or while queuing. Of course in reality, what will happen is people will queue up for the machine, then pull out their phone once they get to the front of the queue and start with their transaction, holding the queue up even more.

When did I last visit an ATM?

[93+Escort+Wagon]

I don't think I've pulled cash from a cash machine in at least five years. I hardly use cash, although I do tend to keep an "emergency" $20 in my wallet. But pretty much every store I frequent asks me if I want cash back whenever I shop anyway - no extra trip to the ATM needed.

SQRL?

[Chrontius]

If they're using SQRL, then I don't have any new security concerns.

https://en.wikipedia.org/wiki/...
https://www.grc.com/sqrl/sqrl....

Keep your phone secure, and the authentication scheme is really hard to break.

This is a game of pass the buck.

[kuzb]

Now it won't be their system which is insecure, it'll be your phone. This gives them another layer of defense against their often laughably bad security.

Re:This is a game of pass the buck.

[shawn2772]

Now it won't be their system which is insecure, it'll be your phone. This gives them another layer of defense against their often laughably bad security.

Except that, according to federal law, they're liable for the fraud anyway.

To be precise, for ATM and debit cards (which this would be), your liability varies according to how quickly you report a lost or stolen card. $0 if you report the loss before it's used, $50 if you report the loss within two days after you learn about it, $500 if you report it within 60 days after your statement (containing fraudulent transactions) is sent to you. For a phone-based version, if it turns out to be vulnerable to attacks and you're defrauded as a result of that while the phone is in your possession, the FTC would force the banks to eat all of the fraud because there's no way you could have known to report. If your phone is lost or stolen, the normal reporting rules would apply.

Also, it's rather ridiculous that you think your phone is less secure than a piece of plastic with a magnetic stripe on it. The security of your ATM/debit card, what there is of it, lies entirely in the PIN because copying magnetic stripes is trivial (called "skimming"). And that PIN doesn't provide much security because the classic way to commit ATM/debit card fraud is with a fake ATM or point of sale device which captures your magstripe when you swipe, and your PIN when you enter it.

Your phone does have additional attack vectors because it is a networked device, but mobile phone OSes already have protections in place to mitigate that. iOS has the secure enclave and Android has the hardware-backed keystore[*], both of which allow the phone to carry non-extractable cryptographic credentials which are bound to user authentication (though Android only started providing the authentication binding in Marshmallow, so it'll be a couple of years before it's widespread, but it'll take longer than that to widely deploy new ATMs).

Banks will also apply their normal risk management engines to decide if the transaction is legitimate, and the phone offers a far richer set of data elements they can use, making it harder to convince their systems that a fraudulent transaction isn't legitimate.

Banks clearly are not "passing the buck", because federal law won't let them. No, they're doing this because it really will be more secure, which will save them money by reducing the fraud they have to cover. This is a totally self-interested move on their part, sure, and the goal is to reduce fraud liability, but your cynical interpretation of how that will happen is dead wrong.

Re:Marketing B.S.

[kuzb]

They'll require a PIN still, you'll just need to enter it on your phone. So even if the attacker has access to the software, they'll still have to figure out the PIN which will likely lock the account after too many tries.

No

[s.petry]

In fact the technology makes things more secure in that your account details cant be stolen by a card skimmer attached to the ATM.

Impossible, and a BS justification. Okay, a card skimmer is not a problem, but a MITM attack and screen scraper app are possible on your phone and not on a credit/atm card. You are trading risks, and not in favor of the phone. Safer? Not a chance.

Kind of like everything else that goes 100% on line, it's more risk and prone to problems. But, we all get to pay for increased premiums to pay for damages so who cares right?

Re:No

[Martin+Blank]

It's a different risk profile, but that does not necessarily mean more risk. In this case, the screen scraper app is going to hit far fewer users of the ATM than the card skimmer would, and it would probably be discovered quickly as the codes generated by an authorized user were used elsewhere and the user noticed money missing. Preventing this becomes fairly simple: make the code only work within some specific time and distance of where it was generated. If it has to be used within ten minutes and five miles of being generated, it's much harder to use even if the phone is compromised. If it's not used, it become invalid and has to be regenerated.

Re:No

[stoborrobots]

... a MITM attack and screen scraper app are possible on your phone and not on a credit/atm card. You are trading risks, and not in favor of the phone. Safer? Not a chance.

There's no more exposure than simply having online banking in the first place. If you have online access to your account, then MITM and screen scrapers are already a risk. Adding cardless cash support does not increase that risk appreciably.

Stolen card attacks via ATM are already a risk. Online banking is already a risk.

Most people who use cardless cash in Australia also have an ATM card, however they have the option of using the app if they are without their card for some reason. This does not increase their exposure over someone who already has online banking and an ATM card.

Re:No

[thegarbz]

Impossible, and a BS justification. Okay, a card skimmer is not a problem, but a MITM attack and screen scraper app are possible on your phone and not on a credit/atm card. You are trading risks, and not in favor of the phone. Safer? Not a chance.

I'll happily trade a risk for something I know and I'm in control of compared to something unknown that I can't control.

Want to keep your phone secure? Don't install shady apps.
Want to avoid your card getting skimmed? Don't use ATMs with card skim.... wait what does a card skimmer look like?

While you're at it if you steal my phone you still need my banking password. If you steal my credit card you can go nuts doing online purchases (it has happened to me before), or you can enjoy any number of sub $50 purchases using PayPass. These are risks I'll happily trade.

Re:No

[redback]

You have to chose the specific ATM to generate the code.

Re:No

[Martin+Blank]

That makes it even more secure.

Your phone is your key

[mveloso]

Your phone is your hardware key. With your phone in hand, they can assume (or ensure) that your authorization and identity are mostly guaranteed.

This is essentially what Apple did with ITunes and iPods; the iPod is a hardware key for access to DRM content. I assume it's the same with the iPhone/FairPlay video.

TouchID works on different principles, but the idea is the same: security is (mostly) guaranteed with hardware. Apple can guarantee authorization and identity with TouchID. That makes it a bit more dangerous, because you can accidentally grant authorization to someone. But at least Apple can argue that it was you who did the grant and not person Z.

More BS

[s.petry]

Seriously, stop and use your brain for a while. If the Phone is subject to a screen scraper, and the reader is subject to a similar app (think skimmer) then you have just doubled your points of entry for a bad guy. It does not matter how long the code is good for, because telecommunications is fast for bad guys too. Code must be used in X radius is not a huge restriction in a city. Maybe out in the sticks.

I can't stop the ignorant from thinking that on-line is secure, but I'm not going to fall for the gag and lie to people. Want secure? Use CASH! I do this all the time, and it's amazing how little risk I face for card skimmers. You can use on-line all you want, but I want you to pay for the insurance. Want to pay with your phone, go right ahead. Pay the insurance and be responsible for that too.

Re:More BS

[jonwil]

The system in use by the Commonwealth Bank requires both a unique code (given to you by the app) and also a pin number sent to you via SMS (meaning a thief needs to be able to steal both numbers somehow). Oh and the codes are one-time-use only and expire after 30 minutes so the thief needs to be able to get to a Commonwealth Bank ATM within 30 minutes and hope the legitimate owner of the account hasn't used the code in the mean time.

So for a screen scraper to be useful the hacker would need to specifically write it to look for and steal both the code AND SMS'd pin at the same time. And they would need to have someone stationed right next to a Commonwealth Bank ATM at that point to run the transaction through before the legitimate account holder (who would probably be right next to an ATM at the time they are using the phone app) runs the transaction.

time to stop calling these things "smart phones".

[pezpunk]

seriously, phone calls is like 1% of what people use these things for.

in addition to being a portable gaming system, email device, messaging tool, web browser, photo/video camera, walkman, television, alarm clock, weather forecaster, pinball leveler, and about a million other things, the future of this device is clearly moving in the direction of replacing things like photo ID and credit card. the term "smartphone" does not fit. it's like calling a car a "smart chair".

Re:time to stop calling these things "smart phones

[GuB-42]

At least almost everyone uses their smartphone to make phone calls, among other things.
But when is the last time you've actually seen gloves in a glove box?

Real advantages are as follows:

[gurps_npc]

1) Company doesn't have to make, send, or replace a card

2) You are less likely to misplace your phone - and you will personally pay to replace it.

3) You can begin the transaction before you get to the machine, so if there is a line, in effect, it is faster.

4) I can enter the code on my phone, take a snapshot and email it to you, then you can go to my bank and take the money out of my account. I just made a no fee way to email cash, as long as I have it in the account.

5) If you don't have a debit card, you can't mistakenly use it instead of a credit card, nor will you be tempted to do so on purpose. This negates the vicious attempt by the banks to charge you fees for overdrafting.

Additional authentication

[phorm]

I would accept the phone as an *additional* authentication method, but certainly not as the only one. It shouldn't be hard to tie large purchases to a banking app for authentication. Heck, in a lot of places groundwork for this is partially in-place already:
* Various banks including my own allow you to increase your daily debit/transaction limit to nearly $10k if you call in to pre-authorize it for a set period. You still need the debit card and PIN of course
* My credit card company has periodically put a brief hold on an unusual large transaction, which was followed by a verification phone-call. The last time it happened I had bought gum, gas, and then a big-screen TV (apparently a common pattern for those testing a recently-stolen card). The TV purchase was initially denied, but I got a call then-and-there on my mobile from Visa asking if it was me making the purchase for $X at location Y, then it was approved.

So tie the above into a mobile app. If spending exceeds a daily, hourly, or per-transaction limit, require that it be authorized on the mobile app (with password) before processing further transactions. Your card/PIN would still be required to complete the transaction as well, but this helps prevent somebody from stealing your card and making a bunch of withdrawals/purchases if they stole the card and shoulder-surfed (or had a camera on) your PIN.

Re:Stinky BS

[Martin+Blank]

Ever walk up to a store where there's an armored truck idling outside? The crew is armed, and that's because the trucks are targets, with an attempt against them every so often. You don't see remotely that level of physical security involved with credit card transactions. Look at the marijuana stores in Colorado and Washington that have trouble getting bank accounts and consider the risks involved with all-cash transactions.

Your compromises almost exactly match mine (I wasn't lucky enough to be part of the Target breach, but it did happen with a small restaurant), and my wife was affected by the OPM breach. You can get your money back from credit card fraud, and for most people, the OPM hack was an inconvenience and some free credit monitoring. Security in general does have to get better, but it's still a far cry from the risks associated with carrying cash. Once cash is gone, it's gone. Maybe you get something back if you have insurance, but you're paying for that along the way.

Oh great

[JustAnotherOldGuy]

...another vector for someone to steal my money, meddle with my finances, or break into my bank account.

Nothing could possibly go wrong with this idea. Because, you know, smartphones are SO secure and everything.

DO. NOT. WANT.

Finally!

[JamesHolliberg]

Very good! Finally! It's probably the most discussed topic for any business :) Thank you for the advice. I used to build long-standing relationships with my partners and customers, so money is a crucial point here. My experience shows, that company is doing well being secure with its funds. That's why I cooperate with https://worldcore.eu/Public/Fo... to make money transfers. The system provides p2p no-fees transfers, so it was a great solution for my business. And I can keep the track of all money flows easily, as transfers are accomplished with same day approval. Perfect for enterprenuers!