Slashdot Mirror

← Back to Stories (view on slashdot.org)

Wells Fargo: All ATMs Will Take Phone Codes, Not Just Cards (go.com)

Posted by BeauHD on from the sign-of-the-times dept.

Given the prevalence of smartphones nowadays, Wells Fargo has announced plans to upgrade all 13,000 of its ATMs next week to allow customers to access their money using their cellphones instead of traditional bank cards. Wells Fargo would be the first to upgrade all of its ATMs with the feature across the United States. ABC News reports: To access their money, customers would get unique eight-digit codes from their Wells Fargo smartphone app, and enter the code into the ATM along with their PIN number. The machines will still accept debit cards as well. One limitation of the one-time code, though, is that it won't work on the secure doors that many branches have for non-business hours that require a customer to swipe an ATM or debit card to gain entry. Wells Fargo said those secure doors are found at a small percentage of branches, mostly in major metropolitan areas like New York City or Chicago. Wells said it plans to roll out another upgrade to its ATMs later this year, which will allow customers to access the ATMs by holding their smartphones up to a reader on the machine, instead of entering the eight-digit code. It would be similar to using Apple Pay or Samsung Pay, the bank said.

71 comments

  1. Wells Fargo by DogDude · · Score: 4, Insightful

    I wouldn't trust Wells Fargo any further than I could throw any of their crooked executives. Even if my credit unions offered this, I wouldn't link my cell phone to my banking info. That seems like an extremely bad idea.

    --
    I don't respond to AC's.
    1. Re:Wells Fargo by Anonymous Coward · · Score: 2, Insightful

      I wouldn't trust Wells Fargo any further than I could throw any of their crooked executives. Even if my credit unions offered this, I wouldn't link my cell phone to my banking info. That seems like an extremely bad idea.

      It will probably also require a $9.99 monthly 'service charge', and automatically deduct a $1.99 "teller fee" each time you use it.

    2. Re:Wells Fargo by Anonymous Coward · · Score: 0

      Wells Fargo is in the past. My bank doesn't even have ATMs because my phone IS the ATM.

      A customer at Well Fargo actually has to go down to the bank to deposit checks. For me, it's a simple matter of snapping a picture of the checks with my phone.

    3. Re:Wells Fargo by Anonymous Coward · · Score: 0

      Your phone prints out cash? That's a nice feature!

    4. Re:Wells Fargo by R3d+M3rcury · · Score: 1

      A customer at Well Fargo actually has to go down to the bank to deposit checks. For me, it's a simple matter of snapping a picture of the checks with my phone.

      The Wells Fargo app has that, too.

    5. Re: Wells Fargo by nehumanuscrede · · Score: 2

      Right there with you man.

      There is exactly zero chance I will put anything from my bank accounts within reach of a Smartphone. Ever. For any reason.

      I will not login to a banking site with one and will never trust the banking apps nor the overall security of the phone to ever even consider it.

    6. Re: Wells Fargo by Anonymous Coward · · Score: 0

      Starting next month Wells Fargo will be charging 10$ per month on checking account users unless they have an active credit line of 5k or more open.

    7. Re:Wells Fargo by Anonymous Coward · · Score: 0

      E*TRADE Bank? That's one of the 2 banks I have - the other being Wells

      Reason I added Wells: there were a couple of instances where I needed to get a cashiers check for my first rental at a new place, and E*TRADE just didn't do that. They offered to wire the money, but the rental office didn't have that arrangement. So I added a Wells Fargo account, and use that for such things.

      The other thing - some people here talked about the dangers of having a banking app on your phone: if the phone gets lost, or worse yet, stolen, you are SOL. Once I had the Wells account, I stopped banking on my phone. If I need to deposit any check, I go to the nearest branch and do it - most secure that way. So if I need to deposit or withdraw cash through E*TRADE, I do it via Wells. Why do I keep that account open? Just in case any potential employer gives me stocks via E*TRADE: that bank is convenient for THAT purpose

    8. Re:Wells Fargo by mjwx · · Score: 1

      I wouldn't trust Wells Fargo any further than I could throw any of their crooked executives. Even if my credit unions offered this, I wouldn't link my cell phone to my banking info. That seems like an extremely bad idea.

      Banks in Australia have been offering this for years. You get a code sent to your phone and just plug that into an ATM to get $50.

      I agree that tying your bank account to your phone is a phenomenally stupid idea, people seem to be doing it in droves. Until the cost of fraud outweighs the profit, nothing is going to change.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    9. Re:Wells Fargo by Anonymous Coward · · Score: 0

      I wouldn't trust Wells Fargo any further than I could throw any of their crooked executives. Even if my credit unions offered this, I wouldn't link my cell phone to my banking info. That seems like an extremely bad idea.

      I'm curious why you'd assume two-factor authentication was a bad idea, extreme or otherwise?

      I don't mean specifically with Wells Fargo, but you mention even if your credit unions offered two-factor you would feel the same way.

      Yes having your TOTP token in the form of dedicated hardware that has tamper-proof features, such as the old school RSA fobs, would be most ideal. Being hardware those come with an additional expense, but many would agree it can be worth it as you are paying mainly for the tamper-proof features more than anything else.

      But even with the insecurities inherent in a software form of a TOTP "client", this as a second factor on top of your existing authentication credentials is still one more thing an attacker would need to deal with in order to authenticate and identify themselves as you.

      Take the Google Authenticator software for example. It is a pure 100% RFC 6238 and RFC 4226 complaint client compatible with many open and closed source authentication backends (including PAM for Linux) that provides one more layer for an attacker to need to compromise.
      This on top of any existing authentication layers you already have now.

      Granted I have no clue what protocols and implementations of time based one time tokens Wells Fargo has chosen to use, and I am right there with you in assuming the worst (home rolled) before being proven otherwise, but simply as a concept I don't see why anyone could have any problems with it.

      It's like adding one additional lock to your front door.
      No matter what the added security of that new lock, it doesn't lessen the overall security of your door since all your original lock(s) are still there too.
      Even if the new lock adds zero security, that only makes it a useless annoyance, but still does not weaken your security at all. In fact in that case it would be exactly the same as before without.
      So any amount of security above zero is an overall improvement.

      Given you have no specific details, and even specifically mention yet non-existent implementations (by referencing your own credit unions), why do you say the concept of an additional auth factor is a bad idea?

    10. Re:Wells Fargo by Gussington · · Score: 1

      I wouldn't trust Wells Fargo any further than I could throw any of their crooked executives. Even if my credit unions offered this, I wouldn't link my cell phone to my banking info. That seems like an extremely bad idea.

      We've had this for years. Why are US banks stuck in the 20th century?

    11. Re:Wells Fargo by Anonymous Coward · · Score: 0

      Even better, my phone doesn't require the extra middle step of getting paper to represent my money. I can pay for things directly with my phone. I can also issue checks and have them mailed on my behalf from my phone, all without having to pick up a pen, envelope or stamp.

  2. As someone that's been waiting over 5 years for... by Anonymous Coward · · Score: 2, Informative

    an ATM card, this is just crap. They can't get working ATM cards to their customers, like myself that has had an account for just over forty years, so why add technology and complexity before fixing their basic problems?

  3. Card Skimmers? by irrational_design · · Score: 2

    This sounds like a solution to the card skimmer problem.

    1. Re:Card Skimmers? by TWX · · Score: 4, Informative

      If they wanted to solve the card-skimmer problem then they'd install circuitry to detect a skimmer placed on the cardslot and they'd show a picture on the ATM screen of what the cardslot should look like. They could even go so far as to make a device that slips out through the cardslot and damages or destroys card skimmers, deploying it between however many uses of the ATM, or they could use a system that retracts the card reader and cardslot into the housing of the machine between uses and allows for automatic inspection and confiscation of skimmer mechanisms.

      There are plenty of ways to solve the skimmer problem without resorting to using cell phones and pushing the security responsibility to the accountholder, but they all require effort and money.

      --
      Do not look into laser with remaining eye.
    2. Re:Card Skimmers? by SpeZek · · Score: 1

      What's to stop the skimmers from installing a screen + buttons over the regular screen, capturing your code, and then using the underlying machine to then access your account?

    3. Re:Card Skimmers? by Rick+Schumann · · Score: 2

      Two ways they could solve the 'card skimmer' problem:
      1. Train bank employees that service the ATM to look for and recognize card skimmers. I'm surprised if they don't already do this. ATMs have to be reloaded with money, have jams cleared, etc, on a regular basis. If bank employees aren't routinely looking for these, then there's something seriously wrong with their procedures.
      2. Install software on the ATM itself that scans Bluetooth for card skimmers, and SHUT DOWN if it detects one. I can't see it being too difficult to create software that would do this. Law Enforcement must have boxes full of the things, determine what devices they show up as, what protocol they use for transfer of captured data, and write a program that looks for the device and verifies it's a card skimmer. It finds one, it tells the ATM to shut itself down until a bank employee and police can come by to remove the thing.

    4. Re:Card Skimmers? by Highdude702 · · Score: 1

      then i make hardware and software to make the skimmer look like a phone, now nobody with a phone can use that atm machine. they can and will easily skim information. they need to find a new secure way, and cell phones isnt the way.

    5. Re:Card Skimmers? by TWX · · Score: 2

      Bank employees aren't usually the ones servicing the ATMs, there are crews that drive around and do that, usually with names like BRINKS on the side of the truck. As far as I am aware, the local bank employees have no access into the ATMs.

      You probably wouldn't want your average teller to have access to the ATM anyway, tellers make terrible money compared to the standards to which they're held. They have all of the downsides of having to maintain some of the highest standards of grooming of any workplace (arguably to the point of "preening") but they make less than your average computer PC desktop support tech.

      --
      Do not look into laser with remaining eye.
    6. Re:Card Skimmers? by KingMotley · · Score: 1

      It is a one time use code, so they can have it all they want after I'm done.

    7. Re:Card Skimmers? by cdrudge · · Score: 1

      Train bank employees that service the ATM to look for and recognize card skimmers...

      ATMs are refilled at most daily? How many cards can a skimmer get if they install it right after an ATM is reloaded. A busy location may be dozens and the skimmer could easily be pulled off prior to the next reload time if it's a normal routine.

      Also most of the credit union locations I'm a member of have an ATM mounted on the side of the building. All the reloading is done from the inside of the bank. No employee would need to look at the outside on a regular basis.

      Install software on the ATM itself that scans Bluetooth for card skimmers, and SHUT DOWN if it detects one.

      This implies the skimmer uses bluetooth. It could just as easily use a non-standard wireless protocol or even not wireless at all. It could just record the stripe data for retrieval later via a cable.

    8. Re:Card Skimmers? by Rick+Schumann · · Score: 2

      You and another commentor in this thread are ignorning the point: Banks SHOULD have someone auditing their ATM machines, daily, if not several times daily, to ensure there are no unauthorized devices attached to their ATM machines. There is no excuse for not doing it. If Brinks or some other company is who is serving the machines then THEY need to be trained to do this, plain and simple. Laziness is not an excuse, it's part of the problem.

  4. Re: As someone that's been waiting over 5 years fo by Anonymous Coward · · Score: 1

    They bought-out Wachovia in 2008, and I still have several friends that don't have working ATM cards yet, including myself. Taking almost nine years is just ridiculous.

  5. Re: As someone that's been waiting over 5 years f by Anonymous Coward · · Score: 4, Informative

    To be fair, the purchase wasn't finalized until Oct 15, 2011 so we've only been waiting on working ATM cards for a little over five years.

  6. Secure Doors by xaosflux · · Score: 5, Interesting

    Almost all of the "secure door" readers are actually very dumb, and will let basically any card with any kind of account number on the mag stripe open the door. I've opened them with gift cards and rewards cards. The doors are not normally networked to any sort of identification system. They are usually tied to a motion sensor and will not not open if someone is still in the enclosure, and will record the stripe data that is presented to them.

    1. Re:Secure Doors by Anonymous Coward · · Score: 2, Interesting

      I can confirm this. I've even used my NYC metro-card to open a door.

    2. Re:Secure Doors by Anonymous Coward · · Score: 0

      So they're great for installing skimmers in them?

    3. Re:Secure Doors by Anonymous Coward · · Score: 1

      I used to work IT at a bank. I usually used my library card to open the doors.

    4. Re:Secure Doors by R3d+M3rcury · · Score: 1

      Agreed. My Student ID or pretty much anything with a magstripe worked fine.

  7. Department of redundancy department by Anonymous Coward · · Score: 0

    into the ATM along with their PIN number

    I always enter my PIN number into the ATM machine....

  8. Bosco by 93+Escort+Wagon · · Score: 1

    One limitation of the one-time code, though, is that it won't work on the secure doors that many branches have for non-business hours that require a customer to swipe an ATM or debit card to gain entry. Wells Fargo said those secure doors are found at a small percentage of branches, mostly in major metropolitan areas like New York City or Chicago.

    George, tell him your code. Shout out your code, man!

    --
    #DeleteChrome
    1. Re:Bosco by freeze128 · · Score: 1

      I was thinking more of the episode of Friends where Chandler was stuck in an ATM vestibule with a model during a blackout. It's ridiculous because the electronic locks should ALWAYS allow egress in the event of a power failure.

    2. Re:Bosco by Highdude702 · · Score: 1

      Youre thinking Hollywood. not NFPA.

  9. They're not the first. by tmshort · · Score: 4, Informative

    Bank of America already offers this

    http://promo.bankofamerica.com...

    1. Re:They're not the first. by ginoledesma · · Score: 2

      I've found this pretty useful. The person ahead of me had their card swallowed for whatever reason (maybe incorrect PIN entered one too many times), so using the contactless method was a relief.

      One limitation I've found is that Bank of America has restricted this to withdrawals only. To deposit cash or checks, you'd have to insert your ATM card still.

  10. Surprised it took So long by Anonymous Coward · · Score: 2, Informative

    In Poland it is available since 2015.

    NÃw probably over 90% of ATMs and 75% of account owners can use the feature.

    It is called BLIK.

    You can albo use ot at majority of stores , largest online Exchange as wellness as at Aliexpress

  11. Commonwealth Bank of Australia has had Cardless ca by feebz · · Score: 2

    Although I can only use my banks ATM for Cardless cash, there are ATMs available almost all the time. It's the only way I will withdraw cash (though there was once a month or 2 ago where I was forced till use card) cant be skimmed. There have been many times where I forgot my wallet but almost never my phone. A most excellent advancement in tech.

  12. Note to muggers by ThatsNotPudding · · Score: 2

    Try not to get too much blood on the victims' phone; it will degrade the signal.

  13. Re:As someone that's been waiting over 5 years for by Anonymous Coward · · Score: 0

    So I have to ask, why haven't you found another bank?

    I've had a working ATM/debit card from my small, local, 3-branch bank for twenty-five years.

  14. This is gonna be funny to watch. by Anonymous Coward · · Score: 0

    Any bets on how many months before this gets shut down?

  15. PIN by Anonymous Coward · · Score: 0

    Means "personal identification number" saying "PIN number" is idiotic.

    1. Re:PIN by Anonymous Coward · · Score: 0

      "Personal" isn't a useful modifier for identification -- how many time are you asked for your group identification number?

    2. Re:PIN by Enigma2175 · · Score: 1

      "Personal" isn't a useful modifier for identification -- how many time are you asked for your group identification number?

      Every time I go to a new doctor or dentist.

      --

      Enigma

  16. LOL wow. by Highdude702 · · Score: 4, Insightful

    So if I have control over your phone, I can tell the app, without you knowing to give me a code. While standing at an atm, and withdraw your money.. HAHA have you guys seen the security on cell phones lately?

    1. Re:LOL wow. by Anonymous Coward · · Score: 1

      Why is this at the bottom of the comments list? For shit's sake /. ....

      For those of you who think that's not possible, malware could just as easily wait for the compromised phone to get near the reader, determine it's a financial transaction, (if it's got root, it could even read the data before it's sent out), and then send the proper (fraudulent) transaction command to the ATM, while presenting the user an on screen error, telling them to try their transaction again. (Ten bucks says people will fall for it. I'll take my money from your now compromised bank account BTW.) Have fun trying to train people not to perform the second transaction, or to check their statements / transaction history first. (You better hope the latter doesn't require the phone's authorization...) Also, I hope your bank doesn't allow setting up automatic payment authorizations via the ATM.

      Of course there's also the idea of making all transactions traceable. What better way to do that, than to require the use of a traceable, always on, always with you device to perform the transaction?

      This "phone as a wallet" (PaaW) thing is getting out of hand. Once this becomes a common enough target to be on a criminal's radar, it's going to end badly. Not just for your wallet, but your own safety as well. That malware research doesn't just benefit the thieves looking to steal your money you know. It also benefits anyone who wants access to your personal data. (Pictures, contacts, email, etc.) Making such devices even more multifunctional only increases their value to criminals.

    2. Re:LOL wow. by Anonymous Coward · · Score: 0

      Instead of seeing it as a negative, see the positive. You could set up an account with a certain amount of money in it, have someone send you Bitcoin, and send them the one time code to access the money! Wow!!!

    3. Re:LOL wow. by Xarius · · Score: 1

      You'd need to pass the app's security too. If you're able to do that then yeah, you're right you can go to an ATM and withdraw the money.

      You can also do anything else you want with the bank account.

      If someone has rooted your phone and has your online banking credentials, this ATM scheme is the least of your problems.

      --
      C17H21NO4
    4. Re:LOL wow. by Anonymous Coward · · Score: 0

      You'd need to pass the app's security too. If you're able to do that then yeah, you're right you can go to an ATM and withdraw the money.

      They should offer a card-reading dongle so that only someone with a valid ATM card can use the app.

    5. Re:LOL wow. by Pubstar · · Score: 1

      Something tells me you're new here.

    6. Re:LOL wow. by Highdude702 · · Score: 1

      Because in this situation the NEGATIVE is far more important than the little bit of positive.

    7. Re:LOL wow. by Highdude702 · · Score: 1

      Once i have as i previously said "control over your phone" Also known as a Root, that apps security answers to me not the other way around.

    8. Re:LOL wow. by Highdude702 · · Score: 1

      I find it hilarious. I'm kind of sad I decided to change my life and go legal completely. I would have a lot more money to build Ryzen pc's with lol. Now is ripe time to learn hacking if you don't already know it.

    9. Re:LOL wow. by Gussington · · Score: 1

      So if I have control over your phone, I can tell the app, without you knowing to give me a code. While standing at an atm, and withdraw your money.. HAHA have you guys seen the security on cell phones lately?

      Phone app needs PIN, Card needs PIN. I'll leave this space below for you to explain how this is any less secure:

    10. Re:LOL wow. by Highdude702 · · Score: 1

      exploit in phone app. no pin needed. have you ever heard of auth bypass?

    11. Re:LOL wow. by Gussington · · Score: 1

      exploit in phone app. no pin needed. have you ever heard of auth bypass?

      The App has it's own PIN, it isn't the phone PIN. And even if you manage to bypass that somehow, you also need your account PIN at the ATM along with the 8 digit code, ie 2FA. You know someone has actually thought about this before you came along...

    12. Re:LOL wow. by Highdude702 · · Score: 1

      2FA isn't as secure as you would think. And you already know people's phone app pin will be the same as the card pin. Comes back to people are lazy. If phone pin can be in any way extracted from the 2FA app(think steam) it's insecure. And chances are it can be extracted with skill.

    13. Re:LOL wow. by Gussington · · Score: 1

      . And chances are it can be extracted with skill.

      Of course with enough skill you can do almost anything. But part of the game is making it not worth the effort.
      We've had this feature here for years without issue. The limit for withdrawal from memory is $200. Why would anyone sufficiently skilled bother risking jail for $200 when they can earn that much in an hour with a legit job?

  17. No phone, no cash? by Zemran · · Score: 2

    As long as the old system continues to work it will be fine but if this is made standard I would have to find a different bank as I am not going to go back to using a smart phone. I rely on my phone too much to endure the ridiculously short battery life on smart phones so I would be forced to choose between my work and the ATM system.

    --
    I love stacking my barbecues in the shed at the end of summer - you can't beat a bit of grill on grill action.
  18. Don't forget Wells Fargo's criminal behavior by Required+Snark · · Score: 2
    Wells Fargo is in a steep decline right now due to it's recent credit card scandal. They were caught pressuring clients to get too many credit cards and even opening fraudulent account without customer's consent. Besides big financial penalties their new credit card applications are down %55.

    So take this with a grain of salt. It is part of a new advertising push to help shore up their image and recover from their self imposed failure. It's not about innovation as much as it is about trying to erase the past.

    --
    Why is Snark Required?
  19. So by Impy+the+Impiuos+Imp · · Score: 2

    So, instead of popping in a card and 4 digit pin, I have to fumble around with an app then punch in a clumsy, 8-digit ramdom code I will have to mentally triple-check?

    Might I suggest "The Inmates Are Running The Asylum"?

    To borrow from the book, bank card + computer = computer

    --
    (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
    1. Re:So by Gussington · · Score: 1

      So, instead of popping in a card and 4 digit pin, I have to fumble around with an app then punch in a clumsy, 8-digit ramdom code I will have to mentally triple-check?

      If it makes you feel better, we've had this in my country for years and the sky didn't fall on anyone's head. It merely offers another way of accessing cash. You can still use your card if you prefer.
      An example of how this is beneficial to some people some time I had this very day today. My teenager daughter broke her phone and needed $100 to get it fixed. Rather than wait for me to get home from work and take her down to the nearest mall to see a phone repair shop, I sent her a code which she could use at the nearest ATM, get the cash and get her phone fixed herself.
      Another time I was at the shops and noticed my wallet wasn't in my pocket (I later found out it fell out of my pocket in the car and was still there). I needed some money so used the app on my phone to generate a code, get cash and carry on.
      So yeah, it might not be for you, but some people find new ways of accessing their money more convenient.

  20. SHORT Wells Fargo stock NOW!! by laurencetux · · Score: 1

    given the combo of WF being crooked and the many hacks on cell phones now a days i would give this about 45 days after 75% of the atms are upgraded before there is a massive breach (and a couple Giga-Bucks go "missing")

    1. Re:SHORT Wells Fargo stock NOW!! by Gussington · · Score: 1

      given the combo of WF being crooked and the many hacks on cell phones now a days i would give this about 45 days after 75% of the atms are upgraded before there is a massive breach (and a couple Giga-Bucks go "missing")

      Panic! Be Afraid! Fear!
      Hate to burst your bubble, this is old tech commonly used in other countries without the catastrophe you anticipate.

    2. Re:SHORT Wells Fargo stock NOW!! by laurencetux · · Score: 1

      yes and even if they literally had access to a set of printed manuals and a Senior Tech they still will muck it up somehow.

      Wells Fargo could not pour sand out of their boots securely even if instructions were printed on the heels of said boots.

      Just ask any Older Winston Salem residents about Wacovia and what they did to the city (and then got bought out to Double Down on the Derp).

  21. Been around in South Africa for almost a decade by NakNak · · Score: 2

    Sometimes we forget how medieval the US banking system is. Then something like this comes around.

    Every major bank in South Africa has offered cardless ATM services for so long I can't even say for sure when the last one came online. But the first seems to have been by 2008 at the latest.

    I use it at least once a month to pay a casual worker who has no bank account. It has also saved my bacon when I forgot my wallet (but not cellphone with banking app) at home. And I've employed it twice when I suspected card skimmers had been attached to the ATM I wanted to use.

    Never had any hassle with it. Never heard of any either.

    1. Re:Been around in South Africa for almost a decade by Gussington · · Score: 1

      Sometimes we forget how medieval the US banking system is. Then something like this comes around.

      These stories are quite frequent here, and generally have the same responses.
      We've also had this for years. I wonder how such an advanced economy like the US can have such backwards banking tech.

  22. Meh.. by Anonymous Coward · · Score: 0

    But they still rely on / require the use of clearXchange to send money to another WF customer, i.e. you cannot transfer funds to another account that is not yours. BOA (and others) allows this.

  23. Wells Fargo ATM swap by emil · · Score: 1

    All the Wells Fargo ATMs in my city were recently swapped with flush card slots. There is no protrusion from the slot, and anything mounted over it would be immediately noticed.

  24. Bank of America started that conversion last year by digitalFlack · · Score: 1

    Since Summer of 2016, I've been using my iPhone Apple Wallet at Bank of America ATMs in the San Francisco/Silicon Valley area and Chicago. January road trip between Buffalo, NY and El Paso Tx, (don't ask) I used it a few times also, but don't remember the cities.

    I don't carry an ATM card anymore, even for back up.

  25. pre-authorized plan? by Anonymous Coward · · Score: 0

    No need to worry. You're probably already signed up anyway. Eventually, someone at WF, or the DoJ, will let you know that the account exists.