Woman using ATM machine with smartphone
Courtesy of Fifth Third Bank

It’s only a matter of time before we’ll all be leaving home without our wallets.

Last year, Fifth Third and Chase became some of the latest banks to allow card-free ATM access. PNC added the technology at select terminals. And 3,500 credit unions were given the chance to turn members into cardless ATM users, too, through the CO-OP Financial Services network.

When combined with mobile wallets, cardless ATMs could make carrying plastic cards almost unnecessary. They already make withdrawing cash faster and more convenient. But recent incidents remind us that no solution is completely foolproof. Card-free ATMs still leave consumers somewhat vulnerable to hackers and thieves.

“The security aspect hasn’t been fully thought through,” says Mike Byrnes, a product marketing manager at Entrust Datacard.

A safer way to grab cash?

Using cardless ATMs is considered to be safer than using a physical debit card to withdraw cash. They eliminate the risk of lost or stolen cards and remove the threat of card skimming, the biggest type of fraud associated with ATMs, says Thiago Musa, a security specialist who formerly led the delivery threat intelligence team at Trustwave.

But scammers have gotten more clever.

Not long after Fifth Third Bank started offering card-free ATM access, fraudsters reportedly stole more than $106,000 through a phishing scam. Customers who thought they had received a text message from Fifth Third were tricked into visiting a fake website that looked like it was run by the bank. Thinking they needed to unlock their accounts, victims provided personal information that was stolen and used to initiate cardless ATM transactions.

“Unfortunately, it is possible to commit fraud with respect to many bank products,” said a spokesperson for Fifth Third Bank. “Cardless ATM access is a relatively new service. Just as we experience a low level of fraud with card access to ATMs, we have experienced some fraud associated with cardless ATM access.”

The bank spokesperson added that customers should watch out for suspicious phishing attempts. Fifth Third never sends out texts, emails or voice messages asking for sensitive information like passwords, Social Security numbers or account numbers.

Other security concerns

Account takeover attacks have also been an issue for banks rolling out cardless ATMs. In a widely reported incident involving Chase Bank, a woman discovered that thieves had stolen her username and password, added a phone number to her account and used a cardless ATM to withdraw money they transferred from her savings account to her checking account.

“The fraudster can add their own phone number to a specific bank account and authenticate as being that person,” Musa says. “So I think there are challenges, but if well and correctly implemented, the cardless ATMs can be more secure than regular ATMs.”

Not all banks have taken the right steps to protect cardless ATM users from becoming victims of fraud. Beyond just offering cardless ATMs, financial institutions have to make sure there’s a good security authentication solution in place, says Byrnes from Entrust Datacard.

But change isn’t easy. Neither is having to potentially purchase new technology to replace an outdated identity verification system.

“There’s this constant tension within a bank between rolling out better consumer services and balancing that with security and risk management,” Byrnes says.

Onus on the consumer

With cardless ATMs, a lot of concerns center on mobile security, says Ed O’Brien, director of research at ARC Advisory Group. Having the right “digital banking hygiene,” he says, is key.

“The onus is on us to make sure we are in a secure and known network or location and that our mobile devices are up to date,” O’Brien says.

Consumers using cardless ATMs should frequently change banking usernames and passwords. Biometric authentication via a fingerprint scan, for example, should be enabled if it’s available. That along with multi-factor authentication — or the use of multiple methods to verify your identity — should help prevent strangers from getting into your online bank account and making changes.

You can also sign up for security alerts. That way, you get a notification for certain actions, like an updated password or an ATM withdrawal that exceeds a set limit. Pay attention to your bank’s recommendations, and don’t be afraid to speak up if you have questions related to security.

And of course, if you’re planning to use your phone to withdraw cash, make sure it doesn’t die before you get there.

A dead phone shouldn’t leave you in a bad spot, but check with your bank in advance to see what could happen. For example, according to Wells Fargo, if you request a one-time access code through your banking app to use at a cardless ATM, you’ll have 30 minutes to use it before it expires. If your phone dies and you need to stop and charge it, you can request a new code later.

Learn more: