Thursday, October 10, 2013

Debunking the False Security of Cardless ATMs

According to CNN, FIS financial services is launching a new way for customers to access cash without an ATM card or debit card. This technology has been piloted by three banks in the recent months using a mobile application called “Cardless Cash Access”, and is slated for widespread implementation by mid-2014. They claim it is safer than using an ATM card. First, lets review the process described there to withdraw from an ATM without the use of a card:

  1. Log into an application on your mobile device that interacts with your bank
  2. Place an order for your cash
  3. Upon arrival to the ATM, use the application to scan a code on the ATM to prove you are physically there
  4. The ATM sees that you are there and relinquishes the requested cash

This methodology was reviewed by Mary Monahan of Javelin Strategies & Research, and she labeled it as more secure than traditional ATM cards for the following reasons:

  • Because there is no card, there can be no “card skimming”
  • In the event your phone is stolen, the application still needs additional log-in information and PIN information

A card skimmer is a small hardware device that can be inserted into an ATM to record the information on the ATM card when it is inserted into the machine. Her full analysis of FIS' program, “Cardless Cash Access”, is behind a pay gate; I wasn't about actually pay money for something that should be completely free information. Besides, she's wrong.

Construction of an ATM “card skimmer” is difficult, and placing one is risky to any potential attacker. Retrieving one could be even riskier. I'd argue that this technology is even less safe than online banking. Online banking can be unsafe due to the fact that malware and software viruses can record information on a victim's computer, allowing criminals access to bank accounts; however, the criminals in question have to jump through many hoops to actually turn this online access into cash that they can use. Usually they lose some of the money in the process, and there's a trail leading back to them. To avoid this they use scams to trick yet more victims into withdrawing and depositing the cash for them, usually with something like western union, so that transactions cant be “charged back” or otherwise tracked back to the criminal.

With the advent of mobile malware, I've uncovered a hypothetical way that criminals could cause much more severe damage. Similar to computers, mobile phones can be vulnerable to keylogging attacks. A keylogger is a piece of software that allows an attacker to record the buttons pressed on a keyboard, or in this case, the software keyboard on a smart phone. Smart phone keyloggers already exist, and are nothing new. Also similar to computers, proxy software can be installed on a mobile phone. Proxy software is software that allows a user to use a computer or mobile device to make it look like they are coming from the device the proxy is on, as opposed to their real location.

So what relevance does this have to “Cardless Cash Access”? Its simple, really. An attacker could create a piece of malware that infects a person's smart phone with both a proxy and a keylogger. From there, he could record the information entered into the application. After that, it would be trivial to install the application on his own mobile device, log in, request cash, and scan the ATM code. Suppose for a moment that this didn't work, for whatever reason (like the application being locked on a per-user basis to a particular phone). At this point, the attacker could use a proxy in the malware to impersonate the victim's phone, upload the scanned key to the application from the victim's phone, resulting in the ATM dispensing the cash anyway. Not only does this make it easier for cybercriminals to access the data required without physical intervention, it also makes it easier for a criminal to turn his access directly into cash without using a scam or jumping through the various hoops required while using a skimmer. There is also much less risk involved to the criminal. To hide his or her identity and “cash out”, the criminal only need bring a can of black spray paint to the ATM camera.

I talked with a mobile malware analyst, Matt McDevitt, to get an idea of how easy it would be for a malware author to write such a virus, and to determine the likelihood of such an attack. He responded saying that it would be incredibly easy for a malware author to write and deliver such a virus, and that the likelihood of such a virus being written is extreme. He further went on to say, "another [malicious] provider could come out with a trojanized version of this application". What he means here is that someone could unpack the "Cardless Cash Access" application, backdoor it, and then pack it back up for shipping to unsuspecting users. There is also the risk of a supply chain attack, which is by far more sophisticated, but not impossible. Supply chain attacks are used by some of the world's brightest computer criminals. If the master copy of "Cardless Cash Access" to be distributed to all of the end users were to be compromised, the entire financial grid could become at risk.

I was able to come up with several ideas for making this model more secure, however they all involve more “big brother” type things. For example, a thumbprint scanner at the ATM could work just as well, or using the cellular GPRS data to confirm that the user is actually physically in the same cellular grid that the ATM was located in would be a good start. However, many privacy advocates (including myself) prefer disabling GPRS and dislike giving their thumbprint to machines.

Moving on, there is another feasibility problem with the “Cardless Cash Access” program. Sometimes there are cellular connectivity problems in the areas ATM's are located in. To address this, FIS has proposed an “offline mode” that would allow usage of the application on the phone regardless of connectivity problems. This is nothing but an opening for “replay” attacks in which an attacker could record the data from an “offline mode” transaction and “replay” the data into an ATM, making it dispense the cash.

In conclusion, this cardless ATM methodology removes much of the risk of getting caught from criminals intent on stealing money. While Mary Monahan is quoted as saying, "The phone is becoming a security blanket; the more you can do with it, the better,”; attackers have been using mobile devices as a proverbial malware playground. With mobile malware on the rise, the less control a phone has over your real life, the better.


  1. Perhaps we should consider also the 'FREE WIFI' vector, in which we grant free internet access to users near banks.

  2. I'm not quite sure how Ms. Monahan is qualified to be doing security analysis of hardware or software. Her bio can be found on Javelin's website:,jvs-detail

  3. Note that the Paydiant mobile platform that this uses has received the appSecure certification from viaForensics. Banking through a smartphone (which can include GPS coordinates) can be much safer than through a card-for one thing, most people quickly notice when their phone is missing, and are much less likely to notice a credit card missing, because many people have multiple cards. Additionally, the app is secured by a PIN (yes, mobile keyloggers can get the PIN, but there are actually very few in existence so far-and they require active participation vs. passive as is found online). Obviously any protocol can be broken but the likelihood is much lower. With an app, you can also wipe the phone-and if the phone is protected by a PIN, then two PINs must be broken to use the app. A plastic card cannot be wiped...and for offline merchants, it can't even be blocked.

    1. A plastic card can certainly be wiped. Rub the magstrip with a nickel. I'm not sure what an AppSecure Certification from viaForensics sounds like, but it sounds like some other "HACKER SAFE" certification that is equally worthless. The point of the article was to demonstrate that no one needs to steal your phone to do this, hence, there is no point in arguing that people notice when their phone is missing. Your assertion that two pins must be broken relies on a premise that the attacker has physical access to the device, a premise that this article has nothing to do with.

      In my opinion, it would be by far safer to use a card and verify it from a phone. For example, AMEX has recently introduced a feature which sends users a small question after a purchase like "Did you just purchase something at [store name]?" with a Yes/No/Call AMEX response. This is much safer than relying on a single device in any capacity.

    2. I'd also like to point out that just because you don't know of a keylogger that is passive doesn't mean that one doesn't exist. In fact, you are dealing with programmers, so I'll skip straight to the point: it would be trivial for someone with actual malice to write such a keylogger. Go learn to program, then maybe (just maybe) you'll be qualified to even say this sort of thing.