A bank in South Africa recently announced the “breaking news” that a PIN to withdraw cash from an ATM can be sent via SMS to cell phones. Bank cards are not needed in the transaction.
First National Bank (FNB) today announced its latest innovation – a Cash Withdrawal solution using Cellphone Banking. A first in South Africa, Cash Withdrawal will allow FNB Cellphone Banking customers to withdraw cash directly from their FNB transactional account at an FNB ATM without the use of any bank cards.
The bank card is something you have and the PIN you registered with the bank is something you know. Here are some thoughts on how a cell phone compares.
The cell phone is also something you have, but it is better than a card because you probably constantly know its whereabouts. FNB says their customers come into the bank for cash because they have forgotten their wallet at home. Apparently they always have their phone. Imagine a customer walking up to a teller and saying “My name is X and my account is Y but I have forgotten my wallet”; at which point the teller would pick up the phone and dial for X. If the customer’s pocket starts ringing, the teller would continue the transaction. The disadvantage is that phones tend to be fragile and have spotty service. I suspect service will not be an issue at the ATM location because many ATMs are now being deployed with cellular capability instead of POTS (plain old telephone service).
A PIN sent to the phone is something you know. It is better than the card PIN because it can be pushed (to something you have) by the bank and is therefore easily updated. The disadvantage is that phones can end up in multi-user environments yet lack even the most basic multi-user protections. That is probably why the FNB PIN is only valid for 30 seconds: even if someone were to find an SMS with a PIN on a phone, it would very quickly have become invalid. It is also why you may be able to specify that the PIN only be sent by voice (Interactive Voice Response – IVR). I wonder if the bank also revokes used PINs so they are never valid again.
Another disadvantage is that, although you no longer have to register a PIN with the bank, you now have to register a phone number with it. If the bank does not properly secure the process for registering a number, or you do not keep your registered numbers up to date, an attacker can prompt the bank to send the PIN to them instead and withdraw cash from your account. Phones are easy to clone and tap, so an attacker could wait at another ATM for a PIN to be sent. The bulletin also mentions logging in to Cellphone Banking from the phone to request a PIN for cash withdrawal. This raises the question of communication security between the phone and the Cellphone Banking interface, as well as protection against account-recovery fraud and social engineering. Compared with the bank card, several new threats may appear because of the login requirement and PIN request, including remote or hidden attacks.
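To make the two preceding points concrete (the 30-second validity window, the open question of revoking used PINs, and the sensitivity of the registered phone number), here is an added example of how a bank-side issuing service could enforce them. It is my own illustration, not FNB's implementation: the 30-second TTL comes from the announcement, while the three-attempt lockout, the account and phone values, and the method names are assumptions.

```python
import hashlib
import hmac
import secrets
from types import SimpleNamespace

PIN_TTL_SECONDS = 30  # validity window FNB states for the SMS PIN
MAX_ATTEMPTS = 3      # wrong entries allowed before the PIN is burned (assumed policy)


class WithdrawalPinService:
    def __init__(self, ttl=PIN_TTL_SECONDS):
        self.ttl = ttl
        self.phones = {}  # account -> registered phone number (the "something you have")
        self.pins = {}    # account -> live PIN record; at most one per account

    @staticmethod
    def _hash(account, pin):
        # Store only a hash bound to the account, never the PIN itself.
        return hashlib.sha256(f"{account}:{pin}".encode()).digest()

    def register_phone(self, account, phone):
        # Changing the delivery number is security-sensitive: void any pending PIN.
        self.phones[account] = phone
        self.pins.pop(account, None)

    def issue(self, account, now):
        # Returns (phone, pin) for the SMS/IVR gateway; the PIN goes only to the registered number.
        phone = self.phones[account]
        pin = f"{secrets.randbelow(10**6):06d}"
        self.pins[account] = SimpleNamespace(
            pin_hash=self._hash(account, pin), issued_at=now, attempts=0, used=False)
        return phone, pin

    def redeem(self, account, pin, now):
        rec = self.pins.get(account)
        if rec is None:
            return "no_pin"
        if rec.used:
            return "already_used"  # a replayed SMS PIN is rejected
        if now - rec.issued_at > self.ttl:
            del self.pins[account]
            return "expired"
        if not hmac.compare_digest(rec.pin_hash, self._hash(account, pin)):
            rec.attempts += 1
            if rec.attempts >= MAX_ATTEMPTS:
                del self.pins[account]  # burn it rather than permit guessing
            return "mismatch"
        rec.used = True
        return "ok"
```

The `now` parameter is passed in explicitly so the expiry behaviour can be exercised deterministically; a real deployment would take the clock from the bank's own time source, not the ATM.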
Some may take comfort in knowing that the concept of ATM withdrawals with a cell phone is not new.
In 2001, NCR announced its Freedom concept, demonstrating the use of a mobile phone or personal digital assistant to obtain cash from a futuristic egg shaped ATM. With the Freedom concept, mobile devices would replace the magnetic-stripe cards in a consumer’s pocket.
This system differs from many of the original ideas because the phone does not communicate directly with the ATM but instead replaces the bank card as an authentication factor. It sounds like a good idea, and it is less revolutionary than a direct connection, but it also introduces many new risks.