Why Your Phone Will Be the Key to ATMs of the Future

In 2015, Citigroup Inc. began testing an ATM that would scan a customer's iris and make four-digit access codes obsolete. Two years on, Citi has quietly shelved the project.

Among the reasons: the cost and complexity of collecting and managing millions of customers' biometric data. A large database of biometric data is also particularly juicy target for hackers.

"If I steal your password, you make a new password," said George Avetisov, chief executive of HYPR Corp., a banking-technology startup. "But how do you make a new fingerprint?"

Perhaps as a response to that issue, banks are taking a different tack on collecting biometric data. They aim to use the information to replace personal-identification numbers and passwords, but are relying on customers to store and safeguard it themselves -- via their own smartphones.

Over the past year, lenders such as Wells Fargo & Co., J.P. Morgan Chase & Co. and Bank of America Corp. have started to roll out new ATMs that can link to customers' mobile devices. Customers will sign in through their phones, potentially using a fingerprint, and then transmit a code to the ATM.

Though this adds a step to the identification process, customers are nonetheless eager to ditch the numerous PINs and passwords needed for transactions. Mobile phones are also one device on which biometrics has worked, as about two billion units globally can use fingerprints, pictures of eyes and faces, and voice recognition, according to HYPR. Those tools are already widely used for signing in to mobile-banking applications.

Citigroup's apps, for example, use voice, face and fingerprint recognition, although the bank has yet to roll out cardless ATMs. As for the iris-reading ATMs, Citigroup has "reasons ranging from logistical to operational" for not pursuing them at this time, a spokesman said.

Other banks have shared similar difficulties with how to approach biometric data. A survey by the U.K.'s University of Oxford and Mastercard Inc. published in June found that while nine out of 10 bankers wanted to take advantage of biometrics, only about a third reported a good experience so far using the technology.

An added complication is that, unlike some other countries, the U.S. doesn't have national identification databases. In countries such as Chile, which does have such a database, banks could tap into it to enable customers to sign into an ATM with a fingerprint. So, banks in the U.S. are on their own to figure out how to record and store customers' biometric markers. That process adds extra steps, complexity and cost.

Meanwhile, the need for next-generation ATMs is urgent. For one, card fraud is rising despite new security measures such as chip-enabled cards. Fair Isaac Corp., a credit-data provider, has said it detected a 70% uptick in compromised cards being used at ATMs and merchants in 2016.

Though ATMs -- introduced 50 years ago -- might seem quaint in the mobile age, their usage remains strong, and banks are still investing in them. Last year, J.P. Morgan, for example, increased the number of ATMs it owns by 4%, even as it closed 3% of its branches. In January, Citigroup nearly doubled the size of its ATM network with a deal to add 30,000 locations at retailers.

In their quest to use smartphones for biometrics, banks are relying on processes that are already well established. A customer using a phone at an ATM would authenticate her identify, using, say, a fingerprint as is the case with Apple Inc.'s iPhone and Apple Pay.

The phone would then create an individual digital token and transmit that to the ATM. That would validate the transaction without revealing any underlying biometric data to the bank.

That means banks wouldn't have to protect treasure troves of genetic templates from hackers. This is because the biometric data would be stored on individual devices, not in a central location.

"With tokens, there's no use in attacking the bank server," said HYPR's Mr. Avetisov. Such digital tokens are already widely used in mobile-payment applications and they are also generated by the chips now embedded in most credit cards.

That approach does shift more of the security burden to the user. People must protect their phone from being imitated or hacked, and will have to be conscious of their phone's security measures. "Think of your phone as becoming like your house keys," Mr. Avetisov said. "But hackers want the biggest payoff and attacking one person is a more difficult and low-profit attack."

David Kuchenski, director of business development for design and new technology at Diebold Nixdorf Inc., which built the eye-reading ATM that Citigroup tested in 2015, said those units were a few years ahead of their time.

"People have gotten so used to biometrics on their phones," he said. "So banks are reutilizing what they learned about biometrics through mobile."

Last year, Wells Fargo was touting the potential for ATMs with biometric readers built into them in its annual investor presentation, among other biometric capabilities. This year, the same presentation featured biometric authentication on a mobile device. A spokeswoman said Wells Fargo has "no current plans" to implement biometrics at its ATMs.

Later this year and in 2018 Wells Fargo will enable customers to tap their phones at ATMs using apps such as Apple Pay and Android Pay, from Alphabet Inc.'s Google, which use a fingerprint for access.

But smartphones may pose a different risk for banks, by empowering tech companies to compete more directly with them, said Lex Sokolin, head of fintech strategy at Autonomous Research. Apple, for example, recently launched a mobile peer-to-peer money-transfer service that competes with banks' apps.

"If Apple and Google continue to gain share in the physical world, they will control authentication," Mr. Sokolin said.

--Emily Glazer contributed to this article.

Write to Telis Demos at telis.demos@wsj.com

(END) Dow Jones Newswires

July 09, 2017 07:14 ET (11:14 GMT)