Should ATMs finally adopt multi-factor authentication for security?

The recent hacking incidents involving ATMs have highlighted the need for industry to step up security for those teller machines, considering that the threat landscape including advanced persistent threats continue to expand its scope.

The most recent victim of ATM hacks could not assert enough how enhanced security is badly needed for the system, such as the thousands of Japanese ATMs which earlier this month lost $12.7 million to thieves who used counterfeit credit cards that abused stolen data from a South African bank’s legitimate cards.

Existing protection measures and risks for cardholders

In the United States, credit and debit cardholders have varied protections under the law against fraudulent charges. For example, if you are a credit card owner in the U.S. and your card was used in unwarranted transactions, you will not shoulder the charges made on your card if it is proven that a thief actually perpetrated the fraudulent transaction.

However, there is an exception that comes with it. If a card is used physically for purchases, the credit card owner will be responsible for as much as $50 of the transaction.

In the case of debit cards, the card owner must immediately report unauthorized charges or losses before the thief uses the card for fraudulent transactions in order to avoid shouldering the charges made through the card.

If in case the card owner reports a particular incident involving his or her card days after a transaction has been made, the charges he or she could bear may reach as high as $500 from $50, or even higher if it will take two months before an ATM fraud is reported to card issuers or authorities.

MasterCard and Visa are the two most widely used debit cards in the United States and in the entire world. The companies have different policies when it comes to evaluating whether a debit cardholder will be liable for the charges made on his or her card.

For instance, MasterCard implements a zero liability rule if a card owner, whose credit or debit card has been used fraudulently, maintains a clean record and has not reported fraud in the previous year. Also, the card holder must have practiced caution in handling a MasterCard card and the fraudulent transaction did not require a PIN. Otherwise, MasterCard will consider the charges, although fraudulent, as a result of negligence on the part of the card owner. The zero liability policy is not applicable to business and prepaid cards, however.

For Visa cards, a zero liability policy – which eliminates the $50 due and the two-day reporting requirement – is only possible to card holders in the United States alone, except for business cards and transactions involving ATMs and PIN.

Read also: The most popular PIN numbers to avoid

Multi-factor authentication could prevent ATM fraud

Time and again, ATMs have been proven weak in the face of threats. The vulnerabilities being targeted by ATM hackers lie in the magnetic stripe cards, a decades-old system that is susceptible to many spoofing attempts. In ATM fraud activities, the liability often is on the merchants rather than the card issuing companies themselves as in the past.

The payments industry has consequently moved toward smart chip-based cards. But due to diverse reasons, many territories and organizations struggle to adopt the smart chip-based payment system that is more secure than the magnetic stripe cards. As a result, the security of ATMs continue to be compromised.

Asia is probably the most laggard in terms of smart chip-based card adoption and in many Asian countries such as China, India, and Japan, the switch to that kind of payment system will likely take place next year.

But there are, nonetheless, other types of fraud that ATMs have been experiencing such as card-not-present fraud and cross-border fraud, which increase the risk for financial transactions made with these machines.

There is also an inherent problem with shifting the smart chip-based cards such as backwards compatibility with legacy magnetic stripe cards that some card users might be required to use. In order to address this problem, security experts suggest implementing a second factor, in which a confirmation code will be sent to a mobile device for further authentication.

Nowadays, you can no longer feel safe that your card data is safe because attackers are already selling a treasure trove of card information on the dark market. Fortunately, however, those pieces of information will not work unless a second factor is required, which will only be the case if a multi-factor authentication is finally implemented.

We can see that the scheme is proven to be effective among websites that already use a second factor verification. The significance of a two-factor authentication could not be emphasized enough, especially for protecting online accounts involving finances.

Luckily for some customers, there are some banks that already offer a two-step verification method such as Ally, Charles Schwab, Bank of America, Citibank, Chase, Discover, HSBC, and Capital One. Perhaps, one way to force other banks to follow suit is to not use their service as long as they do not implement multi-factor authentication.