Barclays is trialling new cash machines that allow customers to make withdrawals via their smartphones.
The facility is limited to Android handsets, which trigger the money’s release via a “contactless” NFC (near-field communication) transmission.
The bank suggests the facility is more secure than slotting in a bank card as it avoids the risk of having the card’s details hijacked by a skimming machine.
But one security expert said there were still risks involved.
Barclays is not the first lender to allow customers to make cardless withdrawals.
Royal Bank of Scotland (RBS) introduced its Get Cash facility four years ago. It allows £130 to be taken out of an ATM by messaging the user a code via their smartphone that must be typed into the terminal.
But Barclays aims to simplify this further by just requiring the account holder to wave the handset near to the bank machine and type their normal Pin code into either one of the two devices.
Alternatively, a payment can be triggered by waving an NFC-enabled card close to the reader and typing in the Pin.
Apple devices cannot participate because the US firm limits the use of iPhones’ NFC chips for its own Apple Pay facility and does not allow third-party apps access.
Barclays is piloting the “contactless cash” service in the north of England at 180 branches ahead of a wider rollout in 2017.
The goal is, in part, to prevent criminals compromising or stealing card details, which typically occurs by one of three methods:
- Attaching a skimming device to an ATM to record details from entered cards’ magnetic stripes. The technique is often carried out in conjunction with the use of a miniature camera to record the Pin code being typed in for each one. The details can then be used to create cloned cards, which can be used in overseas ATMs that have yet to be upgraded to chip and pin technology, or to make online purchases via stores that do not require a CVV security code.
- Adding an entrapment device to a cash machine’s slot that stops the card being returned. The criminal fools the account owner into re-entering their Pin number. Once the victim leaves, the criminal removes the device, retrieves the card and then uses it with the recorded Pin to withdraw money.
- Engaging in distraction fraud, whereby the thief looks over the cardholder’s shoulder to see them enter their Pin and then distracts them or pickpockets their wallet to steal the card.
Last year, 92,670 UK accounts were defrauded because of the use of counterfeit cards and a further 152,727 accounts because of lost or stolen cards, according to Financial Fraud Action UK.
In many of the cases, it will have been the banks, rather than the cardholders, that will have borne the loss.
If adoption of the new system becomes widespread, such crime might be reduced. But one banking security expert said new types of theft might take their place.
“There could be malware on your phone, which is recording the Pin as it’s typed in – that would be a new risk,” commented Dr Steven Murdoch, a cybersecurity expert at University College London.
“The malware might also be able to copy your credentials from one phone to another, allowing the other handset to make a withdrawal.
“Barclays probably has defences against that, but those defences are unlikely to be perfect.”
Dr Murdoch noted that RBS had to temporarily halt its Get Cash scheme in October 2012 after it was compromised by a phishing campaign.
But a spokeswoman for Barclays played down the risks posed to its system.
“We have no higher priority than the protection of our customers,” she said.
“Our Mobile Banking app has the British Standard Institute Secure Digital Kitemark, which is subject to independent testing, to make sure customers’ financial and personal details are protected.”