NFC on an ATM: a small educational program



People still insert their cards at ATMs, even though contactless service has advantages over the usual method. I will briefly go over the history of the issue.

In 2017, we began introducing NFC at ATMs. Back then we had a large fleet of ATMs where you couldn’t swipe your card. It was decided to keep user habits consistent, and we began to equip our fleet of ATMs with NFC modules. That is, we did not install new ATMs and gradually replace the old ones as they depreciated; instead, we took almost all existing models and added NFC to them.

From the first days it became clear that user habits take a long time to break, and that it would take many more years for people to gradually lose the habit of inserting a card.

How to use an NFC card at an ATM?

If you can pay contactlessly in a store or cafe, then you can do the same at an ATM. In our case, you start the session by tapping a card or device (there is a corresponding prompt on the ATM's waiting screen) and entering a PIN code; the main screen then opens with the context of the current bank client.

This screen collects typical operations that the client often does: withdrawing usual amounts of cash, paying for kindergarten or a loan, and so on. Improving the ATM interface is quite an interesting story, and I know that this was important for Habr several years ago. We constantly introduce new features into the interface, anticipating client requests. Moreover, these could be such small details as reducing steps within operations. It's not immediately noticeable, but it significantly improves the user experience.

Now, with contactless service, the card must be applied to the ATM twice: the first time when authorizing, the second time when confirming the operation.

Why do you need confirmation?

If a client logs in but leaves before completing a transaction, a third party will not be able to take any action with his accounts. To confirm the operation, you need to tap the card or gadget again.

How many ATMs have NFC?

We have the widest network of ATMs in Russia - about 71 thousand devices, 95% of which are equipped with NFC.

All new cards issued by SberBank are contactless.

Is it possible to hold a watch or phone to the ATM, as when paying?

Yes. If you issued a separate certificate for your NFC chip (that is, you linked the card and the NFC chip) and can pay with it in a store, the same applies to an ATM. You don’t have to take the card with you at all: all operations, including cash withdrawals and deposits at ATMs, can be done using your smartphone.

Do I need to enter a PIN code when using NFC?

Yes.

From the point of view of the ATM software, NFC authentication is no different from authentication by inserting a card. Architecturally, for an ATM, the card reader is a “black box” that provides authentication data. When modifying ATMs and creating new ones, we expand the capabilities of the card reader. In simple terms, this can be described as connecting another input device with a small integration device. That is, the card reader ultimately receives the same data as when reading the card chip. All operations that require a PIN code when you insert a card also require a PIN code when you tap it.

How does NFC work in ATMs?

The first bank cards were simply “rolled” by imprinters, which is why they have three-dimensional numbers. This payment system still operates as a backup system in some US stores in case of power outages. It is similar to writing a bank check from a checkbook, which was once very common in the West, but almost never caught on in the USSR and Russia. The level of security was ensured by monitoring contracts with the bank and the police.

The next stage of evolution is the magnetic stripe of the card, which essentially contains a fairly simple method of protection. There are still terminals and ATMs in the world that only read the magnetic stripe. By the way, the stripe can be read by a skimmer, but more on that later.

After the stripe came the chips (this is what the bank card is authorized through now). You see approximately similar chips on SIM cards. This is a full-fledged computer without its own clock generator (the clock comes, along with power, from the host device). The main function of the chip is to contain an internal storage where a certificate is located that allows one-time keys to be generated. When you tap or insert a card at SberBank ATMs, you work with a chip, not a magnetic stripe.

So what about skimmers?

Fraudsters can install a reader next to the card reader. Sber uses anti-skimming equipment, which is designed taking into account various scenarios used by scammers to deceive clients. Additionally, other technical methods are used, including ATM self-testing, notifications about the correct appearance, panels that make it difficult to install external devices, and so on. For example, the card enters the device slowly, as oscillatory movements are made to prevent data from being read from the magnetic stripe. This is done on all our ATMs, but this does not mean that this is done on all ATMs of all banks. Therefore, a universal recipe: if possible, use NFC.

Why we recommend using NFC



The NFC module uses the EMV standard. EMV (Europay + MasterCard + VISA) is an international standard for transactions using bank cards with a chip. This standard was originally developed jointly by Europay, MasterCard and VISA to improve the security of financial transactions. The EMV standard defines the physical, electronic and information interaction between a bank card and a payment terminal for financial transactions. During a contactless session, algorithms similar to a contact session are used, the only differences being in the method of transmitting information. For example, if a connection is lost in the middle of a transaction, the kernel has a Recovery functionality, which guarantees high reliability of operations.

So, get into the habit of tapping your card at the ATM. As I said above, our technologies equally protect the client who inserts the card and the client who applies it. But contactless technology has a significant advantage: you definitely won’t forget the card in the device.

How many people forget their card at an ATM?

More than it seems. This is not something out of the ordinary, but a standard feature of an ATM. A forgotten card is pulled back into the ATM; you will then need to re-issue it or, if this happened at a bank office, go with your passport to an employee so that he can get it from the ATM.

With the use of NFC over the course of a year (from October 2019 to October 2020), the number of cards left at an ATM was reduced by more than half.

And the PIN code - is it transmitted securely?

This has nothing to do with NFC, but I will still say that the keyboard on which you enter the PIN code encrypts it. Encryption ensures that the entered PIN code will not appear anywhere. In this case, the operation itself is encrypted with keys, and no information is stored in the ATM. Instead, it goes through secure communication channels directly to the bank and is then verified for authenticity. Everything happens in real time. It is important to note here that this information is not stored anywhere and is inaccessible even to bank employees.

What do bank clients themselves say?

We conducted a survey. The results are:
  • A lot of customers simply do not know about NFC technology and where it is used. In particular, that their card already supports NFC.
  • Those who know about NFC, but do not use it anywhere, are accustomed to inserting a card and do not plan to change much in the typical way of working with an ATM. “I’m used to it,” “It’s more convenient for me.”
  • Customers prefer to perform fewer actions, so they actively use NFC to pay for purchases, but for some reason they do not use it at ATMs. Yet contactless service is safe in terms of hygiene and protection from viruses as well as the safety of your data, and this way you won’t forget the card in the device. “I didn’t know I had a contactless card” was a common answer.

I’ll say it again: it’s better to tap a card/gadget, because it’s at least more convenient and safer.

How common is NFC technology in Europe?

Not very. Russia is a leading country in terms of IT level in banking. That is, what we have will be in Europe in a year or two. Here's a recent post about trends during the pandemic.

I have a question…

Ask in the comments, but please note that ATMs are a topic with very strict restrictions on what I can cover due to security requirements, so answers will be slow and may not answer every question.
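
An added example (not part of the original post and not Sber's code) modelling the points above about the chip's one-time values, the second confirmation tap and static stripe data. HMAC-SHA256 stands in for the real EMV cryptogram; binding the confirmation tap to the operation amount, the class names, and the card number, key and track data are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets


def _mac(key, pan, amount, atc, nonce):
    # Simplified stand-in for a chip cryptogram (assumption: not the EMV algorithm).
    msg = f"{pan}|{amount}|{atc}|".encode() + nonce
    return hmac.new(key, msg, hashlib.sha256).digest()


class ChipCard:
    """Toy chip: the key never leaves the card; the counter grows on every tap."""

    def __init__(self, pan, key):
        self.pan, self._key, self.atc = pan, key, 0

    def tap(self, amount, nonce):
        self.atc += 1
        return self.atc, _mac(self._key, self.pan, amount, self.atc, nonce)


class Issuer:
    def __init__(self, pan, key, track):
        self.pan, self._key, self._track, self.last_atc = pan, key, track, 0

    def verify_tap(self, amount, nonce, atc, mac):
        if atc <= self.last_atc:  # counter value already used: replay
            return False
        if not hmac.compare_digest(_mac(self._key, self.pan, amount, atc, nonce), mac):
            return False
        self.last_atc = atc
        return True

    def verify_stripe(self, track):
        # Static data: nothing distinguishes the original from a copy.
        return hmac.compare_digest(self._track, track)


def demo():
    # Constructed sample values, not real card data.
    pan, key, track = "0000000000000000", secrets.token_bytes(32), b"constructed-track"
    card, bank = ChipCard(pan, key), Issuer(pan, key, track)
    n1 = secrets.token_bytes(4)
    login = card.tap(0, n1)                      # first tap opens the session
    r = {"login": bank.verify_tap(0, n1, *login)}
    n2 = secrets.token_bytes(4)                  # the ATM picks a fresh nonce per step
    r["login_reused_for_withdrawal"] = bank.verify_tap(5000, n2, *login)
    r["forged_counter"] = bank.verify_tap(5000, n2, login[0] + 1, login[1])
    confirm = card.tap(5000, n2)                 # second tap by the cardholder
    r["confirm"] = bank.verify_tap(5000, n2, *confirm)
    r["confirm_replayed"] = bank.verify_tap(5000, n2, *confirm)
    r["stripe_copy"] = bank.verify_stripe(bytes(track))
    return r
```

Only the two taps made with the card itself verify; the copied stripe data verifies as well, which is the weakness the anti-skimming measures have to compensate for.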
 
Hello, what software should be used to create NFC cards?
 