Consumers have been able to withdraw cash from ATMs without using their debit cards for several years, a convenient option, especially if they don’t have a card with them.
If you have your smartphone with you, then leaving your card or wallet behind is no longer an issue. At some ATMs, you just need your phone to get cash for purchases or tips.
Dan Rosenbaum has been using his Apple Watch to receive cash for more than a year at Chase ATMs because it is more convenient.
“I don’t have to fumble in my wallet for the card or take out my wallet on the street at all to work the door buzzer,” says the New York-based freelance writer.
Even though Wells Fargo requires consumers to tap the withdrawal amount on the ATM, Tim Maliyil, CEO of Las Vegas-based cybersecurity services firm AlertBoot, prefers this cardless option rather than using his debit card.
“I do find this whole process to be as secure as using the card as long as access to your respective phone is secure with a password and biometrics,” he says.
How Do Cardless ATMs Work?
Cardless ATMs operate by using either the bank’s app or another option such as Apple Pay, Google Pay or Samsung Pay. Bank apps will send consumers a numerical code to plug into the ATM or a code you scan on an ATM. Contactless payment providers such as Apple Pay and Google Pay use near-field communication, where you hold your phone close to the ATM and access the bank account you have linked to the app.
Some banks will even allow you to schedule a withdrawal in advance. Chase provides the option through the bank’s mobile app. Consumers can choose the amount before they arrive at the ATM, which can save them time. After scheduling the ATM withdrawal, consumers have 24 hours to get their money in one step after entering their ATM PIN.
Cardless ATM access gives consumers the same options they would have with a physical card – the same types of transactions and the same withdrawal limits.
Where Can You Use Your Phone at an ATM?
Chase, Bank of America, PNC, Wells Fargo and most major banks have provided this option, also called cardless ATMs, for several years. Bank of America launched this service in 2016, while Chase added cardless ATM access in 2018.
Bank of America requires consumers to link their bank accounts to a digital wallet, including Apple Pay, Samsung Pay, Google Pay, Fitbit Pay, Garmin Pay and PayPal.
A report from Research and Markets says the cardless ATM market was valued at $2 billion in 2021 and is estimated to reach $5.2 billion by 2031, growing at a compound annual growth rate of 10.6% from 2022 to 2031.
Consumers who want to use their phone at an ATM may need to do so via the bank’s mobile app since not all banks have touchless options. For example, PNC customers sign into the app and select ATM access. The customer gets an eight-digit, one-time code that is active for a half-hour. At the ATM, the customer chooses the card-free access button on the screen, then follows the prompts to enter the eight-digit code plus the customer’s four-digit debit card PIN.
Chase requires that consumers use the bank’s debit card that has been loaded into an Apple Pay, Google Pay or Samsung Pay mobile wallet. Consumers then tap their phone at a certain spot on the ATM. Some mobile wallets will prompt consumers to authenticate the transaction with a security feature such as a fingerprint, passcode or facial recognition. After the ATM has identified the eligible card, consumers then have to enter their PIN.
You Still Need to Be Careful
While using a bank app eliminates concern about card skimmers, consumers need to be aware that their smartphones can be hacked or their bank accounts can also be breached online. Cybercriminals can change your settings, so avoid clicking on emails that appear to be from your bank if you are suspicious of the sender.
Stealing bank login credentials is one of the most common consumer scams on mobile, says Hank Schless, director of global campaigns at Lookout, a San Francisco-based mobile security provider. Lookout discovered that 2022 had the highest percentage of mobile phishing rates ever, with an average of more than 30% of personal and business users exposed to attacks every quarter.
“When victims tap on a phishing link, they’re brought to a fake login page for that bank and asked to enter their credentials,” he says. “If the victim follows through, the actor behind this campaign could then log into their bank account and steal funds.”
Cybercriminals often will use social engineering through texts, social media and third-party messaging platforms to convince targets they are a legitimate person reaching out, Schless says.
Consumers whose phones are lost or stolen can have their data on the phone wiped remotely. If you suspect your account was breached, change your password immediately. Ensure that you have a passcode on the phone and use two-factor authentication when you log into your mobile app.