ATM Crime Spreads to Cardless Transactions
The bad news for credit unions and other financial institutions is that ATM fraud has matured beyond skimming. Even so-called cardless ATM transactions, offered at some locations, are under attack.
Cardless ATMs permit accountholders to withdraw money using just their mobile phones. But, according to KrebsOnSecurity, this new technology has also created another avenue for thieves.
ATM crime includes ATM skimming, PIN compromise, deposit-related fraud, cash trapping, dispenser jackpotting, transaction reversal fraud, eavesdropping, card data malware, shimming chip card data, and network packet sniffing.
Some sophisticated fraud schemes involve malware that gives hackers complete ATM access. For example, bandits using the “Alice” malware can remotely program ATMs to dispense cash at specific times for collaborators to scoop up.
A recent fraud case involving a cardless transaction took advantage of a San Francisco resident while she was on vacation in Mexico. She told KrebsOnSecurity that she tried to view her bank balance using a Chase smartphone app, which blocked her from accessing the account.
Back in the United States, a Chase branch manager told her that someone had used her online banking username and password to add a new mobile number and device to the account, and then moved $2,900 from savings to checking. The thief also changed the contact email address. Soon after, that mobile device was used to withdraw $2,900 from her checking account at an ATM in Pembroke Pines, Fla.
A few U.S. financial institutions, including Chase, have installed ATMs capable of dispensing cash using a smartphone associated with the account, instead of a plastic card. Connecting an account to the mobile app requires only that the customer supply an online banking username and password.
According to Krebs, users tell the Chase application how much to withdraw, and the app creates a unique seven-digit code entered at the ATM (some financial institutions offering cardless ATM withdrawals have the app display a QR code, which is scanned by a reader on the ATM).
Most financial institutions limit how much traditional ATM customers can withdraw per transaction, but some have set cardless transaction limits at much higher amounts.
“All new technologies go through a trial period where security is weighed against consumer convenience. As banks close the doors on counterfeit cards with EMV and tighten up mobile wallet card provisioning, fraudsters will move to account takeover tactics until banks tighten those loopholes as well,” Randy Vanderhoof, director of the U.S. Payments Forum, said. “Cardless ATM applications using mobile phones can be secured and will be better in the future, but not before a few bad experiences happen.”
Morey Haber, VP of technology at Phoenix-based security company BeyondTrust, pointed out that cardless ATM transactions have several inherent security flaws, as identified by the KrebsOnSecurity article. “What is unclear, however, is why the standard security measures for the user's account failed at the bank.”
Haber noted that, typically, all changes to an account require some form of two-factor authentication via email, phone, or SMS text. “It is unclear why the user never received them and the fraudulent phone number was committed to the account without verification.”
Haber added, “The concept of cardless ATM transactions does represent the future of mobile banking. But the physical presence of a card (with a chip) does provide another layer of security on top of a PIN, phone, and one-time password. Only one card can physically exist to access an account, where in the case of cardless ATM transactions, the entire process can be duplicated on any number of devices that have been registered (legally or not).”
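As an added illustration, not code from the article or from any bank, the following Python reviews a constructed account event stream shaped like the takeover sequence described above (device added with only a username and password, contact email changed, savings moved to checking, then a cardless withdrawal) and flags the control gaps Haber points to: sensitive changes without step-up verification, and a cardless withdrawal from a freshly enrolled device for more than a card-based ATM would allow. Event field names, timestamps and the limit value are assumptions.

```python
from datetime import datetime, timedelta

# Constructed event stream (not real bank data) modelled on the sequence in the
# article: new device enrolled with only username/password, contact email changed,
# savings moved to checking, then a cardless ATM withdrawal of the same amount.
# Field names, timestamps and the "step_up" flag are assumptions for this example.
EVENTS = [
    {"ts": "2017-01-10T09:02:00", "type": "login",             "device": "dev-new", "step_up": False},
    {"ts": "2017-01-10T09:03:00", "type": "add_device",        "device": "dev-new", "step_up": False},
    {"ts": "2017-01-10T09:04:00", "type": "change_email",      "device": "dev-new", "step_up": False},
    {"ts": "2017-01-10T09:05:00", "type": "transfer",          "device": "dev-new", "amount": 2900},
    {"ts": "2017-01-10T10:30:00", "type": "cardless_withdraw", "device": "dev-new", "amount": 2900},
]

CARD_ATM_LIMIT = 500                     # assumed per-transaction limit for card withdrawals
NEW_DEVICE_WINDOW = timedelta(hours=24)  # withdrawals from a device newer than this get flagged
SENSITIVE_CHANGES = {"add_device", "change_email", "change_phone"}


def review_account_activity(events):
    """Return a list of risk findings for one account's event stream."""
    findings = []
    enrolled = {}             # device id -> time it was added to the account
    contact_changed_at = None
    for ev in sorted(events, key=lambda e: e["ts"]):   # ISO timestamps sort as strings
        t = datetime.fromisoformat(ev["ts"])
        # Haber's point: every change to the account should carry step-up verification.
        if ev["type"] in SENSITIVE_CHANGES and not ev.get("step_up"):
            findings.append(f"{ev['type']} at {ev['ts']} completed without step-up verification")
        if ev["type"] == "add_device":
            enrolled[ev["device"]] = t
        elif ev["type"] in ("change_email", "change_phone"):
            contact_changed_at = t
        elif ev["type"] == "cardless_withdraw":
            added = enrolled.get(ev["device"])
            if added is None:
                findings.append(f"cardless withdrawal from unenrolled device {ev['device']}")
            elif t - added < NEW_DEVICE_WINDOW:
                findings.append(f"cardless withdrawal only {t - added} after device enrollment")
            if contact_changed_at and t - contact_changed_at < NEW_DEVICE_WINDOW:
                findings.append("cardless withdrawal shortly after contact details were changed")
            if ev["amount"] > CARD_ATM_LIMIT:
                findings.append(f"cardless amount {ev['amount']} exceeds card ATM limit {CARD_ATM_LIMIT}")
    return findings


if __name__ == "__main__":
    for finding in review_account_activity(EVENTS):
        print("FLAG:", finding)
```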