Password Theft Fuels ATM Fraud

Financial institutions are rolling out cardless ATM transactions in which customers can use their mobile phones to withdraw money, but Krebs on Security found that that feature can be hacked, with the bad guys quickly and quietly taking stolen bank account usernames and passwords and getting cash out of ATMs with them.

According to the report, even worse, it may be hard for customers to dispute the cardless ATM withdrawals because the victim is seemingly at the scene where the crime happened.

Krebs on Security highlighted a story of a victim who was scammed out of $2,900 from her account after someone stole her username and password, added a new mobile phone number to her account and then moved money from the savings to the checking account to steal from the ATM. The report noted some banks in the U.S., including Chase, have rolled out this technology that dispenses cash without an ATM card. In the case of Chase, customers who have already associated a Chase account with the smartphone will tell the app how much money to withdraw then the app creates a unique seven-digit code that has to be entered into the Chase ATM. If the code is right, the machine spits out the cash, and the customer isn’t required to input his or her ATM card PIN. While Chase initially declined to help the victim in the case highlighted by Krebs on Security, after Krebs contacted Chase, the situation was corrected.

Chase spokesman Mike Fusco said a further investigation revealed the victim had been one of a group of people that were victimized by a half-dozen scammers who were busted employing the same scam to clean out Chase Bank accounts. “This small pilot we ran allowed a limited number of customers to access cash at Chase ATMs without a card. During the pilot, we detected some fraudulent activity where a group of people were able to go online and change the customer’s information and get the one-time access code, and we immediately notified the authorities,” Fusco said in the report. The spokesman noted Chase made changes to the pilot so that it can better detect fraudulent transactions. It also lowered the withdrawal limit for cardless ATM withdrawals.