Cardless ATM Scams: How to Protect Yourself Against Them


To ensure that our money doesn't sit still, banks and financial institutions have embraced technology and have given us numerous ways of moving cash around. They know that convenience plays a major part in the decision-making process which is why they try to make the new means of managing our finances as quick and easy as possible. The fact that some banks give you the chance of withdrawing cash from an ATM without having your debit card with you is illustrative of the trend.

Although they haven't completely caught on, cardless ATMs are becoming more and more common. Some of them make use of NFC (Near-Field Communication) technology while others, like the ones operated by Fifth Third Bank, offer an altogether simpler solution.

If you're a Fifth Third customer, you go to one of the bank's 2,500 ATMs, you log in to your mobile application, and you choose which of your accounts you'd like to use. Then, you tap the ATM's screen, scan the code that appears, enter your debit card's PIN, and you're ready to start using the machine.

Fifth Third Bank tells us that because it minimizes the chances of having your card skimmed or stolen, using the new system gives you additional security. Scammers have set themselves the task of proving the bank wrong.

Smishing and cardless ATMs make for a nasty combination

In May, just two months after Fifth Third launched the cardless ATM feature, clients started complaining about scammers. Brian Krebs reported that the fraudulent activities continued until October, when law enforcement, along with the bank, finally managed to track down what they think is the group responsible for the crime. Four men have been arrested in connection with the cunning scheme.

First, victims received a text message saying that their bank accounts had been locked. There was a link in the SMS which gave the account owner a quick and easy way of solving the problem. The link led them to a website that looked identical to Fifth Third's, and they were asked for quite a few details, including their login credentials, their one-time password, and their debit card PIN. After they entered all the information, they got a message saying that the problem was fixed and that all was back to normal. Later, they would realize that the SMS was fake and that the website they gave their personal details to was controlled by crooks.

Having phished the sensitive data out of the user, the criminals would use it to install Fifth Third's application on their own phone, would walk to the nearest ATM and would withdraw the account owner's money.

According to Krebs, in a matter of less than two weeks, the crooks managed to scam users out of very nearly $70 thousand, and throughout the next five months, their profits increased by a further $40 thousand.

The crooks did indeed get a pretty hefty paycheck, but if the police have the right people, they won't get to enjoy it. Hopefully, whoever is responsible will get what they deserve. In the meantime, we have a couple of lessons to learn.

First of all, and banks should pay particularly close attention to this one, saying that a new authentication mechanism is "more secure" than an old one doesn't mean that scams will simply stop existing. In fact, it's more likely to give birth to new schemes that exploit a particular weakness in the new system. Unfortunately, sometimes, spotting that weakness before it's too late is not possible.

And this means that ultimately, it's up to the users to be vigilant and to stay out of trouble. Often, this is harder than it sounds, but it's far from impossible, especially when we're talking about text messages or emails that contain links and pretend to be from your bank.

November 15, 2018