Cyber crooks exploit cardless ATMs using phishing and social engineering

Cardless ATMs exploited by a combination of phishing and adding new numbers to customers' mobile accounts

Scammers have found a new way to exploit cardless ATMs by hijacking people's mobile phone accounts.

According to KrebsOnSecurity, the fraudsters are using SMS-based phishing attacks to acquire users' credentials, conducting Kevin Mitnick-style social engineering to have new mobile numbers added to phone accounts, and then using that new number to withdraw cash at cardless ATMs.
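One defensive control that follows from the chain described above, added here as an illustration (it is not from the article, KrebsOnSecurity or any bank mentioned): correlate each cardless ATM withdrawal with the enrolment history of the mobile number that initiated it, and flag withdrawals from numbers that were never enrolled or were added only recently. Account ids, phone numbers and event names are constructed sample data.

```python
from datetime import datetime, timedelta

# Constructed sample event log (not real bank data). Each row is
# (timestamp, account, event_type, phone). The acct-1 number added on
# 10 May models the attacker-enrolled number from the article's scenario.
EVENTS = [
    ("2018-02-01T09:00", "acct-1", "phone_added", "+1-555-0100"),          # customer's own number
    ("2018-05-10T10:15", "acct-1", "phone_added", "+1-555-0199"),          # newly added number
    ("2018-05-10T11:40", "acct-1", "cardless_withdrawal", "+1-555-0199"),  # withdrawal from new number
    ("2018-05-11T08:00", "acct-2", "cardless_withdrawal", "+1-555-0300"),  # number never enrolled
    ("2018-05-12T12:00", "acct-1", "cardless_withdrawal", "+1-555-0100"),  # long-enrolled number
]


def flag_withdrawals(events, window=timedelta(days=7)):
    """Return (timestamp, account, phone, reason) for every cardless withdrawal
    made from a number that is not enrolled on the account, or that was
    enrolled less than `window` before the withdrawal."""
    enrolled = {}  # (account, phone) -> time the number was added
    alerts = []
    for ts_str, account, kind, phone in sorted(events):  # ISO timestamps sort chronologically
        ts = datetime.fromisoformat(ts_str)
        if kind == "phone_added":
            enrolled[(account, phone)] = ts
        elif kind == "cardless_withdrawal":
            added = enrolled.get((account, phone))
            if added is None:
                alerts.append((ts_str, account, phone, "number not enrolled on account"))
            elif ts - added <= window:
                hours = int((ts - added).total_seconds() // 3600)
                alerts.append((ts_str, account, phone,
                               f"number enrolled {hours}h before withdrawal"))
    return alerts


if __name__ == "__main__":
    for alert in flag_withdrawals(EVENTS):
        print(*alert, sep=" | ")
```

A real deployment would hold the withdrawal for step-up verification on the long-established number rather than simply logging it.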

It comes as the popularity of payment technology such as Apple Pay has got people used to tapping their smartphones to pay for goods rather than tapping in a four-digit security code, while cardless ATMs have been rolled out by a number of banks in the US.

In January 2017, nearly $3,000 was stolen from the account of a California woman through a cardless ATM transaction.

In May 2018, a number of account holders of Cincinnati-based financial institution Fifth Third Bank complained that they had received messages on their mobile phones, warning them that their accounts had been locked by their bank.

The message appeared to have originated from Fifth Third Bank, and instructed customers to click on a link that redirected them to a webpage that mimicked the legitimate Fifth Third Bank website.

The webpage instructed customers to enter their confidential account information, including usernames, passwords and even PINs, in order to "unlock their account".

Scammers were able to gain access to the private information of about 125 customers using this phishing technique.

The criminals later used the stolen details to make cardless cash withdrawals from Fifth Third Bank ATMs. More than $68,000 was stolen in less than two weeks from 17 ATMs in Michigan, Illinois and Ohio using Fifth Third's cardless ATM function.

The activities continued into October 2018, with the criminals still using the SMS phishing and cardless ATMs to make fraudulent withdrawals, earning an additional $40,000.

All these fraud cases are now being investigated by the FBI. The agency has arrested four people for making fraudulent withdrawals from ATMs.

On 10 October, two people were identified by the bank as illegally withdrawing money from ATMs in Cincinnati. One more person was identified, a week later, withdrawing money from an ATM in the Cleveland, Ohio area. All these individuals were arrested by the police.

On 19 October, a fourth scammer was also identified by the bank. He was arrested in a Cincinnati suburb. According to investigators, he was standing at the same ATM where he had previously been seen conducting fraudulent activity.
