With the advent of cardless ATM transactions on mobile phones, criminals have found a new way to steal your money.
As large financial institutions begin to allow customers to withdraw cash with their phones, criminals can now use stolen account information to access hijacked accounts and steal cash, according to Krebs on Security, an internet security news and information site.
Recent incidents in Cincinnati underscore how the scam works. FBI agents recently made several arrests in the city and are looking for other "yet unknown co-conspirators," according to WCPO in Cincinnati.
The arrests came after Cincinnati, OH.-based Fifth Third Bank began getting customer complaints about text messages claiming that their accounts were locked, according to the report. When customers clicked on a link to unlock their accounts, it took them to a fake website that asked for sensitive credentials such as passwords. This is a classic phishing scam where victims are prompted for information such as usernames, passwords, one-time passcodes and PIN numbers.
The bank contacted the FBI after losing $68,000 from 17 ATMs in Illinois, Michigan and Ohio, according to WCPO.
In one case, a man made 19 withdrawals totaling more than $9,000. The same man allegedly made other withdrawals. He had a total of $14,000 in cash at the time of his arrest.
Ultimately, the scam succeeded in stealing personal information from over 120 customers and losses at Fifth Third Bank totaled $106,000, according to court records cited in the WCPO report.
On November 7, a grand jury indicted four men who participated in the cardless ATM scheme, WCPO said.
Though many customers have likely never heard of cardless ATM transactions, that could change as it becomes more popular, giving criminals new opportunities. In January 2017, a California woman lost $3,000 via a cardless ATM operated by Chase Bank, KrebsOnSecurity added.
“In that incident, the thieves didn’t even need to know her ATM PIN,” KrebsOnSecurity wrote. They were able to use the phone number and mobile device they controlled and associate it with the woman’s Chase account using her username and password.
“This time last year, cardless ATMs were offered mainly by the big banks, and then only at some of their ATMs. Now, many smaller regional and local banks have upgraded their cash machines to enable the new technology,” KrebsOnSecurity added in the post.
The internet security website cites a Mastercard poll that claims 78 percent of consumers when asked, would rather use a cardless ATM than carry a physical card.