Hacking Cardless ATMs via Text Message


Thieves are combining SMS-based phishing attacks with new “cardless” ATMs to rapidly convert phished bank account credentials into cash. Recent arrests in Ohio shed light on how this scam works.

A cardless ATM allows cardholders to withdraw cash using nothing more than their mobile phones. But this also creates an avenue of fraud for bad guys, who leverage phished or stolen account credentials to add a new phone number to the customer’s account and then use that added device to siphon cash from hijacked accounts at cardless ATMs.

In May 2018, Fifth Third Bank started receiving complaints from cardholders who had received text messages that claimed to be from the bank, warning that their accounts had been locked. The text messages contained a link to unlock accounts, but the link led customers to a website that mimicked Fifth Third's site. Cardholders were then prompted to enter account credentials (including usernames, passwords, one-time passcodes and PINs) to unlock their accounts. The crooks then used the phished data to make withdrawals at cardless ATMs.

In a different scam, involving Chase Bank, thieves didn’t even need to know the ATM PIN; they used a phone number and mobile device they controlled, associating it with the cardholder's Chase account simply by supplying her username and password.
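
Both scams share one observable sequence: a phone or device is added to an account, and a cardless withdrawal from that device follows shortly after. The sketch below is an added example, not code from the banks or from the original story; it flags that sequence on the bank side, and the event schema, the sample events and the 48-hour hold period are all assumptions.

```python
from datetime import datetime, timedelta

# Assumed policy value: how long a newly added device stays "untrusted".
HOLD = timedelta(hours=48)

# Constructed sample events (hypothetical schema), not real bank data.
EVENTS = [
    {"ts": "2018-05-01T09:00:00", "account": "A1", "type": "device_enrolled", "device": "phone-old"},
    {"ts": "2018-05-20T14:02:00", "account": "A1", "type": "device_enrolled", "device": "phone-new"},
    {"ts": "2018-05-20T14:31:00", "account": "A1", "type": "cardless_withdrawal", "device": "phone-new", "amount": 500},
    {"ts": "2018-05-21T10:00:00", "account": "A1", "type": "cardless_withdrawal", "device": "phone-old", "amount": 60},
    {"ts": "2018-05-22T08:00:00", "account": "B2", "type": "cardless_withdrawal", "device": "phone-x", "amount": 200},
]


def flag_withdrawals(events, hold=HOLD):
    """Return (account, device, reason) for cardless withdrawals made from a
    device enrolled less than `hold` earlier, or from a device with no
    enrollment record at all."""
    enrolled = {}  # (account, device) -> first enrollment time
    alerts = []
    # ISO-8601 timestamps in one format sort correctly as strings.
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        key = (ev["account"], ev["device"])
        if ev["type"] == "device_enrolled":
            # Keep the first enrollment time seen for this device.
            enrolled.setdefault(key, ts)
        elif ev["type"] == "cardless_withdrawal":
            added = enrolled.get(key)
            if added is None:
                alerts.append((ev["account"], ev["device"], "unknown_device"))
            elif ts - added < hold:
                alerts.append((ev["account"], ev["device"], "new_device"))
    return alerts


if __name__ == "__main__":
    for alert in flag_withdrawals(EVENTS):
        print(alert)
```

A flagged withdrawal can be held for step-up verification over a channel that was registered before the new device was added.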

Meanwhile, Mastercard cardholder polling says that 78% of consumers would rather use a cardless ATM solution than carry a physical card.

Read the story in detail at Krebs On Security.
