2017’s First Fraud Trend? Cardless ATM Fraud

That didn’t take long.  The fraudster’s found a loophole in yet another banking service which was designed to provide customers easier access to their money through ATM machines.

The service works like this, you request a one-time pin number sent to your mobile phone.  You tap your phone and enter the PIN number on the ATM machine and you get up to $3,000 dollars.

mobile-cash-at-atm

No card needed.  Sounds good, right?

Well it is, but the service is now being targeted by criminals that see an easy way to drain customers bank accounts without them even knowing.  The worst part of all of this is that UK banks had this service years ago but pulled it because it targeted mercilessly by fraudsters.

Brian Krebs Reported Cardless ATM Fraud This Week.

Brian Krebs reported this an alarming trend of Cardless ATM Fraud at Chase Banks this week.  Considering the banks only rolled out the fancy new ATM’s less than a year ago, that certainly didn’t take fraudsters long to figure out how to bypass controls.

The story broke because San Francisco resident Kristina Markula found out her Chase App and account were locked while she was vacationing in Cancun Mexico.

When she returned home she received a letter that she needed to head to the nearest Chase branch and present 2 forms of id, which she did.

As it turns out, fraudsters had broken into her online banking account using her username and password.  They added a new mobile device and changed her email address so she would not get any of the alerts or notices.

After the fraudsters added the new mobile device, they headed to one of the new ATM machines in Florida and requested one-time PIN number be sent to that phone.  Using that PIN they were able to siphon off $2,900 from her account.

Chase Fraud Department picked up on the strange sequence of events and quickly blocked her card.

To Make Matters Worse

It was bad enough that the fraudsters stole her money.  But what made it worse was that Chase’s Fraud Investigators originally denied her claim.  The fraudsters had done such a good job of making it look legitimate that Chase Bank thought she had taken the money and refused to pay.

Chase apparently believed that she had logged in to her account, requested the new phone be added and then traveled all the way to Florida to take out the money.

What a nightmare.

The matter was escalated and Chase realized that they had made a mistake. Her money was returned but it pointed to the fact that this particular type of fraud is painful for both consumers and banks alike.

Cat and Mouse Game

This type of fraud is actually not new.  UK banks experienced this fraud years ago when they tried to roll out something similar.  You can read about the RBS NatWest experience 5 years ago when they had to pull the service due to fraud attempts – NatWest Suspends Get Cash.

What probably gets Chase Fraud Executives wringing their hands is that the bank just completed the rollout of Chip cards which was supposed to make it hard for fraudsters to use customers accounts without the legitimate card in their possession.

While it us understandable that Chase wants to provide customers convenience, providing a service like this erodes the value of Chip Cards since fraudsters can still get cash out of the ATM by using a couple of pieces of stolen information (username and password) to drain a customer’s account.

FICO Reports ATM Fraud is Spiking

A new FICO study has discovered that the number of compromised ATMs in the U.S. skyrocketed 546% from 2014 to 2015.  You can read the report here – FICO study on ATM Fraud.

FICO also reported that ATM compromises were taking place over fewer days. The average duration of an ATM compromise fell from 36 days in 2014 to 14 days in 2015. The average number of cards affected by a compromise was cut in half.

Criminals are taking a quick-hit approach to ATM theft and card fraud,” said TJ Horan, vice president of fraud solutions at FICO. “They are moving faster to make it harder for banks to react and shut down the compromises. They are targeting non-bank ATMs, which are more vulnerable — in 2015, non-bank ATMs accounted for 60 percent of all compromises, up from 39 percent in 2014.

One thing is for certain, ATM fraud is not slowing down.  In fact with the limited use of CHIP readers at ATM machine, coupled with these new convenient banking services we can expect another big increase in ATM fraud in 2017.

Frank McKenna is the Chief Fraud Strategist for PointPredictive and a Fraud Consultant based in San Diego California