Cardless ATM Access – The Next Fraud Frontier

I wrote the other day about hackers stealing your phone number to be able to capture the text messages for password resets.

Here is another reason to be concerned about the security of your phone and phone number.

The banks are walking a tightrope.  Millennials just don’t relate to banks the way their parents do, so banks are trying to make it easier to do business with them – apparently, even at the expense of security.

Kristina Markula told the story of what happened to her.  In November, while in Cancun, she tried to use her Chase app to view her balance, but it would not let her.  When she got back to the States, she called Chase.

They told her to bring two forms of government picture ID and visit a branch office.  THAT doesn’t sound good.

When she got there, she was told that someone used her userid and password to add a new phone to her Chase account and changed the email address for the account.

That deed done, the attacker transferred $2,900 from her savings to her checking account and then went to an ATM and used this new feature, cardless ATM access, to withdraw the $2,900.

The attacker knew that the amount, $2,900, was below the $3,000 daily limit.

She closed her account and filed a fraud claim.  The bank declined to admit it was fraud and give her the money back.  She spent way too many hours writing documentation and talking to people on the phone, but still, Chase said it was her problem.

According to Avivah Litan at Gartner, banks would like to get away from cards because they have to be replaced.  Of course, since people use them at stores, gas stations and other places, I don’t think getting rid of them is practical any time soon.

This story ends with some good news, however.

Brian Krebs, the former Washington Post columnist and current cyber security blogger, contacted someone at Chase and magically, they refunded Kristina’s money and apologized.  Brian has a pretty impressive journalistic reach and the media relations people at Chase know that.

It is amazing what negative publicity to millions of Brian’s readers and followers can cause a bank to do.

Chase was probably walking on thin ice anyway, at least for consumers.  Federal banking regulations heavily favor the consumer in this case and my guess is that if Kristina had taken this to the feds, Chase would have quickly backed down.  The regulation that covers this is called Reg E.

I tried this cardless ATM at Wells today.  Here is how it worked for me.

  1. I had to have the Wells app installed on my phone.
  2. I logged in to the Wells app and it triggered my two factor authentication.
  3. After I was authenticated, I asked for an Access Code to use in place of my bank card.
  4. The app asked me for my password and said the code was only good for 30 minutes.
  5. I went to the ATM, entered the code and it asked for my ATM PIN.
  6. From that point, the transaction worked as normal.

When I went back to the app as I was writing this post and asked for a new code, it did not ask for my password or ATM PIN this time.

In addition, when I set up my account, I added a verbal password so that when I call into a call center there is an extra level of security.

However, Wells, apparently, has decided that if you answer the security questions for the automated call router correctly, that means that you do not want to enable that extra security – at least that is what a supervisor told me.  I don’t think that I said “in those circumstances where you think it is appropriate, ask me for my verbal password”, but that is apparently the Wells interpretation of my request.  If I don’t want the hassle of the extra security, I can always take it off, so I am not clear what their thinking is here.

While Chase claims this was a pilot program and they did detect fraud, at least in Colorado, they still offer the service of cardless ATM access.

I asked several people at Wells if it was possible to disable this insecure feature and was repeatedly told that was not possible.

What this means is that your phone is, once again, a huge security vulnerability.

Once again, we are at the intersection of security and convenience with a dash of cost thrown in.  Not surprisingly, security loses.

I asked the Wells supervisor to ask someone in media relations to call me back and was repeatedly told that Wells does not have a media relations department – I know this to be false, but that is what I was told anyway.

I am independently reaching out to Wells media relations and will update this post when I hear back from them.

Information for this post came from Brian Krebs.
