Security risk in cardless ATMs? The customer
When Fifth Third released its first wave of cardless ATMs earlier this year, scammers were ready.
Exactly 125 Fifth Third Bank customers who used the new machines were snared in an SMS phishing attack that netted thieves more than $100,000 over several months.
“We have developed a variety of ways to mitigate fraud risk and we’re always finding new approaches, but it’s impossible to completely eliminate fraud, particularly when information is provided to criminals through phishing,” said a spokesman for the bank, which rolled out the cardless ATM service this March.
Swindled customers responded to text messages asking for personal information such as usernames and passwords. The scammers used that information to add another mobile phone number to each victim's account, so that they could withdraw from the bank customers' accounts through those cardless ATMs.
The criminals were eventually apprehended, but the case once again demonstrated the vulnerability of mobile banking to these types of scams.
Banks are able to determine whether the mobile device tied to an account is co-located with the ATM, but when scammers add their own phones to those accounts, that check no longer distinguishes the scammer from the customer.
“We need better security long before it gets to that point,” said Al Pascual, head of fraud and security at Javelin Strategy & Research. “If you add a new mobile phone, an alert should go to all other devices on that account.”
New types of fraud in response to new functionality should no longer be a surprise, he said.
“When banks offer a new way to move money, it’s a clarion call for criminals to punch giant holes through it,” Pascual said.
He also recommended that users be restricted in how much they can withdraw with a newly added mobile phone number, and suggested banks consider adding more steps to verify a user's identity when a new mobile phone number is added.
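To make these controls concrete, here is an added illustration that is not the bank's or Javelin's code: a small policy engine that applies the three mitigations raised above to a cardless ATM withdrawal request. When a phone is enrolled, every other device on the account is alerted; a phone enrolled recently may only withdraw up to a cap before step-up verification is required; and the requesting phone must be co-located with the ATM. All names, thresholds, coordinates and the account record are hypothetical and constructed for the example.

```python
"""Added example (not Fifth Third's or Javelin's code): risk controls for a
cardless ATM withdrawal. Thresholds and records are hypothetical."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt
from typing import List, Tuple

# Hypothetical policy values chosen for illustration only.
NEW_DEVICE_WINDOW = timedelta(days=7)   # a phone counts as "new" for a week
NEW_DEVICE_LIMIT = 200.0                # cap for withdrawals from a new phone
MAX_DISTANCE_KM = 0.5                   # phone must be within 500 m of the ATM


@dataclass
class Device:
    device_id: str
    enrolled_at: datetime
    last_lat: float   # last reported location of the phone
    last_lon: float


@dataclass
class Account:
    account_id: str
    devices: List[Device] = field(default_factory=list)
    alerts: List[str] = field(default_factory=list)  # stands in for push/SMS alerts


def enroll_device(account: Account, device: Device) -> None:
    """Add a phone to the account and notify every *other* enrolled device,
    so the legitimate customer learns that a new phone was added."""
    for existing in account.devices:
        account.alerts.append(
            f"{existing.device_id}: new phone {device.device_id} enrolled")
    account.devices.append(device)


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    dlat, dlon = lat2 - lat1, lon2 - lon1
    a = sin(dlat / 2) ** 2 + cos(lat1) * cos(lat2) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def authorize_withdrawal(account: Account, device_id: str, amount: float,
                         atm_lat: float, atm_lon: float,
                         now: datetime) -> Tuple[bool, str]:
    """Decide whether a cardless withdrawal from this phone may proceed.
    Returns (approved, reason)."""
    device = next((d for d in account.devices if d.device_id == device_id), None)
    if device is None:
        return False, "device not enrolled"
    # Co-location: the phone asking for cash should be standing at the ATM.
    if haversine_km(device.last_lat, device.last_lon, atm_lat, atm_lon) > MAX_DISTANCE_KM:
        return False, "device not co-located with ATM"
    # New-device limit: a freshly enrolled phone cannot drain the account;
    # anything above the cap needs additional identity verification.
    if now - device.enrolled_at < NEW_DEVICE_WINDOW and amount > NEW_DEVICE_LIMIT:
        return False, "amount exceeds new-device limit; step-up verification required"
    return True, "approved"


if __name__ == "__main__":
    # Constructed scenario mirroring the article: a victim's long-enrolled phone,
    # then an attacker enrolling a second phone after a successful phishing text.
    now = datetime(2018, 6, 1, 12, 0)
    acct = Account("acct-1", [Device("victim-phone", now - timedelta(days=400),
                                     39.20, -84.51)])
    enroll_device(acct, Device("attacker-phone", now, 39.10, -84.51))
    print(acct.alerts)  # the victim's phone is told a new phone was added
    print(authorize_withdrawal(acct, "attacker-phone", 500.0, 39.10, -84.51, now))
    print(authorize_withdrawal(acct, "attacker-phone", 150.0, 39.10, -84.51, now))
```

The ordering matters: the co-location check runs before the new-device limit, so a customer's own phone that is nowhere near the ATM is refused regardless of how old its enrolment is, while a newly added phone standing at the machine is held to the cap until the bank has verified the customer through another channel.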
Others argue that two-factor authentication wouldn't have helped in this case, pointing instead to biometric authentication as the solution.
“The SMS-based phishing attack has been around for a long time,” said Ron Shevlin, director of research at Cornerstone Advisors. “The challenge now is that as more and more features and functions come out with the mobile device that are based on password-based credentials or even some combination of password and phone number, those things can be easily captured.”
Typically when payments are made more convenient, scammers look to infiltrate those payments systems through online or mobile routes. In 2017, a Chase customer lost almost $3,000 from a fraudulent cardless ATM transaction.
But banks also can’t fix their customers’ mistakes.
“How long have we been using mobile banking?” Shevlin said. “If the education efforts to get people to not give out information through emails and text messages hasn’t worked to date, more education isn’t the answer.”
Mike Byrnes, senior product marketing manager at Entrust Datacard, says that many of the issues with mobile and online banking could be solved by giving one mobile phone a strong digital identity. Users could register that phone with the bank, and the bank could verify the user by calling them and having them take a photo of their driver's license and a selfie.
Once that authentication process is complete, users could then use that phone in place of a card at ATMs, for mobile banking, online banking, for the call center and even in the branch. To use cardless ATMs with a mobile phone that’s been registered as having a strong digital identity, banks could send an SMS directly to the mobile app or have the user scan a QR code on the ATM.
“We believe banks need to implement security controls that are easy for the user but protect them from mistakes and relying on outdated credentials,” Byrnes said. “We need to move away from usernames and passwords and provide better controls.”