Latest Account Takeover Scheme Targets Cardless ATM Withdrawals

Posted May 9, 2018

Latest Account Takeover Scheme Targets Cardless ATM Withdrawals

When banks started rolling out cardless ATM withdrawals, the idea was to bring a whole new level of convenience and security to increasingly mobile consumers. But according to a recent industry report, ATM debit card fraud has jumped 10 percent during the past year, thanks in part to a mobile twist on account takeover (ATO) schemes.

For those not yet familiar with it, cardless ATM withdrawal enables customers to use the bank’s mobile app to send a request for a one-time access code, which is typically active for about 30 minutes. Once at the ATM, the customer just needs to enter the access code and the debit card PIN to withdraw cash.

Pretty cool, right? Now, there’s no need to carry around an ATM card everywhere you go. And the theft risk from debit cards that double as credit cards is eliminated. Unfortunately, cardless ATM withdrawals do harbor a threat of their own, one that’s akin to locking the front door while leaving the back window wide open.

Fast Money Gets Faster

It may come as a surprise that there was a time when consumers looked on suspiciously as banks rolled out new-fangled devices called “Automated Teller Machines.” Needless to say, we got over it.

As convenient as they are for customers, ATMs were a gift to thieves as well. Crooks would attempt to rob people as they withdrew cash. But over time, inventive swindlers developed an easier approach: skimming. Here, scammers use tiny cameras and secret card-reading devices affixed to ATMs to steal debit card info and PINs from customers—making off with $2.7 billion per year, according to a card fraud study by LexisNexis Risk Solutions.

Cardless ATM withdrawal technology obviously quashes this activity. Which is great. But as cybercrime site KrebsonSecurity points out in an article titled “Stolen Passwords Fuel Cardless ATM Fraud”, it also “creates an avenue for thieves to quickly and quietly convert stolen customer bank account usernames and passwords into cold hard cash.”

Here’s how: During a successful account takeover attack, fraudsters can add their own phone to an account, enabling them to request cardless ATM access codes themselves. From there, they can turn the nearest ATM into their own personal piggy bank. Plus, while typical daily maximums for ATM transactions range between $300 and $600, cardless withdrawals can be as high as $3,000.

Customers may also find it tough to dispute these withdrawals since they appear to place the victim at the scene of the crime.

Fighting ‘Withdrawal’ Symptoms

So far at least, a bulletproof solution to cardless ATM fraud has been elusive.

On their own, the biometrics capabilities in newer smartphones aren’t enough. Crooks can associate their own biometric with a hijacked account just as easily as the legitimate owners can.

Some banks have started requiring customers to scan a dynamically generated QR code on the ATM screen to place them in the city in which they live, in hopes of fending off fraudsters requesting access codes from other cities or countries.

But that may not do the trick for customers in major cities, which are invariably home to plenty of local cyberthieves. Besides, what happens when an account has multiple owners—a married couple, for instance—and one is traveling on business and in need of cash?

While biometrics and QR codes may be part of a more comprehensive solution, by themselves, they focus on the symptoms of cardless ATM fraud, instead of the true problem: account takeovers attacks, which are up 182 percent during the past year.

So, what can banks do to protect ATM users?

Starve the ATO, Save the ATM

At ThreatMetrix, we’ve been working successfully with banks and financial institutions to put an end to account takeovers that, among other dangers, can lead to cardless ATM fraud.

Through our digital identity solutions, banks have the ability to instantly spot fraudulent login attempts made by crooks using stolen credentials, enabling the vast majority of legitimate logins to speed through.

What if a fraudster somehow succeeds at gaining access to an account? Digital identity solutions cross-reference dynamic, real-time data from multiple sources and assess risks based on hundreds of dynamic data elements. These risks can include an attempt to add a new phone to an account.

What’s more, even if a thief succeeds in adding a new phone, digital identity solutions would typically analyze any new ATM access code request relative to normative user behaviors and locations, whether the user’s identity or device has been involved with fraudulent transactions, and much more – all without causing friction for legitimate users.

Not that there aren’t a host of other threats to ATM users stemming from cyberattacks, of course. But at a time when ATM fraud can score a criminal $30,000 to $50,000 before being apprehended, this particular form of account takeover attack is enough to have us all hoping that banks take a prudent approach to both account security and modern convenience.

To learn more about how digital identity-based solutions can help in the fight against account takeover and other forms of fraud, check out exclusive Case Studies for banks and financial services.

ThreatMetrix Team

ThreatMetrix Team

close btn