Phishing attack allows attackers to steal users’ credentials

By now I am sure we have all seen the commercials of people walking up to their ATMs and taking cash out without physically touching the machine. The feature is known as “Cardless ATM banking” and has been adopted by several banking and financial institutions, which boast about the faster transaction times (about 15 seconds from start to finish). Cardless ATM lets banking customers withdraw money from their accounts without using their physical debit cards; the transaction is completed with their mobile phone and the bank’s app. The process is simple:

  1. Install the bank’s mobile app on your smartphone and enter your withdrawal amount.
  2. The app generates a QR code that is readable by the ATM’s QR scanner.
  3. Hold your phone up to the scanner and the ATM verifies your QR code.
  4. You get your cash.

Here is a quick video demonstration from the CreditCards.com YouTube channel.

While the banks claim that this feature is both convenient and secure, that is only half true. It is true that the feature makes transactions more convenient. The banks also state that it protects your debit card information (since it is stored on your phone) and removes the risk of the physical debit card getting stuck in or destroyed by the machine. However, the feature is far from secure against malicious attackers. It has been reported that hackers (the bad kind…) have successfully carried out attacks exploiting the cardless ATM feature by stealing users’ account information through a phishing campaign.

How the Attack Works

Most people would assume that an attack like this requires a lot of time and skill to execute successfully. However, it is not especially difficult to pull off.

  1. First, the attacker sets up a fake site mirroring the victim’s banking site.
  2. The attacker then sends an SMS or email message to the unsuspecting user, pretending to be the bank and informing the victim that their account has been locked. The message also provides a link to the attacker’s site, where the victim is asked to enter all their credentials in order to “unlock” the account.
  3. Next, the attacker uses the victim’s credentials to log in and make changes to the victim’s bank account that enable the attacker to use the mobile application (in effect, enrolling the attacker’s own phone on the account).
  4. Finally, the attacker walks up to an ATM with the banking app installed on their phone, logged in to the victim’s account, and withdraws money.
  5. Find the next victim and wash, rinse, repeat.
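The attack chain above leaves a recognisable footprint on the bank’s side: a new device is enrolled on the account and, shortly afterwards, that same device performs cardless withdrawals. As an added illustration (not code from the original post or from any bank), the rule below flags cardless withdrawals made from a device that was enrolled on the account only recently. The event schema and the sample events are constructed for this example; the 24-hour window and the idea of holding or step-up verifying such withdrawals are assumptions, not anything the post prescribes.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass
class Event:
    """One account event. Hypothetical schema for this example only."""
    ts: datetime
    account: str
    kind: str          # 'device_enroll' or 'cardless_withdrawal'
    device: str
    amount: float = 0.0
    location: str = ""


# Assumed policy: a cardless withdrawal from a device enrolled less than
# 24 hours earlier is treated as high risk (hold it or require step-up auth).
NEW_DEVICE_WINDOW = timedelta(hours=24)


def flag_new_device_withdrawals(events: List[Event],
                                window: timedelta = NEW_DEVICE_WINDOW) -> List[dict]:
    """Return one alert per cardless withdrawal whose device was enrolled
    on the account within `window` before the withdrawal."""
    enrolled_at: Dict[Tuple[str, str], datetime] = {}
    alerts: List[dict] = []
    for e in sorted(events, key=lambda ev: ev.ts):
        key = (e.account, e.device)
        if e.kind == "device_enroll":
            enrolled_at[key] = e.ts
        elif e.kind == "cardless_withdrawal":
            enrolled = enrolled_at.get(key)
            # A withdrawal from a device with no enrollment record is also
            # worth a look, but here we only score the "fresh enrollment" case.
            if enrolled is not None and e.ts - enrolled <= window:
                alerts.append({
                    "account": e.account,
                    "device": e.device,
                    "amount": e.amount,
                    "location": e.location,
                    "device_age_hours": (e.ts - enrolled).total_seconds() / 3600,
                    "action": "hold_and_verify",
                })
    return alerts


# Constructed sample events (not real customers or transactions).
T0 = datetime(2018, 10, 1, 9, 0)
SAMPLE_EVENTS = [
    # Legitimate customer: phone enrolled a month ago, withdraws today.
    Event(T0 - timedelta(days=30), "acct-A", "device_enroll", "phone-legit"),
    Event(T0, "acct-A", "cardless_withdrawal", "phone-legit", 60.0, "OH"),
    # Phished customer: attacker enrolls a new phone and drains the account
    # at two ATMs within hours.
    Event(T0 + timedelta(hours=1), "acct-B", "device_enroll", "phone-unknown"),
    Event(T0 + timedelta(hours=1, minutes=40), "acct-B", "cardless_withdrawal",
          "phone-unknown", 500.0, "IL"),
    Event(T0 + timedelta(hours=5), "acct-B", "cardless_withdrawal",
          "phone-unknown", 500.0, "IN"),
]


def run_sample() -> List[dict]:
    """Apply the rule to the constructed events; returns the alert list."""
    return flag_new_device_withdrawals(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Only the two withdrawals on acct-B are flagged; the legitimate customer’s month-old device passes. A real fraud engine would combine this with other signals (password reset just before the enrollment, withdrawals spread across states, amounts at the daily limit), but the new-device-then-withdrawal sequence is the core of what the scheme described above looks like from the bank’s side.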

Has This Really Happened?

  • In 2018, Krebs on Security reported that the credentials of 125 Fifth Third Bank customers were compromised in a scam in which attackers stole $68,000.00 from ATMs in several states in less than two weeks.

What Can You Do to Prevent This and Be More Secure?

  • Although a Mastercard poll from August 2018 states that 78% of consumers would rather use Cardless ATM than a physical card, my suggestion to my loved ones is to avoid using this feature.
  • If you get a text message, email or even a phone call from someone claiming to be your bank and asking you to disclose your account information, DO NOT RESPOND!!! Never click links in text messages or emails.
  • If you do get a phone call, hang up and call your bank or financial institution directly using the phone number on the back of your bank card.

© 2019 Created by CISO Platform.
