Phishing attack allows attackers to steal user’s credentials
By now I am sure we have all seen the commercials of people walking up to ATMs and taking cash out without physically touching the machine. The feature is known as “Cardless ATM banking” and has been adopted by several banks and financial institutions, which boast about its faster transaction times (about 15 seconds from start to finish). Cardless ATM lets banking customers withdraw money from their accounts without using their physical debit cards; the whole process is completed with their mobile phone and banking app. The process is simple:
Install and use the bank’s mobile app on your smartphone. Input your withdrawal amount.
The app generates a QR code that is readable by the ATM’s QR Scanner
Hold your phone up to the scanner and the ATM verifies your QR code
You get your cash
Here is a quick video demonstration from the CreditCards.com YouTube channel
While the banks claim that this feature is both convenient and secure, that is only half true. It is true that the feature makes transactions more convenient. The banks also claim that it is secure because your debit card information is stored in the app on your phone, which removes the risk of the physical debit card getting stuck in the machine or destroyed. However, the feature is far from secure against malicious attackers. It has been reported that hackers (the bad kind…) have successfully carried out attacks against the cardless ATM feature by stealing users’ account credentials through a phishing campaign.
How the Attack Works
Most people would assume that an attack like this requires a lot of time and skill to execute successfully. In reality, it is not particularly difficult to pull off.
First, the attacker sets up a fake site mirroring the victim’s banking site.
The attacker then sends an SMS or email message to the unsuspecting user, pretending to be the bank and claiming that the victim’s account has been locked. The message includes a link to the fake site, where the victim is asked to enter all of their credentials in order to “unlock” the account.
Next, the attacker uses the stolen credentials to log in and make the changes to the victim’s bank account that will let the attacker use the mobile application with it.
Finally, the attacker walks up to an ATM with the banking app installed on their own phone and logged into the victim’s account, and withdraws money.
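The weak link in the chain above is the lure message in the second step: a link that looks like the bank's but does not actually lead to the bank's domain. The following is an added example, not code from the original post, showing the check a defender (or a mail/SMS filter) can apply to such a message. The bank domain `examplebank.com`, the urgency phrases and the two sample messages are all constructed for the example; the "registrable domain" logic is deliberately naive (last two host labels) and would need a public-suffix list for domains like `co.uk`.

```python
import re
from urllib.parse import urlparse

# Assumed legitimate domain of the bank (constructed for this example).
BANK_DOMAIN = "examplebank.com"

# Phrases typical of the "your account has been locked" lure.
URGENCY_PHRASES = (
    "account has been locked",
    "locked",
    "suspended",
    "verify your account",
    "unlock",
)

# Matches http(s) URLs and bare www. links inside free text.
URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)


def extract_urls(message: str) -> list[str]:
    """Return every link found in the message text."""
    return URL_RE.findall(message)


def registrable_domain(url: str) -> str:
    """Return the last two labels of the URL's host, e.g. 'examplebank.com'.

    Naive on purpose: it ignores public suffixes such as 'co.uk'.
    """
    if not url.lower().startswith(("http://", "https://")):
        url = "http://" + url  # urlparse needs a scheme to find the host
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def is_bank_domain(url: str) -> bool:
    """True only when the link really resolves under the bank's own domain.

    Lookalikes such as 'examplebank.com.secure-verify.net' or
    'examplebank-secure.com' contain the bank's name but fail this test.
    """
    return registrable_domain(url) == BANK_DOMAIN


def triage_message(message: str) -> dict:
    """Flag a message that carries a link off the bank's domain, or an
    urgency lure together with any link at all."""
    urls = extract_urls(message)
    foreign = [u for u in urls if not is_bank_domain(u)]
    lowered = message.lower()
    urgency = [p for p in URGENCY_PHRASES if p in lowered]
    suspicious = bool(foreign) or (bool(urgency) and bool(urls))
    return {
        "urls": urls,
        "foreign_urls": foreign,
        "urgency_hits": urgency,
        "suspicious": suspicious,
    }


# Constructed sample messages (not real bank traffic).
PHISH = ("ALERT: Your Example Bank account has been locked. Unlock it now at "
         "http://examplebank.com.secure-verify.net/unlock")
LEGIT = ("Example Bank: your statement is ready. View it at "
         "https://mobile.examplebank.com/statements")

if __name__ == "__main__":
    for label, msg in (("phish", PHISH), ("legit", LEGIT)):
        print(label, triage_message(msg))
```

The point of `is_bank_domain` is that a "contains the bank's name" check is not enough: the lure above literally starts with `examplebank.com` and still lands on `secure-verify.net`. Comparing the registrable domain, not the visible text, is what separates the real site from the mirror.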
In 2018, Krebs on Security reported that 125 Fifth Third Bank customers’ credentials were compromised in a scam in which attackers stole $68,000.00 from ATMs in several states in less than two weeks.
What Can You Do to Prevent This and Be More Secure?
Although a Mastercard poll from August 2018 states that 78% of consumers would rather use a cardless ATM than a physical card, my advice to my loved ones is to avoid using this feature.
If you get a text message, email, or even a phone call from someone claiming to be your bank and asking you to disclose your account information, DO NOT RESPOND!!! Never click links in text messages or emails.
If you do get a phone call, hang up and call your bank or financial institution directly using the phone number on the back of your bank card.