Using your mobile phone instead of a traditional card to withdraw money at an ATM can carry some severe risks.
Chase ATMs compromised
Krebs on Security reports that crooks have learned how to abuse cardless ATM transactions, using stolen bank account usernames and passwords to empty your account.
The security firm wrote a blog post sharing the story of San Francisco resident Kristina Markula, who had $2,900 taken from her account in an elaborate ruse that centered around a cardless ATM transaction.
According to Krebs, criminals managed to steal her username and password and then add a new mobile phone number to her account.
After adding a new number to the account, the crooks could then transfer money from her savings account to her checking account and do a cardless transaction to drain money out.
For those who aren’t familiar with cardless transactions, they typically work by associating your smartphone with your account via a digital wallet or app. Then when you’re at an ATM, your phone communicates with the ATM and you tell it how much money you want to withdraw.
With Chase in particular, you’re given a seven-digit code that you then enter into the ATM to get your cash. No ATM card or traditional four-digit PIN necessary.
Regular ATM transactions typically have a daily limit of $300 to $600. But with cardless transactions, the limit can be as high as $3,000. That’s how Kristina Markula lost $2,900 in one day to the crooks.
Chase eventually remedied the situation for Kristina Markula and gave her the stolen money back, after prompting by Krebs on Security. The bank has since put changes in place to better detect fraudulent transactions with its cardless ATM customers and lowered the daily withdrawal limit for this kind of transaction.
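One way the sequence described above (new phone number added, savings moved to checking, cardless withdrawal) could be flagged in account event logs. This is an added example, not code from Chase or Krebs on Security; the event types, field names and the 24-hour window are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)  # assumed review window after a phone change


def flag_cardless_takeover(events, window=WINDOW):
    """Flag cardless withdrawals made from a phone number that was added
    to the account less than `window` earlier."""
    new_phones = {}   # (account, phone) -> time the number was added
    transfers = {}    # account -> time of last savings-to-checking transfer
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        acct, ts = ev["account"], ev["ts"]
        if ev["type"] == "phone_added":
            new_phones[(acct, ev["phone"])] = ts
        elif ev["type"] == "transfer":
            if (ev["src"], ev["dst"]) == ("savings", "checking"):
                transfers[acct] = ts
        elif ev["type"] == "cardless_withdrawal":
            added = new_phones.get((acct, ev["phone"]))
            if added is None or ts - added > window:
                continue  # long-standing number: not this pattern
            moved = transfers.get(acct)
            alerts.append({
                "account": acct,
                "amount": ev["amount"],
                # True when savings were moved after the number was added
                "funded_by_transfer": moved is not None and added <= moved <= ts,
            })
    return alerts


def _t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed sample events (hypothetical schema, not real data).
SAMPLE = [
    {"ts": _t("2024-01-05 10:00"), "account": "A", "type": "phone_added", "phone": "555-0101"},
    {"ts": _t("2024-01-05 10:20"), "account": "A", "type": "transfer", "src": "savings", "dst": "checking", "amount": 2900},
    {"ts": _t("2024-01-05 11:05"), "account": "A", "type": "cardless_withdrawal", "phone": "555-0101", "amount": 2900},
    {"ts": _t("2024-01-05 12:00"), "account": "B", "type": "cardless_withdrawal", "phone": "555-0102", "amount": 200},
    {"ts": _t("2024-01-01 09:00"), "account": "C", "type": "phone_added", "phone": "555-0103"},
    {"ts": _t("2024-01-04 09:00"), "account": "C", "type": "cardless_withdrawal", "phone": "555-0103", "amount": 300},
]

if __name__ == "__main__":
    for alert in flag_cardless_takeover(SAMPLE):
        print(alert)
```

Only account A is flagged: B withdraws from a number with no recent change, and C's withdrawal comes three days after the number was added.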
Chase isn’t the only big bank to offer cardless transactions, according to CNBC. Bank of America does too, in addition to smaller institutions like BMO Harris Bank and Wintrust Financial.