02 Nov 18

SMS Phishing + Cardless ATM = Profit

Thieves are combining SMS-based phishing attacks with new “cardless” ATMs to rapidly convert phished bank account credentials into cash. Recent arrests in Ohio shed light on how this scam works.

A number of financial institutions are now offering cardless ATM transactions that allow customers to withdraw cash using nothing more than their mobile phones. But this also creates an avenue of fraud for bad guys, who can leverage phished or stolen account credentials to add a new phone number to the customer’s account and then use that added device to siphon cash from hijacked accounts at cardless ATMs.

Image: Mastercard.us

In May 2018, Cincinnati, Ohio-based financial institution Fifth Third Bank began hearing complaints from customers who were receiving text messages on their phones that claimed to be from the bank, warning recipients that their accounts had been locked.

The text messages contained a link to unlock their accounts and led customers to a Web site that mimicked the legitimate Fifth Third site. That phishing site prompted visitors to enter their account credentials — including usernames, passwords, one-time passcodes and PINs — to unlock their accounts. Harvesting the one-time passcode alongside the password is what let the crooks defeat the bank's SMS-based second factor in real time.

All told, that scam netted credentials for approximately 125 Fifth Third customers — most of them in or around the Cincinnati area. The crooks then used the phished data to withdraw $68,000 from 17 ATMs in Illinois, Michigan, and Ohio in less than two weeks using Fifth Third’s cardless ATM function.

According to court documents, the SMS phishing and fraudulent withdrawals at cardless ATMs continued through October 2018, earning the scammers an additional $40,000. That is, until the bank zeroed in on four individuals suspected of perpetrating the crime spree. Shortly thereafter, four men were arrested in connection with the crimes.

One of them, identified as Ciprian-Raducu Antoche-Grecu, was apprehended in a Cincinnati suburb while standing at the same Fifth Third ATM where he was previously observed conducting fraudulent activity, investigators allege.

In January 2017, KrebsOnSecurity told the story of a California woman who saw nearly $3,000 drained from her account via a cardless ATM operated by Chase Bank. In that incident, the thieves didn’t even need to know her ATM PIN: they associated a phone number and mobile device they controlled with her Chase account simply by supplying her username and password.
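The common thread in both the Fifth Third and Chase cases is that the bank treated "knows the password (and maybe an SMS code)" as sufficient proof to bind a new phone to the account, and then let that phone withdraw cash immediately. The following is an added example, not any bank's code, of a back-end policy that closes that gap: a device enrolled with nothing more than phishable credentials sits in a cooldown before it can do cardless withdrawals, is held to a small daily cap afterwards, and every enrollment raises an alert to the previously registered contacts. Devices bound through a channel the phishing page cannot satisfy (approval on an already-trusted device, in-branch) are exempt. The class names, thresholds and the replayed timeline are all assumptions constructed for the example.

```python
"""Risk policy for cardless ATM withdrawals (added example; assumed names and thresholds)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Policy knobs. These values are assumptions for the example, not any bank's settings.
NEW_DEVICE_COOLDOWN = timedelta(hours=24)   # credential-only devices wait a day
NEW_DEVICE_DAILY_CAP = 500                  # and are capped per 24h after that
TRUSTED_ENROLLMENT = {"approved_on_existing_device", "in_branch"}


@dataclass
class Device:
    device_id: str
    enrolled_at: datetime
    enrolled_via: str  # "password_otp" is exactly what a phishing page can harvest


@dataclass
class Account:
    account_id: str
    devices: dict = field(default_factory=dict)        # device_id -> Device
    withdrawals: list = field(default_factory=list)    # (time, device_id, amount)
    alerts: list = field(default_factory=list)         # out-of-band notices to existing contacts


def enroll_device(account: Account, device: Device) -> None:
    """Bind a phone to the account and alert the contacts registered *before* this change."""
    account.devices[device.device_id] = device
    account.alerts.append(
        f"{device.enrolled_at:%Y-%m-%d %H:%M} device {device.device_id} added via {device.enrolled_via}"
    )


def record_withdrawal(account: Account, device_id: str, amount: int, now: datetime) -> None:
    account.withdrawals.append((now, device_id, amount))


def decide_cardless_withdrawal(account: Account, device_id: str, amount: int,
                               now: datetime) -> tuple:
    """Return ('allow' | 'step_up' | 'deny', reason) for a cardless ATM request."""
    dev = account.devices.get(device_id)
    if dev is None:
        return "deny", "device not enrolled on this account"
    if dev.enrolled_via in TRUSTED_ENROLLMENT:
        return "allow", "device bound through a channel the phishing page cannot satisfy"
    age = now - dev.enrolled_at
    if age < NEW_DEVICE_COOLDOWN:
        return "deny", f"device added {age} ago with only phishable credentials"
    spent_today = sum(a for t, d, a in account.withdrawals
                      if d == device_id and now - t < timedelta(hours=24))
    if spent_today + amount > NEW_DEVICE_DAILY_CAP:
        return "step_up", "daily cap for credential-only devices reached; confirm on an older device"
    return "allow", "within limits for a credential-only device"


def run_scenario() -> list:
    """Replay the attack shape from the article against the policy (constructed timeline)."""
    t0 = datetime(2018, 5, 1, 9, 0)
    acct = Account("victim-001")
    # The victim's real phone, enrolled months earlier through a trusted channel.
    enroll_device(acct, Device("phone-legit", t0 - timedelta(days=90), "in_branch"))
    # The phisher adds their own phone using the harvested username/password/OTP.
    enroll_device(acct, Device("phone-attacker", t0, "password_otp"))

    results = []
    # 1: cash-out attempt 30 minutes after enrollment is refused by the cooldown.
    results.append(decide_cardless_withdrawal(acct, "phone-attacker", 400, t0 + timedelta(minutes=30)))
    # 2: after waiting out the cooldown a small withdrawal passes, but is recorded.
    t1 = t0 + timedelta(hours=25)
    decision = decide_cardless_withdrawal(acct, "phone-attacker", 400, t1)
    results.append(decision)
    if decision[0] == "allow":
        record_withdrawal(acct, "phone-attacker", 400, t1)
    # 3: a second withdrawal the same day breaches the cap and forces a step-up on the old phone.
    results.append(decide_cardless_withdrawal(acct, "phone-attacker", 400, t1 + timedelta(hours=1)))
    # 4: the legitimate device is unaffected by any of this.
    results.append(decide_cardless_withdrawal(acct, "phone-legit", 400, t1))
    return results


if __name__ == "__main__":
    for decision, why in run_scenario():
        print(f"{decision:8} {why}")
```

The cooldown alone would have stopped the "add phone, walk to the ATM" pattern in both stories, because the victim receives the enrollment alert on the old phone during the waiting period; the daily cap and step-up limit what a patient attacker can take if the alert is ignored.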

A graphic from Mastercard touting the potential benefits of cardless ATM transactions.

As the January 2017 story illustrates, cardless ATM scams aren’t new, but they are becoming more prevalent as more banks turn to cardless ATM technology as a convenience for customers. This time last year, cardless ATMs were offered mainly by the big banks, and then only at some of their ATMs. Now, many smaller regional and local banks have upgraded their cash machines to enable the new technology.

Card giant Mastercard says its polling (PDF) suggests that 78 percent of consumers would rather use a cardless ATM solution than carry a physical card. I would wager that most U.S. cardholders still haven’t even heard of cardless ATMs, let alone could say whether or not their bank offers such transactions. Curious whether your bank supports cardless transactions? A quick online search for your bank’s name and the term “cardless ATM” should provide some clues.

In the meantime, remember never to respond to requests for personal or financial information sent via email, text message or over the phone. Phone-based phishing attacks are getting way more clever and are even snaring technology experts, as last month’s story shows. When in doubt, contact your financial institution directly either in person or by phone using the number on the back of your card.


53 comments

  1. I'm looking for new methods; can anyone recommend good business forums? Like carding?
    I was an Omerta member but no luck there.
    Back in the day there used to be more money in all types of carding business; now there's not much work in the carding field.

  2. The Sunshine State

    Wouldn’t using 2FA on your phone work with ATM access to stop this abuse? Without the 2FA code criminals would not be able to access a users account in the manner suggested in this article.

    • Not necessarily:

      “the thieves were able to use a phone number and mobile device they controlled and associate it with her Chase account simply by supplying her username and password.”

      Seems like they already had account access, so it was just a matter of exfiltrating the money.

    • Mike (Yes, another Mike)

      Good idea but criminals know how to phish 2FA authentication codes from people. Where the article references “one-time passcodes” that’s a 2FA code.

      In the cases where they’ve phished account credentials criminals add their own phones and can add their own 2FA too.

    • If the 2FA is SMS then 2FA would not work.

      This idea IMO is stupid in the extreme. Let's take away layers of security (weak though they might be: physical card needing a PIN, etc.) to assist the lazy in being stolen from?

      Poor form. Weren't banks created as a safe place to store items and money? Don't we PAY for this... this is their brilliant idea.

      Ugh, more victims that are EASIER to steal from? Forget it.

      • Banks sure are safe places to store money.

        If your money is stolen from an account, all you have to do is call customer support telling them you have been scammed, with a list of all the bad transactions, and often within minutes your money will be returned to you.

        This works with stolen ATMs, phishing... anything really.

        So yeah... banks are safe.

        • Yeah, except for wire transfers

          • The difference between a wire and an ATM withdrawal is the person/entity authorizing the wire/ATM transaction. Generally with ATM withdrawals the bank was hacked and authorized the withdrawal and is therefore held liable. With the wires, generally speaking, some threat actor has hacked, compromised, and gained access to an email account and initiated a wire using the victim's account. So generally speaking, with the email compromise wire fraud scheme the bank was not hacked, the email account was, and therefore the bank is not liable. At least that is how it has been treated up until this point.

            I’m not saying I agree with this, just saying this is typically how the banks look at these incidents.

  3. Another reason that I do not and will not have an ATM card associated with any of my accounts. Convenience is not everything.

    • You have 0 liability for any fraud so you are really inconveniencing yourself for no reason…

      • Yeah, but you have the loss of use of the money until you get it back, plus YOU (not the bank) face any consequences for any bounced financial transactions. And, you’re wholly liable if you don’t notice the fraud within their specified time window.

        That’s why I don’t have an ATM card OR a debit card. If something happens, it’s Someone Else’s Money.

      • This is only true with credit cards... not bank cards. Bank cards have more rules that make you responsible if you get phished.

  4. It would, but determined criminals will ATO the carrier and get a SIM or social engineer the customer for the OTP in real time. They do that now with other services. It's a speed bump only.

  5. One thing to help in all these situations is to force the financial companies to send mandatory email and text alerts whenever a person's account is changed in any way: passwords, phone numbers, etc. At least the person gets a notification and can act quickly if they see a bogus change. I realize it's after the fact, but it's how I stopped a hacker trying to drain my bank account not long ago.

    • ALWAYS use that option, EVERYWHERE. Saved our bacon when our contact info at one of our bank card holders had been changed INTERNALLY to an out-of-state address. Got an email indicating change of phone #, immediately logged in and saw the address change too, but they hadn’t changed the “alerts” addresses. My husband understood it to indicate that, unlike for me where all my profile info was one form on one page when filled out, internally it was segregated, so the perp accessed the first internal location that would have allowed additional cards to be sent to another location, seemingly unaware that I would receive immediate notification.

  6. Need cash? Write a check to cash and see a teller, forget the ATM or phone.
    Most banks are open late and half day on Saturday.

  7. Cardless not for me – in fact, the more physical
    operations I have to use the better. TWO-STAGE
    Verification for all cash transactions at least. If one
    had to wait for a few more seconds at the ATM to receive an Etac sms – who cares?

    As for the poster who will never use an ATM card on any account: he should adopt the topping up of that account just before leaving home. That way he could never lose more than the minimum $500 (?) to maintain that account.

    • Consumers don’t lose anything, except for the stolen money for a few hours (or whenever it’s reported.) Mild inconvenience in my opinion.

      I try not to be afraid of technology, just be diligent about security. Chase has enabled NFC cardless transactions on most of their ATMs, so that's a physical device (second factor) plus PIN. Probably the best balance between security and convenience at the moment.

  8. Banks need to advance their security options. I use a FIDO key for my Gmail accounts, and when I asked my bank if they could support U2F they said they do not have that option.

    I can add additional protection to my email but not to my bank account? Banks should be the leading edge of security, not the afterthought.

    • 15 years back my bank offered me a card reader for small businesses and wanted additional money if I wanted the pro version that supports encryption. A few days later the ATM forgot to ask me for my PIN but gave me my money nonetheless. Things have improved since then. But I guess if bank-grade security started like this...

    • Any loss due to theft is covered by theft and bank policies. You literally have nothing to lose, other than inconvenience while the theft is investigated. So what are you whining about?

      The cost of implementing newer security tools, like biometrics and keys, far exceeds any costs the bank might suffer from thefts and time spent on customer service in dealing with new technology support. Customers are incompetent with losing their ATM cards and passwords; they absolutely will screw up on using biometrics and keys.

      There is no reason for a bank to adopt new security tools. It’s an unnecessary expense for a problem that affects no one.

      • This is a moronic statement. Bank fraud that these stupid new technologies enable is only going to be detected if you notice it on your statement, or if they go hard and take everything you have..

        You’re saying I should spend half an hour a month reviewing transactions for a problem caused by stupid bank toy technology, just in case their stupid pointless tech allowed my money to be stolen? How about we just stick with cards?

        • No amount of technology can substitute for basic personal responsibility, which includes reconciling your bank statement monthly and reporting discrepancies to your bank.

          Don’t be lazy.

      • Until/Unless consumers see these features as a sufficient differentiator to preferentially bank with FIs that offer those features over those that don’t, in sufficient numbers to justify the expenditure, anyways. Or they start to lose enough to fraud that those costs outweigh the investment costs. Or a combination of both.

  9. Anyone know how I can contact Fifth Third Bank for help? One of their customers mistakenly used my email address for their account. I've tried to let them know, but they aren't listening. Meanwhile I keep getting notices about them and their account that contain private info I don't want to know.

    • If they have a local branch near you, your best bet is to walk in and talk to someone in person about your problem. Not to one of the tellers, but to one of the people you sit down with if you were to open an account yourself. They should have better authority/ability to help you out than whoever you’d get on the phone.

      Otherwise a phone call to the bank is probably your best option. You’ll probably have better luck going through the “fraud” menu options instead of general customer service or technical support. Even though this appears to be a mistake rather than malicious identity theft, it could technically be considered (accidental) identity theft, especially considering that it could (maybe?) have implications for your credit record if the account holder were to default or something. The fraud people should definitely have the authority and ability to fix your problem, or know how to connect you to those who do, since it is similar to the actual fraud they deal with every day (although with a different root cause).

    • I had an asshole plaintiff’s lawyer mistakenly send me very confidential documents to my gmail. I graciously pointed out his error, and then he started threatening me with fire and brimstone because of his mistake.

      Umm, okay. I don’t deal well with that sort of stuff, so I not-so-graciously mentioned that I was going to forward the info on to the defendant, along with a note to the plaintiff mentioning how his incompetent lawyer breached privilege.

      To make a long story short, be careful. Many organizations try to shoot the messenger.

      • This happens to me all the time. Banks, telcos, lawyers start sending me personal information by email and when I try to correct it they want my personal information. If they can’t protect their own customer data, I’m definitely not handing anything over.

  10. I’m not sure why Brian didn’t mention anything about 2 factors possibly fueling this scheme: SIM hijacking and the lack of federal laws to hold banks responsible for fraudulent ATM charges. There seems to be an obvious connection, at least to me

    • “…hold banks responsible for fraudulent ATM charges….”. Have you ever heard of Regulation E? Banks are your friend. Quit thinking of them as enemies.

  11. Cell phones not secure

    I don't do anything financial related on my cell phone. Mobile phones and networks are very insecure.

  12. I use my phone at the BOA ATM via NFC using G Pay and have never had a problem.

    The problem stems from phishing: a bank never texts you asking for your credentials, yet people fell for it.

  13. I got two almost simultaneous phishing texts yesterday purporting my Wells Fargo account was locked. I don't bank with WF, so WTF?

    • You are just on one of the many lists by which scammers get access to an e-mail or cellphone number and broadcast zillions of such messages. If it was sent to your e-mail, forward a copy (with full header information) to the relevant authorities (FTC, APWG, etc), including the real financial institution’s IT security department if there’s a special address they’ve set up for that function; if it was a cellphone SMS, there will be an analogous short-code set up by the carrier to use for reporting spam text messages.

  14. Interesting article. Good write-up. About the comments, come on, add a snark. What could you use for TFA? The card. Oh, and it's not just Android, but the other systems also. And don't forget to turn off the NFC. That's another hacked interface into your phone. Personally, I still use checks. No cards are attached to the money. And, yes, I still use the cashier. Old-fashioned, but if money is needed, at a dinner establishment, movie, or bar, a pay-as-you-go card.
    But some credit agencies do offer a service that calls you when the card is used. A very secure pass/fail that works. As part of their service, it slows down the filling of the gas tank, but.

  15. It’s troubling that as we approach 2019, organizations are still rolling-out “new and improved” security implementations based on SMS.

    It’s been over two years since NIST “saw the light” as to how SMS really wasn’t a good idea.

    See: https://www.schneier.com/blog/archives/2016/08/nist_is_no_long.html

  16. Re: “… as more banks turn to cardless ATM technology as a convenience for customers … ”

    Another classic line of BS spewed by the financial industry.

    This is nothing more than an attempt to reduce their OWN costs by eliminating the card-based infrastructure.

  17. Greedy banks. Lazy customers.

  18. Smartphones are low security devices, especially Android phones w/o security updates. It is a bad idea in the first place to tie your bank account to a smartphone. I prefer a physical card, where is it much harder to install anything malicious, any time.

  19. I’ve had the cardless ATM feature at my bank in Israel for several years. It’s implemented only by using their mobile app which has been previously registered on my phone. It comes in handy if my kids are out and need some cash, I can tell them to go to an ATM and get the cash for themselves.
    In my case the bank requires me to request the cardless withdrawal using the app, and I have to give it a date as a "password" for the ATM withdrawal; in addition it sends me a one-time code through the app or through SMS which has to be input into the ATM to get the money.

    Of course the weakness here is that the mobile app is “registered” to my phone by receiving an SMS to the phone number on file with my bank.

  20. Povl H. Pedersen

    How come the US always ends up with such bad second-grade solutions? I live in Denmark and we are many years ahead of the US.

    In Denmark we really don't need cash; even beggars accept MobilePay, and we use it when splitting the bill etc. This is a different solution, and also works on webshops. Enter your phone number, and the money request will be sent to your phone, where you have to approve it.

    We also have the e-dankort, which is likely close to Apple Pay/Google Pay. So by having the card on your phone, you can't be phished. Only hacked. And the security of your end-user device is something you can take responsibility for.

    We also use lots of contactless. I assume around 75% of all card payments are contactless these days. So skimmers are not worth much. And the rest is chip&pin. No magstripe.

    • Most businesses here will accept credit cards, but no chip+pin, just chip… You do still need cash in many places, like vending machines, older taverns/bars, and some smaller shops. Some places like those might take physical credit cards, but only your magnetic strip.

      The security surrounding our payment systems is obviously a gigantic joke, and the credit card companies don’t care. They will reissue a card and refund you on fraudulent credit transactions often without hesitation. Maybe they make enough money on all of the Americans with crippling debt to make up for the money lost on fraud…

  21. In East African markets, cardless ATM withdrawal has been standardised to require: mobile number, OTP and amount requested. The OTP is sent to the customer via email or SMS.

  22. Here is the catch with cardless ATM transactions: most if not all banks require you to enter your ACTUAL PIN and not just some one-time passcode, which is why Fifth Third Bank was targeted: at the time they did not require you to enter your ACTUAL PIN. I'm almost positive most banks require you to enter your ACTUAL PIN for cardless ATM transactions, which lets you not have your card present but still requires the PIN. Let's give a big round of applause for Fifth Third Bank for disservicing their customers by leaving them vulnerable, incorporating weak security measures in the name of convenience, unlike most banks. Do not only point the finger at the criminal but ALSO point the finger at those who made it possible for the criminals to succeed without really having to do much work. Makes you wonder what they are doing with all that money they are making.

  23. I use Apple Pay which is safer than all the other methods available. And have been taught to NOT follow a link from any message but to go directly to the suspected source, such as your bank login and test and see if it’s locked or needs any action.
