When banks introduced cardless ATM withdrawals, the new technology was praised as ‘the next big thing.’ Customers could withdraw cash from the bank’s ATM using only a mobile banking app instead of the standard plastic debit card. The new technology boosted convenience, facilitated ATM use in developing countries, and considerably improved security through the use of multiple verifications. Misplaced or forgotten cards were no longer a roadblock for customers, saving time spent retracing steps or retrieving a card.
To withdraw cash from cardless ATMs, customers signed into the bank’s mobile banking app, chose the account from which to withdraw money and clicked on the cardless ATM icon. When the verification code appeared on the ATM screen, they scanned it and entered their PIN code, and the cash was dispensed.
Despite vigorous efforts to strike the right balance between account security and consumer convenience, new technologies stimulate hacker creativity. Cardless ATMs seemed like a great innovation and a way to improve user experience, but they turned out to be a new revenue stream for hackers.
Alarmed customers received text messages, apparently from their bank, notifying them of locked accounts. These seemingly legitimate messages were a smishing attack. Unsuspecting customers were urged “to unlock” their accounts by entering their login details on what looked like the bank’s website but was, in fact, a fake site set up by attackers. In 2017 alone, ATM debit card fraud increased by 10%, partly due to a rise in account takeover attacks enabled by smishing.
Smishing, a malicious text or social media message, tricks victims into disclosing financial credentials by prompting them to open links to fake bank login pages and provide their personal login credentials, one-time passcodes, and PINs.
Scammers then use the obtained bank account details to log in to the victim’s account and add their own phone number to it. They can then request and receive cardless ATM access codes, enter them at the nearest ATM, and withdraw cash.
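On the bank's side, the sequence described above (a phone number newly added to an account, then a cardless ATM code requested to that same number) is a pattern that can be checked before cash is dispensed. The Python below is an added example, not part of the original article or any bank's code; the event field names, the 48-hour cooling-off window and the sample events are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real bank logs); field names are assumptions.
EVENTS = [
    {"ts": "2024-03-01T09:00:00", "account": "A1", "type": "login"},
    {"ts": "2024-03-01T09:05:00", "account": "A1", "type": "cardless_code_request", "phone": "+15550000001"},
    {"ts": "2024-03-02T22:10:00", "account": "B2", "type": "login"},
    {"ts": "2024-03-02T22:12:00", "account": "B2", "type": "phone_added", "phone": "+15550000099"},
    {"ts": "2024-03-02T22:20:00", "account": "B2", "type": "cardless_code_request", "phone": "+15550000099"},
    {"ts": "2024-01-10T10:00:00", "account": "C3", "type": "phone_added", "phone": "+15550000042"},
    {"ts": "2024-03-03T12:00:00", "account": "C3", "type": "cardless_code_request", "phone": "+15550000042"},
]

COOLING_OFF = timedelta(hours=48)  # assumed policy window, tune per institution


def flag_takeover_pattern(events, window=COOLING_OFF):
    """Return cardless code requests sent to a phone number added within `window`."""
    added = {}   # (account, phone) -> time the number was added to the account
    alerts = []
    # ISO-8601 timestamps in one format sort correctly as plain strings.
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        key = (ev["account"], ev.get("phone"))
        if ev["type"] == "phone_added":
            added[key] = ts
        elif ev["type"] == "cardless_code_request" and key in added:
            age = ts - added[key]
            if age <= window:
                # Recently enrolled number is asking for cash access: hold and verify.
                alerts.append({
                    "account": ev["account"],
                    "phone": ev["phone"],
                    "minutes_since_phone_added": int(age.total_seconds() // 60),
                })
    return alerts


if __name__ == "__main__":
    for alert in flag_takeover_pattern(EVENTS):
        print("HOLD cardless withdrawal pending out-of-band verification:", alert)
```

Account A1 (no number change) and C3 (number enrolled weeks earlier) pass; only B2, where the code goes to a number added minutes before, is held.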
Biometrics and QR codes deployed by banks add another layer of security but don’t prevent all account takeover attacks. To avoid such scams, you should be aware of the different methods attackers use to obtain your information. Most financial institutions will not ask for personal information via SMS or text message:
Learn more: What are phishing, smishing and vishing?