What You Should Know About Cardless ATM Fraud

People around the world are increasingly turning to their mobile phones to pay for everything from rent to restaurant bills, so it was only a matter of time before ATMs caught up. Some banks are installing cardless ATMs that don’t require debit cards to handle cash withdrawals, and while they promise security upgrades that fight some forms of ATM fraud, they also bring new vulnerabilities. Even if you don’t use cardless ATMs yourself, the transactions these machines enable can let thieves quickly convert a significant chunk of your bank balance into cash and take it for themselves with just a few key pieces of information. To help you protect yourself, we’ll explain how cardless ATM fraud works and what you should watch out for, so read on.

What are cardless ATMs?

Even though cardless ATMs are starting to spread, with Wells Fargo alone installing 13,000 of the machines throughout the country in 2017, many people still aren’t familiar with them. Cardless ATMs connect to your bank account using an app instead of your debit card, letting you withdraw cash with just your mobile phone. When you want to make a withdrawal at a cardless ATM, the app will generate some sort of verification key, such as a QR code for the ATM to scan or a numeric code you can punch in. Once you enter that verification key and your PIN, the ATM will process the transaction and dispense your cash. Some banks have their own proprietary apps that work with cardless ATMs, while others connect with popular mobile wallets, such as Google Pay and Apple Pay.

Not only are cardless ATMs supposed to complete transactions faster than traditional ATMs (one card processing company estimates withdrawing from a cardless ATM can take as little as 15 seconds, compared to a typical ATM’s 45 seconds), they also fix some security flaws. Because you aren’t putting a card into the machine, ATM skimmers and shimmers become completely ineffective at harvesting payment data from you. Plus, since cardless ATMs use a mobile app to access your account, any security measures you have on your phone also secure your ATM transactions. Not many ATMs have fingerprint scanners or facial recognition, but those security features are much more common on smartphones.

How does cardless ATM fraud work?

Even though cardless ATMs seem quite secure, there is one attack that fraudsters are using to exploit them: account takeovers. If a hacker manages to gain access to your online bank account, cardless ATMs can make it fairly easy for them to steal thousands of dollars in cash from you. Using your login credentials and your PIN, the criminal can register a mobile phone that they own to your account, and then use that phone to make withdrawals wherever they’re located. Not only can this get around the cardless ATM’s security, it can bypass any security features you may have on your phone as well. To make matters worse, for some reason, withdrawal limits on some cardless ATMs seem to be a lot higher than normal. While typically ATMs will only let you withdraw several hundred dollars per day, some cardless ATMs have withdrawal limits as high as $3,000.

So, how would an account takeover happen? The most common way would probably be via a phishing scam, as demonstrated by a cardless ATM fraud spree that targeted the Cincinnati area earlier this year. Scammers sent malicious text messages to customers of Fifth Third Bank falsely telling them their bank accounts were locked, and that to unlock their accounts they had to follow an included link. The link led to a fake bank website, which asked scam victims for their account credentials and sent that information to the scammers. Using the stolen credentials, the crooks were able to steal $108,000 from about 125 people through cardless ATMs before they were caught.

How can you avoid cardless ATM fraud?

The good thing about cardless ATM fraud is that it doesn’t use any forms of attack that are especially new or complex. Hopefully you already know that you should keep your bank account username, password and PIN secret, and that you should be suspicious of any urgent-sounding email or text messages you receive that ask you to follow a link. If you do receive a message like this, call or email the institution that supposedly sent it using contact information you find on an official website or, in the case of a financial institution, on the back of your bank card. Additionally, even if your mobile phone is secure, take any extra steps you can to secure your online banking accounts, such as adding two-factor authentication to them. You may also want to turn on email alerts for your bank accounts so you receive an email with every ATM transaction. That said, if a clever hacker is already in your account, they may be able to change your registered contact email so you don’t receive any alert messages.
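For readers who work on the bank side, here is an added example (not from the original article and not any bank's real system) of how the takeover pattern described above could be caught in account activity: a cardless withdrawal from a phone that was registered only hours earlier, made more suspicious when the contact email was changed in the same period. The event names, account IDs, dates and the 24-hour window are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, account, event type, device).
# Not real bank data; the event type names are assumptions for this example.
EVENTS = [
    ("2019-03-01T10:00:00", "acct-1", "device_registered", "phone-A"),
    ("2019-06-10T14:02:00", "acct-1", "device_registered", "phone-X"),
    ("2019-06-10T14:05:00", "acct-1", "contact_email_changed", ""),
    ("2019-06-10T15:30:00", "acct-1", "cardless_withdrawal", "phone-X"),
    ("2019-01-15T09:00:00", "acct-2", "device_registered", "phone-B"),
    ("2019-06-11T12:00:00", "acct-2", "cardless_withdrawal", "phone-B"),
    ("2019-02-01T08:00:00", "acct-3", "device_registered", "phone-C"),
    ("2019-06-12T09:00:00", "acct-3", "device_registered", "phone-D"),
    ("2019-06-12T18:00:00", "acct-3", "cardless_withdrawal", "phone-C"),
]

def flag_takeovers(events, window=timedelta(hours=24)):
    """Return (account, device, reasons) for every cardless withdrawal made
    from a phone that was registered less than `window` before it."""
    registered = {}     # (account, device) -> time the phone was registered
    email_changed = {}  # account -> time of the latest contact email change
    alerts = []
    # ISO timestamps in one format sort correctly as plain strings.
    for ts, account, kind, device in sorted(events):
        when = datetime.fromisoformat(ts)
        if kind == "device_registered":
            registered[(account, device)] = when
        elif kind == "contact_email_changed":
            email_changed[account] = when
        elif kind == "cardless_withdrawal":
            reg = registered.get((account, device))
            # A phone with no registration in the log, or one registered long
            # ago, is treated as the customer's established device.
            if reg is None or when - reg > window:
                continue
            reasons = ["new_device"]
            changed = email_changed.get(account)
            # An email change shortly before the withdrawal may mean the
            # customer's transaction alerts were redirected.
            if changed is not None and when - changed <= window:
                reasons.append("contact_email_changed")
            alerts.append((account, device, reasons))
    return alerts

if __name__ == "__main__":
    for alert in flag_takeovers(EVENTS):
        print(alert)
```

Only acct-1 is flagged: acct-2 withdraws from a long-established phone, and acct-3 registers a new phone but withdraws from the old one.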

Cardless ATMs may well be more secure than standard ones, but unfortunately, they also shift more of the burden of security onto consumers. To learn more about keeping bad guys out of your life and away from your money, follow our identity theft protection blog.