At new eATMs, customers can get cash without a card—and so can hackers

Convenience comes with a price; strong passwords are more important than ever


More troubling evidence that banks and retailers push convenience on consumers to boost profits—while knowingly making it easier for criminals to steal—arose this week.
Case in point: the terribly bungled rollout of newfangled “eATM” cash machines by Chase. Last year, you may recall, Chase promised to upgrade all its ATMs to this fun new technology.

The so-called eATMs use smartphones instead of debit cards to authenticate users. Smartphones, indeed, are a very reliable way to make sure someone is who they say they are. And consumers now are pretty used to the smartphone text two-factor authentication game. With chip-enabled ATMs hopelessly far off, this new technology is seen as an upgrade over magnetic-stripe debit cards.

Related infographic: Fraudsters handily adjust to new EMV chip cards

Chase, Wells Fargo and Bank of America are all moving to new eATMs. Their promotions herald how customers can even use apps to pick the denominations of cash they want with their withdrawals. Plus, it’s sort of cool. Eventually, consumers will use “tap-and-pin” to get cash, simply waving their phones near a machine and entering a code to get money.

Holes in system emerge

But now comes an example of Chase turning smartphone authentication into a very dumb system: the sad fate of San Francisco resident and Chase patron Kristina Markula was disclosed by investigative blogger Brian Krebs.
It seems Markula had never even heard of eATMs. She had no idea someone could withdraw cash from her account at an ATM without her debit card. So there she was, a California resident traveling in Mexico, when she spotted a $2,900 hole in her balance, created by a withdrawal from a Chase machine in Florida.

Far worse, when she called Chase to complain, the bank denied her dispute several times. “We confirmed that the disputed charges were correct and we will not be making an adjustment to your account,” says a letter she received from Chase, according to Krebs’ site.

There are several disturbing elements to this story. Criminals were able to get the bank to send them text messages that unlocked cash at Chase ATMs. With the text messages and little (nothing?) else, the bad guys were raiding consumers’ bank accounts.

Smart tech, dumb security

This shows how a really sophisticated authentication technology was truly dumbed down by Chase for this trial. As Krebs describes it, it seems only a text message was required to dispense cash. So much for fancy multi-data-point authentication.

One curious wrinkle involves the trick criminals used to “intercept” the cash-unlocking text intended for Markula’s phone. She was told that a criminal had used stolen credentials to log into her online bank account and added a second cell phone to it. The criminal also changed the contact email on the account, presumably so Markula wouldn’t receive any notification about all this account activity.

Then, that second phone was used to get the text needed to withdraw the $2,900. If you are like me, you are wondering, “On what planet can someone withdraw $2,900 in one day from a single account at an ATM?” On the planet where eATMs are regarded as more secure, one would suppose.
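As an added illustration (not from the article, Krebs’ post or any bank’s systems), here is the kind of fraud-detection rule a bank could run over its own account-activity events: it flags a cardless withdrawal that closely follows a newly added phone number or a contact-email change, or that pushes the day’s cardless total over a cap. The event log, the 48-hour window and the $500 daily cap are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real data). Account A1 follows the pattern
# described above: new phone added, contact email changed, then a cardless
# withdrawal hours later in another state. Account A2 is benign activity.
EVENTS = [
    {"ts": "2016-03-01T09:02:00", "account": "A1", "type": "login"},
    {"ts": "2016-03-01T09:05:00", "account": "A1", "type": "phone_added"},
    {"ts": "2016-03-01T09:06:00", "account": "A1", "type": "email_changed"},
    {"ts": "2016-03-01T13:40:00", "account": "A1", "type": "cardless_withdrawal",
     "amount": 2900, "state": "FL"},
    {"ts": "2016-03-01T10:00:00", "account": "A2", "type": "phone_added"},
    {"ts": "2016-03-10T10:00:00", "account": "A2", "type": "cardless_withdrawal",
     "amount": 60, "state": "CA"},
]

CONTACT_CHANGES = {"phone_added", "email_changed"}
WINDOW = timedelta(hours=48)  # assumed cooling-off period after a contact change
DAILY_LIMIT = 500             # assumed cap on cardless withdrawals per account per day


def flag_withdrawals(events, window=WINDOW, daily_limit=DAILY_LIMIT):
    """Return [(account, timestamp, reasons)] for every cardless withdrawal that
    occurs within `window` of a contact change on the same account, or that
    takes the account's cardless total for that calendar day above `daily_limit`."""
    events = sorted(events, key=lambda e: datetime.fromisoformat(e["ts"]))
    changes = {}        # account -> [(time, change_type)] seen so far
    daily_totals = {}   # (account, date) -> running cardless total
    flagged = []
    for e in events:
        t = datetime.fromisoformat(e["ts"])
        acct = e["account"]
        if e["type"] in CONTACT_CHANGES:
            changes.setdefault(acct, []).append((t, e["type"]))
            continue
        if e["type"] != "cardless_withdrawal":
            continue
        # Reason 1: a phone/email change landed shortly before this withdrawal.
        reasons = {kind for when, kind in changes.get(acct, [])
                   if timedelta(0) <= t - when <= window}
        # Reason 2: cumulative cardless cash for the day exceeds the cap.
        key = (acct, t.date())
        daily_totals[key] = daily_totals.get(key, 0) + e["amount"]
        if daily_totals[key] > daily_limit:
            reasons.add("over_daily_limit")
        if reasons:
            flagged.append((acct, e["ts"], sorted(reasons)))
    return flagged
```

Run on the sample events, only account A1’s $2,900 withdrawal is flagged, with all three reasons; A2’s small withdrawal nine days after its phone change is not.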

One could imagine that the roll-out of perhaps the biggest change to ATMs in decades could be bumpy. But the kicker to this story is that Chase:
• Was in the middle of a big new test
• Was actively being exploited
• And yet gave a victim, who lost $2,900, a hard time

Letting down customers

How could Chase fraud investigators not be primed and ready to immediately assist victims of this new crime? How could Markula, and a bunch of other yet unknown victims, not be on some list somewhere, destined for preferential treatment?
eATMs can be great, for as long as cash stays relevant in the United States. It sure would be a shame if they led to inferior, instead of superior, security.

Meanwhile, consumers, here’s a really important message: when your bank turns on eATM functionality, maintaining strong passwords becomes more important than ever. Because here’s the harsh reality: If you can get cash from your checking account without your debit card, so can a criminal.

