Cardless ATMs allow customers to access bank accounts using their phones instead of a card. These transactions are not only faster than those requiring a card, they are generally more secure. They eliminate the risk of scammers getting your card data with skimmers and they use the security features of your phone (such as fingerprint scanners and facial recognition) to secure your account. However, cardless ATMs cannot control the greatest security danger of all: the user.
How do cardless ATM transactions work? The customer opens the banking app on their smartphone and generates a code. After punching the code in at the ATM, scanning the code or tapping the phone against a sensor, they get their cash. It is more convenient for the customer because they don’t have to carry a card and remember a PIN and, because customers are not swiping their ATM cards, the risk of card data being stolen by a skimmer is eliminated. But they are not without risk. If they get your login credentials fraudsters can register a mobile phone that they own to your account, then use it to make withdrawals.
In May 2018 Fifth Third Bank began hearing from customers that they were receiving text messages informing them their accounts were locked and directing them to a phishing site where they were asked to enter their account credentials. Enough bank customers complied that the scammers were able to withdraw a total of more than $100,000 from 125 accounts.
Al Pascual, head of fraud and security at Javelin Strategy and Research, points out that, “When banks offer a new way to move money, it’s a clarion call for criminals to punch giant holes through it.” He recommends that there should be low limits on the amount of cash that can be withdrawn by a newly-registered phone number and that banks add more steps to verify the user’s identity when they add a mobile phone number to an account. He also suggests that when a new number is added, an alert should go out to all other devices related to that account.
You can avoid cardless ATM fraud by keeping banking credentials secret and not responding to texts or emails directing you to follow a link to verify or modify your account information. Enable two-factor authentication on your banking accounts, and turn on email alerts so that you are notified about every ATM transaction.
