
SoylentNews is people

posted by on Monday January 09 2017, @05:43PM
from the customer-convenience dept.

Some financial institutions are now offering so-called "cardless ATM" transactions that allow customers to withdraw cash using nothing more than their mobile phones. But as the following story illustrates, this new technology also creates an avenue for thieves to quickly and quietly convert stolen customer bank account usernames and passwords into cold hard cash. Worse still, fraudulent cardless ATM withdrawals may prove more difficult for customers to dispute because they place the victim at the scene of the crime.

San Francisco resident Kristina Markula told KrebsOnSecurity that it wasn't until shortly after a vacation in Cancun, Mexico in early November 2016 that she first learned that Chase Bank even offered cardless ATM access. Markula said that while she was still in Mexico she tried to view her bank balance using a Chase app on her smartphone, but that the app blocked her from accessing her account.

[...] Upon returning to the United States, Markula called the number on the back of her card and was told she needed to visit the nearest Chase bank branch and present two forms of identification. At a Chase branch in San Francisco, she handed the teller a California driver's license and her passport. The branch manager told her that someone had used her Chase online banking username and password to add a new mobile phone number to her account, and then move $2,900 from her savings to her checking account.

The manager told Markula that whoever made the change then requested that a new mobile device be added to the account, and changed the contact email address for the account. Very soon after, that same new mobile device was used to withdraw $2,900 in cash from her checking account at the Chase Bank ATM in Pembroke Pines, Fla.

-- submitted from IRC
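The sequence in the story (credentials used to add a phone number, sweep savings into checking, enrol a new device, change the contact e-mail, then cash out at an ATM in another state) is a recognisable pattern that a bank's fraud controls could score before releasing cash. The following is an added example, not code from the article, from Chase, or from KrebsOnSecurity; the event names, the 72-hour window and the hold threshold are assumptions chosen for illustration.

```python
from datetime import datetime, timedelta

PROFILE_CHANGES = {"phone_added", "email_changed", "device_enrolled"}
HOLD_THRESHOLD = 4  # assumed policy value, not a Chase setting

def assess_withdrawals(events, home_states, window=timedelta(hours=72)):
    """Score each cardless withdrawal by the account changes that preceded it."""
    parsed = [(datetime.fromisoformat(ts), k, a) for ts, k, a in events]
    results = []
    for when, kind, attrs in parsed:
        if kind != "cardless_withdrawal":
            continue
        recent = [(t, k, a) for t, k, a in parsed if when - window <= t < when]
        score, reasons = 0, []
        # Each distinct kind of profile change shortly before a cash-out adds risk.
        changes = {k for _, k, _ in recent if k in PROFILE_CHANGES}
        score += len(changes)
        reasons += sorted(changes)
        # The device doing the withdrawing was enrolled less than a day earlier.
        if any(k == "device_enrolled" and a["device"] == attrs["device"]
               and when - t < timedelta(hours=24) for t, k, a in recent):
            score += 2
            reasons.append("withdrawing device enrolled <24h ago")
        # Savings were swept into checking and the withdrawal drains that amount.
        swept = sum(a["amount"] for _, k, a in recent
                    if k == "transfer" and a["to"] == "checking")
        if swept and attrs["amount"] >= 0.8 * swept:
            score += 1
            reasons.append("withdrawal matches recent savings-to-checking transfer")
        # Cash-out far from where the customer normally banks.
        if attrs["atm_state"] not in home_states:
            score += 1
            reasons.append("ATM outside home states")
        results.append({"when": when.isoformat(), "score": score, "reasons": reasons,
                        "action": "hold_for_verification" if score >= HOLD_THRESHOLD else "allow"})
    return results

# Constructed sample logs (not from the article), modelled on the sequence it describes.
FRAUD_EVENTS = [
    ("2016-11-10T14:02", "login", {"device": "dev-new"}),
    ("2016-11-10T14:05", "phone_added", {"device": "dev-new"}),
    ("2016-11-10T14:09", "transfer", {"device": "dev-new", "to": "checking", "amount": 2900}),
    ("2016-11-10T14:12", "device_enrolled", {"device": "dev-new"}),
    ("2016-11-10T14:15", "email_changed", {"device": "dev-new"}),
    ("2016-11-10T15:40", "cardless_withdrawal", {"device": "dev-new", "amount": 2900, "atm_state": "FL"}),
]
BENIGN_EVENTS = [
    ("2016-11-20T09:00", "login", {"device": "dev-home"}),
    ("2016-11-20T09:03", "cardless_withdrawal", {"device": "dev-home", "amount": 100, "atm_state": "CA"}),
]
```

Run against FRAUD_EVENTS with home_states={"CA"} the withdrawal scores 7 and is held for verification, while the long-enrolled home device withdrawing a small amount in-state scores 0 and is allowed.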


  • (Score: 3, Insightful) by bradley13 on Monday January 09 2017, @06:29PM

    by bradley13 (3053) on Monday January 09 2017, @06:29PM (#451551) Homepage Journal

    The current trend of turning your phone into your wallet is...not very intelligent. Your phone has far more access than, say, your wallet: If you lose your wallet, thieves may have your cards, but they don't have your PINs and passwords. With the phone, and stupid apps, they may get the complete package.

    However, the main issue in this story is a different one:

    - How did the thieves get her account number and password? TFA provides no information on this at all, but it seems possible that the Chase banking app was MITM'd. Heck, maybe it even sends stuff in plain text - banking software really is sometimes that bad.

    - How did they then convince the bank to associate a completely different phone with her account? Where is the verification of identity? A simple password should not have sufficed for an important change like that.

    - Then, TFA makes it clear that the banking app does not require any sort of 2FA; just an account and a password, which then permanently associates your phone with your account.

    - Only the last step involves "cardless" ATM withdrawals. The security loopholes that opens up should give bank executives nightmares: I'm sure many of us can think of...interesting...ways to attack that, even without having any account information. I'd bet that even a simple replay attack has a pretty good chance of working.

    So the real story is crappy security from beginning to end, on the part of Chase Bank.

    --
    Everyone is somebody else's weirdo.
  • (Score: 3, Interesting) by DannyB on Monday January 09 2017, @06:32PM

    by DannyB (5839) Subscriber Badge on Monday January 09 2017, @06:32PM (#451553) Journal

    the real story is crappy security from beginning to end, on the part of Chase Bank.

    Crappy Security results in Bank Robbery.

    Sir, I still have my identity, and my wallet, my phone, my bank cards, etc. It sounds like someone robbed your bank and you made it easy for them to do so.

    --
    To transfer files: right-click on file, pick Copy. Unplug mouse, plug mouse into other computer. Right-click, paste.
  • (Score: 3, Insightful) by pendorbound on Monday January 09 2017, @07:30PM

    by pendorbound (2688) on Monday January 09 2017, @07:30PM (#451579) Homepage

    Depends on the phone. Assuming you've made it impossible for a thief to add another phone that isn't mine (which is where Chase failed), and we're only talking about the security risk if you get my actual phone, I'll take my phone over plastic cards any day. You need my finger print to unlock my iPhone and access any of my banking apps or use it for ApplePay. You just need to find my dropped wallet on the ground to be able to use any of my cards (even with chips) for as long as it takes me to call all the banks and cancel them.

  • (Score: 4, Informative) by frojack on Monday January 09 2017, @09:31PM

    by frojack (1554) on Monday January 09 2017, @09:31PM (#451658) Journal

    Seems to me you answered your own questions when posting your first point:

    How did the thieves get her account number and password

    Any number of ways. Once you get that, you log in and change whatever else you want online.

    As for your suggestion that Chase sends things over cleartext in its app, that is simply not true: From Chase Site:

    What security features are in place to protect my account information on my Phone?

    We use 128-bit Secure Socket Layer (SSL) technology to encrypt your personal information such as User IDs, Passwords and account information. The Chase Mobile® app will decode any encrypted information we send you. We also use multifactor authentication that verifies that you own the accounts you want to access when you first log in using the Chase Mobile app. To do this, you'll need to request an Identification Code, which you can receive by email, phone or text message.

    Note that information was in TFS, as well:

    in Mexico she tried to view her bank balance using a Chase app on her smartphone, but that the app blocked her from accessing her account.

    You have to wonder what steps she THEN took after the app failed. Did she try her phone's browser and get re-directed to some cloned site where she had to key in her password and account number? I'm betting she did.

    The story is weak, the timeline is incomplete. We don't know the full sequence of events, or how many dodgy Open WIFI routers she connected to in order to avoid international roaming fees. We also don't know how savvy she was about https vs http and cloned sites, links in email, etc. We don't know what else she tried after the Chase APP refused to operate.

    Still, blind trust in SSL/TLS has been unwarranted since Snowden revealed all the hacks used long ago and the newer ones found last year [thehackernews.com].
    There really are a number of problems here. BUT had she STUCK TO THE CHASE APP, probably none of this would have happened.

    --
    No, you are mistaken. I've always had this sig.