SoylentNews is people

posted on Monday January 09 2017, @05:43PM
from the customer-convenience dept.

Some financial institutions are now offering so-called "cardless ATM" transactions that allow customers to withdraw cash using nothing more than their mobile phones. But as the following story illustrates, this new technology also creates an avenue for thieves to quickly and quietly convert stolen customer bank account usernames and passwords into cold hard cash. Worse still, fraudulent cardless ATM withdrawals may prove more difficult for customers to dispute because they place the victim at the scene of the crime.

San Francisco resident Kristina Markula told KrebsOnSecurity that it wasn't until shortly after a vacation in Cancun, Mexico in early November 2016 that she first learned that Chase Bank even offered cardless ATM access. Markula said that while she was still in Mexico she tried to view her bank balance using a Chase app on her smartphone, but that the app blocked her from accessing her account.

[...] Upon returning to the United States, Markula called the number on the back of her card and was told she needed to visit the nearest Chase bank branch and present two forms of identification. At a Chase branch in San Francisco, she handed the teller a California driver's license and her passport. The branch manager told her that someone had used her Chase online banking username and password to add a new mobile phone number to her account, and then move $2,900 from her savings to her checking account.

The manager told Markula that whoever made the change then requested that a new mobile device be added to the account, and changed the contact email address for the account. Very soon after, that same new mobile device was used to withdraw $2,900 in cash from her checking account at the Chase Bank ATM in Pembroke Pines, Fla.

-- submitted from IRC


  • (Score: 2) by gringer (962) on Monday January 09 2017, @06:48PM (#451561)

    Had there been a bit more information provided, this might not have happened. I know of a few web services that will email both accounts when there is a change of email address. The same could (and should) be done for other forms of contact. No mention of the other contact, just something saying something like "Hi $firstName, it's $bank here. Your contact details have recently changed; if this change was not made by you or is not correct, please contact the bank immediately (having ready additional personal details that we haven't specified in this letter), as it could indicate fraudulent access to the account."

    --
    Ask me about Sequencing DNA in front of Linus Torvalds [youtube.com]
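One way to implement the notification described in the comment above, as an added example that is not part of the original comment or any bank's code. It goes one step further than the comment by also notifying contacts removed within a lookback window; `Contact`, `change_contact`, `render_notice`, the `replace` flag and the 30-day `LOOKBACK` are hypothetical names and values chosen here, and all addresses are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from string import Template
from typing import Optional

# Wording follows the comment; no contact value, old or new, is interpolated.
NOTICE = Template(
    "Hi $firstName, it's $bank here. Your contact details have recently "
    "changed; if this change was not made by you or is not correct, "
    "please contact the bank immediately.")
LOOKBACK = timedelta(days=30)  # assumption: replaced contacts stay notified this long

@dataclass
class Contact:
    kind: str                            # "email" or "sms"
    value: str
    added: datetime
    removed: Optional[datetime] = None   # None means still on file

def change_contact(history, kind, new_value, now, replace=True):
    """Record a contact change; return the (kind, value) pairs to notify."""
    # Recipients are collected BEFORE history is modified: everything on
    # file plus anything removed within LOOKBACK, so a chain of changes
    # cannot push the account owner out of the loop.
    recipients = {(c.kind, c.value) for c in history
                  if c.removed is None or now - c.removed <= LOOKBACK}
    if replace:
        for c in history:
            if c.kind == kind and c.removed is None:
                c.removed = now
    history.append(Contact(kind, new_value, now))
    recipients.add((kind, new_value))    # the new contact gets the same notice
    return sorted(recipients)

def render_notice(first_name, bank):
    return NOTICE.substitute(firstName=first_name, bank=bank)

def demo():
    """Constructed data: a phone is added, then the email is replaced three times."""
    t0, t1 = datetime(2020, 1, 1), datetime(2021, 3, 1, 9, 0)
    history = [Contact("email", "owner@example.com", t0),
               Contact("sms", "+15550100", t0)]
    a = change_contact(history, "sms", "+15550199", t1, replace=False)
    b = change_contact(history, "email", "second@example.net", t1 + timedelta(minutes=5))
    c = change_contact(history, "email", "third@example.org", t1 + timedelta(days=10))
    d = change_contact(history, "email", "fourth@example.org", t1 + timedelta(days=60))
    return a, b, c, d

if __name__ == "__main__":
    for step in demo():
        print(step)
    print(render_notice("Alex", "ExampleBank"))
```

Because a newly added contact also receives the notice, the message text carries no contact value at all. Once a replaced address ages past `LOOKBACK` it stops receiving notices, as the last step of `demo()` shows.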