A lot of the new technology surrounding financial transactions is aimed at reducing the threat of fraud while improving consumers’ security and convenience. Of course, anything that can make the process more streamlined and more cost-effective for the banks is good, too, considering their operating costs have an impact on their customers. But a new technology that was recently piloted by Chase has already come under attack from identity thieves who’ve successfully stolen customers’ money.

The so-called “cardless” ATM option allows consumers to use their smartphones at an ATM to withdraw cash from their accounts. It’s similar to the new mobile wallets that let you store your card information on your phone and pay at the register instantly through an app. In much the same way, you would take your phone to the ATM, open your banking app, select the amount of money you want to withdraw from your account, and wait for a unique code to appear on your phone’s screen. The ATM will then ask for the code, and after punching it in or scanning it, your cash is dispensed from the machine.

Mobile wallets and cardless ATM transactions work on the notion that your phone is a highly protected device. Most of us dedicated users would never let it out of our sight, and to be honest, it’s practically as important as your wallet already…if your wallet cost hundreds of dollars and was made by a major tech company!

The fraud works like this: by gaining access to your online banking username and password, thieves open your bank’s app on their phones. They add their own mobile phone number to your account and then conduct the transaction at an ATM from anywhere they choose. It’s hard to prove your innocence when your account is drained because “you” added the phone number and “you” made the withdrawal at an ATM.

KrebsOnSecurity recently posted a detailed report of one victim’s experience, not only in having her money stolen but in the frustration of trying to prove she wasn’t the one who withdrew almost $3,000 out of her account not once but twice. Fortunately, Krebs was able to speak to Chase for an explanation, and the company provided additional information on a fraud ring in Florida that had stolen from multiple victims. They’ve also stated that the victim in this example was not at fault after all.

With any new technology, consumers have to decide if it is right for them or not. Ironically, in this case, not setting up a mobile number in their accounts may have contributed to the victims being targeted. Without their mobile number or text alerts enabled, the bank couldn’t automatically contact them when someone added another number to their accounts.

Of course, one of the key ways to prevent this type of crime is to change your password routinely on all of your sensitive accounts and to make sure that you’re only using strong, unique passwords. The more numbers, letters, and symbols your password contains, the less likely someone is to steal it. If you’re using the same password on multiple accounts—or using the, unfortunately, common password, “password1”—you’re at higher risk of someone gaining access to your accounts.  It is also important to consider implementing two-step or two-factor authentication with your financial institution when available.


How much information are you putting out there? It’s probably too much. We are here to help you stop sharing Too Much Information. Sign up for the TMI Weekly.