When will banks give us easy biometrics?

News comes to us from Ohio, where fraudsters stole more than $100,000 from bank accounts, via ATM withdrawals. But no debit cards were stolen.

That’s right, thieves have worked out how to abuse the “cardless” ATM systems some banks are using: phish the customer’s username, password, PIN and one-time code, register their own phone on the account, then pull cash out with that phone. It’s very convenient for customers, but also very insecure.

It’s yet another nail in the coffin of the password. In this week’s ID Blogwatch, we phish for cash.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: long long long…



What’s the craic? Brian Krebs cycles in, with Phishing + Cardless ATM = Profit:

A number of financial institutions are now offering cardless ATM transactions that allow customers to withdraw cash using nothing more than their mobile phones. But this also creates an avenue of fraud.

…

Recent arrests in Ohio shed light on how this scam works. … The text messages contained a link to unlock their accounts and led customers to a Web site that mimicked the legitimate [bank] site.

…

[It] prompted visitors to enter their account credentials — including usernames, passwords, one-time passcodes and PIN numbers. [These] scams aren’t new, but they are becoming more prevalent as more banks turn to cardless ATM technology as a convenience for customers.

…

Phone-based phishing attacks are getting way more clever and are even snaring technology experts.



How? Kim Komando commands you refer to her as Digital Goddess:

Have you heard of cardless ATMs yet? A growing number of banks are now allowing customers to withdraw money from these machines with just their smartphones.

…

It’s convenient, for sure. … However, it comes with its own set of loopholes. The problem is that criminals … with the help of SMS text-based phishing (also known as smishing) [are] now able to use stolen credentials to quickly drain an account.

…

The thieves will log in to your bank as you, add their own phone number to your account and then use it to withdraw your funds from cardless ATMs with just their smartphones. … In fact last year, a woman in California had almost $3,000 stolen from a cardless ATM when thieves were able to add a phone number to her account by merely providing her username and password.

…

Cardless ATMs offer … conveniences to customers, but unless banks shore up their security against phishing scams, they are likewise convenient to criminals.



Who? Here’s Sarah Brookbank—Man faces federal wire fraud charges:

In connection to the theft of more than $106,000 … Ciprian-Raducu Antoche-Grecu has been charged with wire fraud. He is one of four individuals arrested in connection to the thefts from ATMs in Michigan, Illinois and Ohio.

…

Affected customers received texts with a link to a site that mimicked [the bank’s] actual site. … This led to about 125 customers’ private information being compromised.

…

Court documents said probable cause was found. Now the case will be sent to a federal grand jury.



Given that, nimble2 alleges an allegation:

The scammers were apparently caught, presumably because they were morons who probably didn’t realize that they could be identified by cameras located in or near the ATMs and/or by their cell phones.



When phishers phish, we all lose, says Jonathan Lydall:

When I was working Customer Service for Blizzard Europe … around 2010, about half of CS cases were in regards to customers having been victims of their account being compromised and cleaned out. … In all cases it was the “fault” of the customer [mainly because they] fell for phishing scams.

…

Back in 2010, Blizzard easily spent €1M monthly (in Europe alone) on Customer Service and if half of that was dealing with compromised accounts (for a non-financial institution), we can only imagine how much money gets lost globally.

…

I acknowledge that saying this is the “fault” of the customer seems unfair. … While the fault does ultimately lie with the bad actors, the fact is that while material things (such as money, or food) are important, there will always be bad actors … at the expense of the rest of society.



Along similar lines, here’s Ferity2:

[It’s] been a headache at work recently. We are having to close out their old account and reopen a new one to just completely wash the client.

…

Clients are also being forced to add a verbal password when they call in.



And LOL TLA BBQ! JLW is troubled:

It’s troubling that as we approach 2019, organizations are still rolling out “new and improved” security implementations based on SMS. It’s been over two years since NIST “saw the light” as to how SMS really wasn’t a good idea.

…

This is nothing more than an attempt … by the financial industry … to reduce their OWN costs by eliminating the card-based infrastructure.



But still we let them, grumbles newnewpdro:

One day the public will better appreciate physical isolation of separate concerns. Until then, expect more of this kind of thing with your single devices used for everything.



The bottom line:

Passwords and PINs are not safe, and neither is most two-factor auth: anything a customer can type into a fake site, a crook can relay to the real one. Banks need to offer simple-to-use biometrics—and they need to do it now.
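To make the point concrete, here is an added toy model (not any bank’s code, and not from any of the sources quoted above) of the chain Komando describes: the smishing page relays the victim’s password and one-time code to the real bank inside the code’s validity window, adds the crook’s phone number, and withdraws. The second half shows why an origin-bound challenge/response does not relay: the victim’s device signs the challenge together with the site it is actually on, so an assertion produced on the phishing origin fails at the bank. The bank, accounts, phone numbers and origins are constructed; an HMAC with a device-held key stands in for the public-key signature a real authenticator would use.

```python
"""Constructed model: OTP relay via a phishing site succeeds, origin-bound login does not.
Nothing here is a real bank's implementation."""
import hashlib
import hmac
import secrets
import struct

BANK_ORIGIN = "https://bank.example"           # constructed
PHISH_ORIGIN = "https://bank-unlock.example"   # constructed smishing site
STEP = 30                                      # one-time code window in seconds


def totp(secret: bytes, now: float, step: int = STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 6 digits) with an explicit clock so runs are deterministic."""
    counter = struct.pack(">Q", int(now) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class ToyBank:
    def __init__(self):
        self.accounts = {}
        self.challenges = {}

    def enroll(self, user, password, phone):
        acct = {"pw": password, "otp_secret": secrets.token_bytes(20),
                "device_key": secrets.token_bytes(32), "phones": {phone}, "balance": 5000}
        self.accounts[user] = acct
        return acct

    # Legacy flow: password plus a code the customer types. Whatever is typed can be relayed.
    def login_otp(self, user, password, code, now):
        a = self.accounts.get(user)
        if not a or not hmac.compare_digest(a["pw"], password):
            return None
        if not hmac.compare_digest(totp(a["otp_secret"], now), code):
            return None
        return {"user": user}

    def add_phone(self, session, phone):
        self.accounts[session["user"]]["phones"].add(phone)

    def cardless_withdraw(self, user, phone, amount):
        a = self.accounts[user]
        if phone not in a["phones"] or amount > a["balance"]:
            return False
        a["balance"] -= amount
        return True

    # Origin-bound flow: the bank verifies the assertion against ITS origin, not the one the user saw.
    def new_challenge(self, user):
        c = secrets.token_bytes(32)
        self.challenges[user] = c
        return c

    def login_bound(self, user, assertion):
        a = self.accounts.get(user)
        c = self.challenges.pop(user, None)
        if not a or c is None:
            return None
        expected = hmac.new(a["device_key"], c + BANK_ORIGIN.encode(), hashlib.sha256).digest()
        return {"user": user} if hmac.compare_digest(expected, assertion) else None


def device_sign(device_key, challenge, origin_seen):
    """The victim's authenticator binds the challenge to the origin it is actually talking to."""
    return hmac.new(device_key, challenge + origin_seen.encode(), hashlib.sha256).digest()


def run_otp_relay(now=1_700_000_000):
    bank = ToyBank()
    acct = bank.enroll("alice", "hunter2", "+15135550100")      # constructed victim
    victim_code = totp(acct["otp_secret"], now)                  # typed into the phishing page
    session = bank.login_otp("alice", "hunter2", victim_code, now + 5)  # relayed inside the window
    if session is None:
        return {"relayed": False, "balance": acct["balance"]}
    bank.add_phone(session, "+15135550199")                       # crook's phone
    ok = bank.cardless_withdraw("alice", "+15135550199", 500)
    return {"relayed": ok, "balance": acct["balance"]}


def run_origin_bound():
    bank = ToyBank()
    acct = bank.enroll("alice", "hunter2", "+15135550100")
    challenge = bank.new_challenge("alice")                       # phisher fetched it from the bank
    assertion = device_sign(acct["device_key"], challenge, PHISH_ORIGIN)  # signed on the fake site
    session = bank.login_bound("alice", assertion)                # phisher relays it; bank rejects
    return {"relayed": session is not None, "balance": acct["balance"]}


if __name__ == "__main__":
    print("OTP relay:", run_otp_relay())
    print("Origin-bound:", run_origin_bound())
```

The relay works against SMS codes, app codes and PINs alike, because none of them is tied to where the customer typed it; the origin-bound variant fails even though the crook holds a perfectly valid, freshly minted assertion.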



And Finally…

More mayhem from bill wurtz



You have been reading ID Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Hatemail may be directed to @RiCHi or idbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Garry Knight (cc:by)