ATM Hack

ATM HackMore troubling evidence that banks and retailers push convenience on consumers to boost profits—while knowingly making it easier for criminals to steal—arose this week.
Case in point: the terribly bungled rollout of newfangled “eATM” cash machines by Chase. Last year, you may recall, Chase promised to upgrade all its ATMs to this fun new technology.

The so-called eATMs use smartphones instead of debit cards to authenticate users. Smartphones, indeed, are a very reliable way to make sure someone is who they say they are. And consumers now are pretty used to the smartphone text two-factor authentication game. With chip-enabled ATMs hopelessly far off, this new technology is seen as upgrade over magnetic-stripe debit cards.

Chase, Wells Fargo and Bank of America are all moving to new eATMs. Their promotions herald how customers can even use apps to pick the denominations of cash they want with their withdrawals. Plus, it’s sort of cool. Eventually, consumers will use “tap-and-pin” to get cash, simply waving their phones near a machine and entering a code to get money.

Holes in system emerge

But now comes an example of Chase turning smartphone authentication into a very dumb system: The sad fate of San Francisco resident and Chase patron Kristina Markula was disclosed by investigative blogger Brian Krebs.

It seems Markula had never even heard of eATMs. She had no idea someone could withdraw cash from her account at an ATM without her debit card. So there she was, a California resident traveling in Mexico, when she spotted a $2,900 hole in her balance, created by a withdrawal from a Chase machine in Florida.

Far worse, when she called Chase to complain, the bank denied her dispute several times. “We confirmed that the disputed charges were correct and we will not be making an adjustment to your account,” says a letter she received from Chase, according to Krebs’ site.

There are several disturbing elements to this story. Criminals were able to get the bank to send them text messages that unlocked cash at Chase ATMs. With the text messages and little (nothing?) else, the bad guys were raiding consumers’ bank accounts.

Smart tech, dumb security

This shows how a really sophisticated authentication technology was truly dumbed down by Chase for this trial. As Krebs describes it, it seems only a text message was required to dispense cash. So much for fancy multi-data-point authentication.

One curious wrinkle involves the trick criminals used to “intercept” the cash-unlocking text intended for Markula’s phone. She was told that a criminal had used stolen credentials to log into her online bank account and added a second cell phone to it. The criminal also changed the contact email on the account, presumably so Markula wouldn’t receive any notification about all this account activity.

Then, that second phone was used to get the text needed to withdraw the $2,900. If you are like me, you are wondering, “On what planet can someone withdraw $2,900 in one day from a single account at an ATM?” On the planet where eATMs are regarded as more secure, one would suppose.

One could imagine that the roll-out of perhaps the biggest change to ATMs in decades could be bumpy. But the kicker to this story is that Chase:
• Was in the middle of a big new test
• Was actively being exploited
• And yet gave a victim, who lost $2,900, a hard time

Letting down customers

How could Chase fraud investigators not be primed and ready to immediately assist victims of this new crime? How could Markula, and a bunch of other yet unknown victims, not be on some list somewhere, destined for preferential treatment?

eATMs can be great, for as long as cash stays relevant in the United States. It sure would be a shame if they led to inferior, instead of superior, security.

Meanwhile, consumers, here’s a really important message: when your bank turns on eATM functionality, maintaining strong passwords becomes more important than ever. Because here’s the harsh reality: If you can get cash from your checking account without your debit card, so can a criminal.

This article originally appeared on ThirdCertainty.com and was written by Bob Sullivan.