Never forget security: Card-less eATM fraud leads to theft of $3,000

Why it matters to you

Just because we consider our smartphones to be secure doesn't mean we should be less vigilant when using them to access bank accounts and new eATMs.

Do you use Chase Bank’s eATM machines, the ones which operate using your smartphone as identification? Reports are emerging that criminals may have figured out a way to circumvent security measures and steal money from your account. While not widespread, the stories do involve large sums of money, and should serve as a reminder about the importance of good information security.

The most recent story to come to light actually happened in November last year, when $3,000 was fraudulently taken from a Chase bank account via an eATM and the Chase mobile banking app. In a letter to local news site cleveland.com, the Chase customer, on finding the money missing from his account, was informed his account had been “hacked” using these services. The customer was also locked out of his account, which Chase said was due to multiple attempts to access it with an Android smartphone, a device he didn’t use.

Chase’s eATM machines differ from a traditional ATM by not requiring a card. You can access them using codes provided in the Chase phone app, a two-step verification style method which many may already be familiar with from their Google account, Twitter account, and many others. That sounds more secure than a simple card and PIN system, so how was the account compromised?

It’s not absolutely clear, but another case does suggest the eATM may make it easier for thieves already attacking an online banking account to get their hands on cash. In this report from January, a customer lost $2,900 through an eATM after the victim’s online banking details, and associated phone number, were all altered, which then facilitated the theft using a card-less ATM. The similarity in the amount stolen in each case here is due to the higher, $3,000 daily withdrawal limit offered by some Chase eATM machines. A larger case featuring card-less ATM fraud was recently cracked, and anecdotal evidence of other eATM fraud cases appears on Reddit.

Should you be worried about using these machines, or smartphones, for banking generally? No, not if you remember the basics of protecting your identity and accounts. Criminals will always try to find ways into our bank accounts. Card-less ATM machines are becoming more common, with Chase, Bank of America, Wells Fargo, and other international banks all introducing the system. Chase Bank has also made alterations to improve security.

There’s a danger, due to our growing familiarity and comfort in using smartphones to make transactions either online, in-app, or through a mobile payment system, that we will forget that all the usual advice on security still applies. Strong passwords, avoiding public Wi-Fi, lowering withdrawal limits, adding two-factor authentication where possible, and opting to receive message and email alerts of account activity all help us avoid becoming victims of this type of crime.