They stole $2,900 at an ATM without her debit card; how the smartphone ‘eATM’ rollout got dumb

Stealing money is easy as entering this code.

I’ve long said that identity theft is a just marketing program for banks and retailers. Corporations make it easy for criminals to steal so they can sell convenience to consumers, and if a few customers get hurt along the way, well, that’s a shame.  That can always be fixed later.

More clear evidence of this arose this week with the terribly bungled rollout of newfangled “eATM” cash machines by Chase.  Turns out criminal gangs have already raided them, and Chase didn’t believe its own customer when she lost $2,900.  

Chase told me the firm made an error, and that the number of victims was limited to a pilot program.

“This is why we have pilots,” spokesman Mike Fusco said. “To test and learn put safeguards in place.”  More from Chase later.

Last year, Chase promised to upgrade all its ATMs to this fun new technology, and other banks aren’t far behind, so watch those bank statements!

The so-called eATMs use smartphones instead of debit cards to authenticate users. That’s a good thing.  Smartphones are a far more reliable way to make sure someone is who they say they are than one of those old magnetic stripe cards.  And consumers are now familiar with the smartphone text two-factor authentication game. Also, chip-enabled ATMs seem hopelessly far off, so this new technology is certainly an upgrade over those old magnetic stripe debit cards.

I wrote about this promising development last year, when Chase, Wells Fargo, and Bank of America were all racing to brag about how high-techy their new eATMs were going to be.  Heck, customers can even use apps to pick the denominations of cash they want with their withdrawals! Plus, it’s sort of cool. Eventually, consumers will use “tap-and-pin” to get cash, simply waving their phones near a machine and entering a code to get money.  For the moment, banks are implementing an intermediate version of the technology that requires account holders to entered a text message code sent to the smartphone to get cash.

At the time, Gartner analyst Avivah Litan explained to me why eATMs held out the promise of much safer transactions.

“Smartphones provide a much more secure form factor than chip cards do, as there are many sensors on smartphones to help with authentication and fraud detection,” Litan said. “Fingerprint readers, cameras, the phone chip itself, the phone’s movements, its location.”

My headline seems a bit foolish now: “Your smartphone is your new ‘debit’ card, and why that’s probably safer.”

Instead, Chase somehow turned smartphone authentication — at least temporarily — into a very dumb system.  Journalist Brian Krebs wrote this week about the sad fate of San Francisco resident Kristina Markula and her bank account.  She had never even heard of eATMs, and had no idea someone could withdraw cash from her account at an ATM without her debit card.

But there she was, a California resident traveling in Mexico, when she spotted a $2,900 hole in her balance, created by a withdrawal from a Chase machine in Florida.

Far worse, when she called Chase to complain, the bank denied her dispute several times.

“We confirmed that the disputed charges were correct and we will not be making an adjustment to your account,” says a letter she received from Chase, according to Krebs’ site.

Later, a banks spokesman told Krebs she was denied in error.  The bank also pointed Krebs to a story in Ohio about the arrests of a gang of 6 criminals who were actively exploiting Chase eATMs.  That story is vague on details, but in both cases, here’s what seems obvious:

Criminals were able to get the bank to send them text messages that unlocked cash at Chase ATMs. With the text messages and little (nothing?) else, the bad guys were raiding consumers’ bank accounts.

There are several disturbing elements to this story than can be observed empirically.  First is the obvious: A really sophisticated authentication technology was really dumbed down during this trial. As Krebs describes it, it seems only a text message was required to dispense cash. So much for fancy multi-data-point authentication.

The curious wrinkle in the Krebs story involves the trick criminals used to “intercept” the cash-unlocking text intended for Markula’s phone. She was told that a criminal had used stolen credentials to log into her online bank account and added a second cell phone to it.  The criminal also changed the contact email on the account, presumably so Markula wouldn’t receive any notification about all this account activity.

Then, that second phone was used to get the text needed to withdraw the $2,900.

If you are like me, you are wondering on what planet someone can withdraw $2,900 in one day from a single account at an ATM.   On the planet where eATMs are regarded as more secure, one would suppose. Chase did brag about higher limits on eATMs when it announced the program last year.

It’s possible that Chase did some location-based authentication and, because the phone controlled by the criminals was near the ATM they used in Florida, the transaction was approved.  Or, it’s possible Chase just coughed up the money when the bad guys produced the text message.

Either way, one has to wonder how security rules didn’t recognize the obviously suspicious behavior of a) adding a new phone to an account and b) making a huge withdrawal 3,000 miles from the consumer’s home.  You would expect such pattern-based fraud detection to be dialed up higher, not lower, during the test of a new technology.  See my first sentence if you are wondering how that might happen.

One could imagine that the roll-out of perhaps the biggest change to ATMs in decades could be bumpy.  So, perhaps these are growing pains to be expected. But the kicker to this story is that Chase was a) in the middle of a big new test and b) it was actively being exploited and yet c) they gave a victim who lost $2,900 a hard time.  How could Markula, and a bunch of other yet unknown victims, not be on some list somewhere, destined for preferential treatment? How could Chase fraud investigators not be primed and ready to immediately assist victims of this brand new crime? Because the bank was happy to use her as a guinea pig.

Because features trump security.  And marketing trumps consumers.

“This was an error on our end. We apologized and she’s been reimbursed,” Fusco said.  “We have put measures in place to prevent this.”

eATMs can be great, for as long as cash stays relevant in the United States.  It sure would be a shame if they led to inferior, instead of superior, security.

“This is a technology consumers want,” Fusco said. “This why we have pilots. To test…We want to make sure it is safe when we roll it out.” While he couldn’t discuss details of security enhancements Chase has made, he said only a limited number of Chase customers’ accounts can currently be used in the eATM trial.

Meanwhile, consumers, here’s a really important message. When your bank turns on eATM functionality, maintaining strong passwords becomes more important than ever. Because here’s the harsh reality: If you can get cash from your checking account without your debit card, so can a criminal.

If you’ve read this far, perhaps you’d like to support what I do. That’s easy. Sign up for my free email list, or click on an advertisement, or just share the story.





About Bob Sullivan 1144 Articles

BOB SULLIVAN is a veteran journalist and the author of four books, including the 2008 New York Times Best-Seller, Gotcha Capitalism, and the 2010 New York Times Best Seller, Stop Getting Ripped Off! His latest, The Plateau Effect, was published in 2013, and as a paperback, called Getting Unstuck in 2014. He has won the Society of Professional Journalists prestigious Public Service award, a Peabody award, and The Consumer Federation of America Betty Furness award, and been given Consumer Action’s Consumer Excellence Award.

3 Comments

  1. I telephoned Bank of America customer support to make sure that BoA does NOT have an eATM deployment in the works. They assured me that they do not. (I don’t believe them, but I thought it worth providing here to hoist them by their own ignorance if/when they do…)

  2. Perhaps smartphones do offer better authentication possibilities than a mag-strip or chip-and-pin card. But smartphones also present a huge attack surface, and risk leaking all kinds of personal data to ISPs, the government, device manufacturers, whoever wrote all the apps that you’ve installed, and clever thieves. I’d much rather use a card and risk a little money from my account than rely on a smartphone and all the vulnerabilities and tracking opportunities it poses.

Leave a Reply

Your email address will not be published.


*