So, how do cybercriminals turn your stolen bank credentials into cash? We hear about data breaches, some of which include compromised payment information, and we hear that this sensitive data is put up for sale on the Dark Web, but how is it converted into money?
Financial institutions are offering cardless ATM transactions through customers' phones. People can withdraw cash with their mobile device and nothing more!
This new perk creates a new playing field for hackers and cybercriminals. They just have to obtain account credentials and add a new phone number to the customer's account. It's that simple!
From there, hackers can load the card onto the device that corresponds to that phone number and visit cardless ATMs.
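A defender-side view of the pattern described above, added here as an example (it is not from the original article or from any bank's systems): it flags cardless ATM withdrawals made from a phone number that was added to the account shortly beforehand. The event fields, the 72-hour window and the sample records are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events, not real bank data. Field names are assumptions.
EVENTS = [
    {"ts": "2017-03-12T10:00", "account": "A-2002", "type": "phone_added",
     "phone": "+1-555-0111"},
    {"ts": "2018-10-01T09:00", "account": "A-1001", "type": "phone_added",
     "phone": "+1-555-0100"},
    {"ts": "2018-10-01T13:30", "account": "A-1001", "type": "cardless_withdrawal",
     "phone": "+1-555-0100", "amount": 500, "atm_state": "MI"},
    {"ts": "2018-10-02T18:00", "account": "A-2002", "type": "cardless_withdrawal",
     "phone": "+1-555-0111", "amount": 60, "atm_state": "OH"},
    {"ts": "2018-10-03T08:00", "account": "A-4004", "type": "phone_added",
     "phone": "+1-555-0122"},
    {"ts": "2018-10-03T08:40", "account": "A-4004", "type": "cardless_withdrawal",
     "phone": "+1-555-0122", "amount": 400, "atm_state": "IL"},
    {"ts": "2018-10-04T07:15", "account": "A-4004", "type": "cardless_withdrawal",
     "phone": "+1-555-0122", "amount": 400, "atm_state": "OH"},
]

WINDOW = timedelta(hours=72)  # assumed review window after a phone change


def flag_cardless_withdrawals(events, window=WINDOW):
    """Return cardless withdrawals made from a phone number that was added
    to the same account no more than `window` before the withdrawal."""
    added = {}   # (account, phone) -> time the number was added
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        key = (ev["account"], ev["phone"])
        if ev["type"] == "phone_added":
            added[key] = ts
        elif ev["type"] == "cardless_withdrawal":
            enrolled = added.get(key)
            if enrolled is not None and ts - enrolled <= window:
                alerts.append({
                    "account": ev["account"],
                    "amount": ev["amount"],
                    "atm_state": ev["atm_state"],
                    "hours_since_phone_added":
                        (ts - enrolled).total_seconds() / 3600,
                })
    return alerts


if __name__ == "__main__":
    for alert in flag_cardless_withdrawals(EVENTS):
        print(alert)
```
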
Something Smells Smishy
Recent arrests in Ohio shed light on how this scam is conducted. Fifth Third Bank customers complained about receiving a text message that appeared to be from their bank, warning recipients that their accounts had been locked.
The text message included a link to a spoofed website that mimicked the original Fifth Third banking site. As usual, customers logged in using their credentials (username, password, one-time passcode, and PIN) to unlock their account.
The Crime Spree
Around Cincinnati, Ohio, 125 Fifth Third customers fell victim to this SMS phishing scam. The cybercriminals took the phished data and withdrew $68,000 from 17 ATMs in Illinois, Michigan, and Ohio in less than two weeks by using Fifth Third's cardless ATM function.
Their smishing and fraudulent withdrawals at cardless ATMs continued through October 2018, earning them an additional $40,000. Fifth Third Bank zeroed in on four suspicious individuals believed to be behind the crime spree. Shortly thereafter, the four individuals were arrested in connection with the crimes.
Old Scheme, New Technology
These schemes aren’t new, but with this new cardless ATM feature, they are becoming more prevalent. Never respond to requests for personal or financial information sent by email, text message, or over the phone. SMS phishing attacks are getting trickier and more convincing. When in doubt, contact your bank directly, either in person or by phone using the number on the back of your card. It’s always better to be safe than sorry!