A Federal Bureau of Investigation liaison information report exposed in the Blue Leaks hack of sensitive law-enforcement data last July warned the financial services sector about scammers using cardless banking apps to commit account takeover (ATO) fraud and launder money. This also causes new concerns for Anti-Money Laundering (AML) efforts. 

Authored last May, the report was authored by the FBI’s Criminal Investigative Division and its Office of the Private Sector. The FBI issued the report to “inform the financial services sector about criminals using ‘cardless’ automated teller machine (ATM) access code vulnerabilities to commit fraud and evade financial institution policy restrictions,” according to the document.

Citing three cases, the FBI report explains how cybercriminals have exploited “existing mobile device ID security vulnerabilities” in cardless ATM technology “to conduct account takeover and place illicit proceeds into the U.S. banking system.” 

Now, “criminals are anonymously conducting suspicious financial transactions at multiple ATM locations outside of the geographic footprint of the account holders,” writes the FBI. 

Broadly, the cardless ATM attack vector can be classified as a new form of card-not-present (CNP) fraud, which has traditionally targeted online retailers, according to Andrei Barysevich, the chief executive of fraud intelligence firm Gemini Advisory.

By 2023, digital market consultants Juniper Research estimate that trailing five-year losses for retailers defrauded by CNP thieves will total $130 billion.

“Alongside an increased push by financial companies to migrate to the next generation of frictionless payment and ATM infrastructure, criminals are also exploring the benefits such technology presents,” said Barysevich, who previously worked as a private consultant for the FBI’s New York Cybercrime field office.   

“With the broader adoption of cardless ATMs, hacking into someone’s bank account could potentially allow criminals to forgo card cloning altogether, draining funds right through the mobile banking app instead,” he added.

The FBI did not respond to OODA LOOP’s request for comment.

How do Cardless ATMs Work?

The FBI’s advisory dovetails with the growing popularity of cardless ATMs, which allow customers to withdraw and deposit cash via mobile apps built on the following technology stacks: Near-field communications (NFC), one-time verification codes, quick-response (QR) codes, and biometrics.

“Cardless ATM transactions use a code and a mobile phone for authentication rather than a debit card’s magnetic strip or EMV chip,” according to a separate 2019 FBI “Private Industry Notification” also exposed in the Blue Leaks. 

In the U.S., cardless withdrawals rose 26 percent in 2019 compared to the previous year, according to a July research report authored by British strategic consulting firm RBR. Driving adoption is the growing emphasis on consumer convenience, says RBR.

Contactless ATMs reduce the amount of time customers spend at terminals and mitigate the risk of card skimming, an attack vector where scammers install malicious hardware at the point of sale to swipe cardholder data, according to RBR research.

Growing consumer awareness for personal hygiene during the COVID-19 pandemic, which has left customers leery of touching public surfaces, “has the potential to spur innovation in cardless withdrawal technology and accelerate its adoption at ATMs,” writes RBR in a press release for their report.

But “even before COVID, nearly all of the top banks in the U.S. had either rolled out or begun rolling out some variation of cardless ATM technology,” according to ATM consultant Sam Ditzion, chief executive of Boston-based Tremont Capital Group.

Cardless History

Cardless ATM technology has been around since at least 2012 when the Industrial and Commercial Bank of China rolled out its “cardless cash advance service.” In 2016, ICBC announced QR code-enabled ATM withdrawal for its entire network of 18,000 teller machines and 210-million customers. 

Stateside, BMO Harris was the first financial institution to deploy a QR-code enabled “mobile cash solution” in 2015, according to tech certification company Underwriter Laboratories. Bank of America followed suit in 2016, debuting an NFC-enabled solution at the annual Google IO Conference in Mountainview.

NFC is a technology that enables low-speed, short-range communications between connected devices. BoA’s cardless application thus allows NFC-ready smartphones and mobile wallets to access ATMs, enter their pins, and execute all the normal teller-machine transactions they would normally do with a card.

In 2017, Wells Fargo was next to upgrade its entire network of over 13,000 ATMs with cardless-access capability. This initiative gave Wells’ estimated 20-million mobile banking app users the option to select one-time, eight-digit passcodes to enter alongside their debit-card pins to make withdrawals at bank ATMs.

The same year, JPMorgan Chase and Capital One also launched their own cardless ATM initiatives. Additionally, PNC bank joined the cardless ATM club in 2018, according to RBR research. But with Wells retrofitting its entire network with NFC technology in 2019, they are the most prolific cardless ATM provider in the U.S.

While this technology mitigates the risk of credit card skimming, fraudsters are now targeting mobile devices themselves. As such, mobile bank app login information is increasingly at risk.

Cybercriminals use “SMS and email phishing campaigns to collect victims’ banking credentials, or SIM swapping to intercept communication, which criminals then used to withdraw cash,” according to the 2019 FBI document.

 Additionally, 2019 FBI reporting showed, “a significant decrease in the duration of this fraud scheme, from credential acquisition to ATM withdrawal, indicating criminals are quickly adapting to financial institution security measures.”

Three Cases

The 2020 FBI report cites three recent cases where cybercriminals exploited vulnerabilities in cardless ATM infrastructures. In 2018, threat actors “used stolen cardless ATM access codes to deposit money obtained from an elaborate business email compromise scheme” that targeted a U.S. construction company the previous year, the report says. 

The FBI says that this cybercrime group took the construction company for a score in excess of a million dollars.

Next, the FBI report cites 11 related incidents, where “criminals used stolen cardless ATM access codes to deposit counterfeit checks into a U.S. bank account.” What’s more, “transaction notifications were sent to the legitimate account holder’s phone number, who was neither aware of the fraud, nor had they shared their bank information,” according to the report. 

Lastly, the FBI report says that a “U.S. bank experienced more than $100,000 in fraud losses through the use of cardless ATM access codes after funds were withdrawn from approximately 125 customer accounts at 17 different ATM locations in three different U.S. states.”

Four men were indicted for stealing bank customers’ usernames, PINs, and passwords, according to the FBI. The bureau is referring to a 2018 case that was prosecuted in Cincinnati. Cybercriminals targeted customers of Fifth Third Bank in this case, according to Krebs on Security reporting. 

Krebs reported that thieves obtained users bank login credentials via SMS-based phishing attacks. In May 2018, the bank began registering complaints from customers, who said they had received text messages saying that their phones had been locked, reported Krebs.

The text messages embedded a malicious link for customers to unlock their accounts and led them to a website that mimicked the bank’s. “That phishing site prompted visitors to enter their account credentials — including usernames, passwords, one-time passcodes and PIN numbers — to unlock their accounts,” wrote Krebs.

All four defendants in this case were sentenced to time served in 2019 or 2020, according to court documents. 

Heightened AML Risk?

The ability to anonymously deposit illicit funds into the banking system, as illustrated by the first two case citations in the report, raises anti-money-laundering concerns. Beyond sophisticated cybercriminals, could widely adopted cardless-ATM technology thus create ideal conditions for drug and human trafficking networks and terrorists to stealthily place and transfer money between unsuspecting funnel accounts? 

Take the 2017 money laundering scandal at Commonwealth Bank of Australia, for example. In 2012, CBA launched so-called intelligent deposit machines (IDMs). While not cardless, these IDMs autonomously counted currency that consumers deposited into machines. 

Not only did CBA’s machines fail to limit the number of transactions a customer could conduct in a day, according to Australian Transaction Reports and Analysis Centre (AUSTRAC), but they also allowed anonymous cash deposits. 

The anonymous nature of these transactions enabled both terrorists and drug trafficking networks to launder millions through CBA. One Hong Kong-based, meth-trafficking syndicate, which secreted most of its product in “Chinese tea packaging” – the trademark of the notorious Sam Gor syndicate – laundered A$21 million via CBA’s IDMs.

In 2018, AUSTRAC fined CBA A$700 million for it AML and counter-terrorism-financing violations, which was the largest regulatory penalty in Australian corporate history until this year.

Asked if Wells Fargo could be absorbing similar AML risk exposures with its sprawling cardless ATM network, Ditzion said he views this attack vector as “higher risk than much easier and less trackable methods.”

“You would need someone’s mobile app credentials, including fingerprint or facial ID in most cases.  Then, you would need to have someone bold enough to deposit actual cash, which is an unusual aspect of fraud, as the goal is generally to steal money,” said Ditzion.

“That said, if someone was willing to do all of the above, and then transfer cash to an account, in theory the fraudster could convert cash into a balance in another electronic account.  All of this would be quite rare,” he added.  

“There are easier ways to launder money,” Ditzion said.

Mitigation

To mitigate the risk of cardless ATM fraud, the FBI advises financial institutions to add four new suspicious indicators to their fraud alert rules, according to the 2020 report. First, the FBI advises banks to flag “multiple requests for mobile access codes by the account holder.” Secondly, the FBI says that recurring “deposits of the same or similar amount” can also indicate illicit activity.

Thirdly, the FBI warns banks of “multiple deposits outside of the geographic area of the account holder.” And fourthly, rapid “movement (i.e. wire transfers) of funds deposited into account(s)” are also suspicious, according to the FBI report.

Still, the FBI notes that organizations “ should evaluate the totality of suspicious ATM transactions and other relevant circumstances before notifying security/law enforcement personnel,” according to the report.