Does your bank have a cardless ATM? Cardless ATMs interact with your smartphone to let you withdraw cash from your bank’s enabled ATMs without inserting a card into a card reader.
With some ATMs, your smartphone app generates a QR code for your withdrawal, and the ATM scanner reads the QR code off your phone. Other ATMs use near-field communications (NFC), the same technology that allows you to avoid slot readers by tapping your card or phone against a receiving sensor (think Apple Pay and digital wallet apps).
In either case, your smartphone substitutes for your card. However, that adds another avenue for fraudsters to trick you out of personal information and drain your bank account.
From a technology standpoint, cardless ATMs are relatively safe. They use tokenization to provide a random number for each transaction, avoiding transmission of the card number. The process generally requires a PIN, so thieves who steal your card information also need the PIN to withdraw funds. Most smartphones have layers of security, ranging from passcodes to fingerprint or face recognition, that prevent smartphone thieves from taking advantage of your account.
Unfortunately, you can render all of those safeguards useless when you give your information away via a phishing text scam.
One scamming method involves text verification of your personal information (account number, password, and PIN if required) to supposedly unlock your account. With this information, thieves can set up a phone they control and add that phone to your account – allowing cardless ATM withdrawals at any time.
The text may not ask for information, but instead direct you to a fake website. You’ll be asked to provide account information to allegedly unlock your account.
Fake websites can be extremely convincing, including official-looking logos, text, and pictures – and the web address is not necessarily a tipoff. (Look for a lock logo and “https” in the web address, indicating a secure website – but don’t count completely on those steps to detect a fraudulent site.)
While a PIN makes the task more difficult, thieves are sophisticated enough to know which banks require PINs with cardless transactions and which banks don’t. If you fall for a phishing scam, any PIN required will be on the list of information you enter to allegedly unlock your account.
Whether or not you use cardless ATMs, if you receive a text from a source claiming to be your bank, exercise caution. Do not reply with any personal information, follow any included links, or use any phone number included in the text. Contact your bank directly through a known secure number, such as the one on the back of your card, or go to a branch to talk to somebody in person.
Cardless ATMs are convenient, saving transaction time and eliminating the possibility of your card getting inadvertently stuck in a reader – and overall, the process is secure. You just need to know your bank’s policies and practices on cardless ATM transactions and how to identify properly enabled ATMs.
Understand how cardless ATMs work at your bank, the situations in which banks will text you based on your account status (such as fraud alert or transaction information), and how the banks will contact you if they need further information about your account. They will never ask for personal information by text, email, or over the phone unless you have initiated communications.
Don’t open your accounts up by replying to suspicious bank texts. Let the thieves move on to easier targets. Evidence suggests they will find some.