Q: On Nov. 7, my son had $3,000 taken out of an ATM in a city he doesn’t live in. He discovered this within days, when he tried to log in to his online banking account but found he had been locked out. He drove to his local branch and was told he’d been locked out because his billing address and password had been changed on his account. My son asked how this, and the theft of $3,000, could happen.

At first, Chase told him someone had written a check on the account. Then Chase said someone had “hacked” (their word) his account through his Chase phone banking application and one of Chase’s new eATMs that don’t use ATM cards. The following day, my son filled out police reports in his city and the city where this occurred and indicated he would prosecute if the thief was apprehended. Chase immediately issued my son a conditional $3,000 credit while they investigated.

The next day, my son tried to log into his account but was unable to, due to “too many attempts.” Once again, he drove to his local Chase branch and was told someone on an “Android phone” had made repeated attempts to access the account. My son stated he does not have an Android phone and at that point they changed his password again.

Later that day, he received a letter that the case was resolved and closed. My son incorrectly assumed that it was resolved in his favor. He found out later by email that the $3,000 had been removed by Chase.

This is when I came into the picture. I also bank at Chase and I am a Preferred Chase Private client. I called my branch manager and filled him in. He said he would get involved and was “on our side on this.”

My branch manager called my son and gave him an 800 global security number for the police to call so officers could get the security videotape from Chase. It’s funny that the police previously told my son that Chase wouldn’t provide the videotape and tried to push back again to the police, until the officer told Chase she had just had a young couple come in who had $7,000 wiped out from their account using the same eATM hacking through a mobile app.

My son immediately met with the bank and took all the right steps such as closing his cards, filing Chase paperwork, filing police reports (and at added cost to him, purchased identity theft insurance) but not once, until I intervened, did anyone contact him or give him any consideration of the facts. It doesn’t seem he could have done anything more.

My questions are:

  • How could Chase not verify a transaction at an eATM for $3,000, especially when that amount was so out of his normal transaction history? Not even a text or call to my son.
  • How can Chase not be required to supply the information that their decision was based on?  

J.E., Hudson

A: Thankfully, Chase refunded your son’s $3,000 again, and hopefully for the last time, just as I was getting involved. Hats off to your branch manager for intervening as well on your son’s behalf.

It’s interesting — and very scary — that the officer handling your son’s case had not just the additional $7,000 case, but said there had been 10 more Chase customers who filed police reports over the same issue in a two-week period. The police told your son the FBI is now involved.

I’m writing about this to raise a bright red flag about this type of hacking, not just with Chase, but potentially with other banks. After more than 15 years of writing about banking, I’m not often surprised by anything when it comes to fraud. This, however, is disturbing to me.

I’ve written about some of the new ATM technology, including Chase’s eATMs, which started rolling out a year ago. This technology sounded to me like an improvement, not a step back. With an eATM, if you have the Chase app on your phone, you can log into your Chase account through the app on your phone and receive on your phone a six-digit code that will work one time, for just a few minutes.

Then, in order to withdraw money from an ATM, you need that six-digit code sent to your phone AND your traditional four-digit PIN.

Essentially, the code sent to your phone takes the place of your ATM card — if you want it to. You can still use your ATM card and PIN that you have memorized, if you like, instead of the code sent from your mobile app.

Some argue that codes sent to phones or ATMs that use thumbprints to verify your identity are more secure because ATM cards can be duplicated. Your phone, presumably, cannot. Your thumbprint, presumably, cannot. (I do have images of the TV show “24” going through my mind.)

To answer your first question, Chase spokesman Jeff Lyttle said the bank does offer free text and email alerts that allow customers to receive messages related to all types of transactions, including being notified of any transaction higher than whatever dollar amount they choose. You could choose to be notified of withdrawals or debit card transactions of more than $100 or if your balance drops below $500 or whatever.

I would urge every consumer — no matter where you bank — to do two things:

  • Check what your ATM withdrawal limit is. If it’s higher than you ever use, reduce it.

  • Sign up for email or text alerts related to your account. This way, you can find out within minutes possibly, or certainly within hours, about withdrawals or transactions that meet your criteria. In contrast, it could take days to find out from your bank if it flags possible fraud. Or you may not find out at all until the next time you try to withdraw money or you open a notice about a bounced check or get a bank statement that shows a bunch of fraudulent transactions.

I will be writing more about this issue. If any of you have had similar problems with fraud involving any bank, let me know. But for now, if your bank uses “cardless ATM” technology (PNC is another local bank making use of this technology), then you may want to delete the app from your phone until your bank can assure you this sort of fraud couldn’t happen to you.
