August 3, 2005
Last year nearly three million consumers had $2.75 billion lifted from their bank accounts by thieves, most of whom used the Internet to trick people into revealing account numbers and PINs. An industry analyst says banks could have prevented much of the theft with a little extra security.
A report by Avivah Litan, director of research at Gartner, Inc., says there is a big hole in the security system. About half the nation's banks, she says, don't validate the secondary security codes on their ATM and debit cards' magnetic stripe.
"Criminals sometimes counterfeit ATM/debit cards with just account numbers and PINs in hand, and they can use this stolen information at ATMs to withdraw cash from a cardholder's account," said Litan. "They succeed when the card-issuing bank is not validating security codes on the magnetic stripe of the card while authorizing transactions." PINs are personal-identification numbers.
"These security codes are stored on Track 2 of the magnetic stripe and include PIN offsets and Card Verification Value (CVV) codes," Litan said. "The codes link the physical card to the customer's account number."
ATM and debit card fraud is quickly surpassing credit card fraud, according to the report. When criminals obtain an account number and PIN, they encode blank cards and use them at ATMs or at retail businesses where they can get cash back with a purchase.
"Criminals are seeking out customers of banks that are not validating ATM cards' Track 2 magnetic stripe security data during cash withdrawal transactions," Litan said. "The hackers call these banks 'cashable.' The prime candidates are banks with high cash withdrawal limits."
Litan says an easy fix, and one banks are beginning to employ more often, is to include PIN offsets and Card Verification Value codes on the magnetic stripes on the backs of ATM and debit cards and to check them when authorizing a transaction. The consumer doesn't know what that number is, so it can't be revealed in a phishing scam.
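The issuer-side check Litan describes, as an added illustration that is not part of the article and not Gartner's or any bank's code: the authorization host parses the card's Track 2 data and compares the CVV in the discretionary field with the value it derives for that account, so a blank card encoded with only an account number and PIN fails even when the PIN is right. The HMAC-based derivation, the key, the position of the CVV at the end of the discretionary data, and the account records are all constructed assumptions for the demonstration; real issuers derive the CVV inside a hardware security module with the card scheme's algorithm.

```python
import hashlib
import hmac

# Constructed, hypothetical issuer key used only to derive demo CVVs.
ISSUER_CVV_KEY = b"constructed-demo-issuer-key"


def parse_track2(track2: str) -> dict:
    """Split a Track 2 string ;PAN=YYMMSSS<discretionary>? into its fields.

    The leading ';' start sentinel and trailing '?' end sentinel are optional.
    """
    body = track2.strip().lstrip(";").rstrip("?")
    pan, sep, rest = body.partition("=")
    if sep != "=" or not pan.isdigit() or len(rest) < 7 or not rest.isdigit():
        raise ValueError("malformed Track 2 data")
    return {
        "pan": pan,                 # primary account number
        "expiry": rest[:4],         # YYMM
        "service_code": rest[4:7],  # three digits
        "discretionary": rest[7:],  # issuer-defined; holds PIN offset / CVV
    }


def expected_cvv(pan: str, expiry: str, service_code: str) -> str:
    """Derive the three-digit CVV the issuer expects for this card (demo substitute)."""
    msg = f"{pan}{expiry}{service_code}".encode()
    digest = hmac.new(ISSUER_CVV_KEY, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1000:03d}"


def make_track2(pan: str, expiry: str, service_code: str) -> str:
    """Encode a genuine card: the CVV sits in the discretionary data (assumed layout)."""
    return f";{pan}={expiry}{service_code}{expected_cvv(pan, expiry, service_code)}?"


def authorize(track2: str, pin_entered: str, accounts: dict, validate_track2: bool = True):
    """Decide a cash withdrawal. Returns (approved, reason).

    accounts maps PAN -> {"pin": "...."}. validate_track2=False models the
    'cashable' bank of the article that checks only the account number and PIN.
    """
    card = parse_track2(track2)
    acct = accounts.get(card["pan"])
    if acct is None:
        return False, "unknown account"
    if not hmac.compare_digest(pin_entered, acct["pin"]):
        return False, "PIN mismatch"
    if validate_track2:
        # Assumption: the CVV is the last three digits of the discretionary data.
        presented = card["discretionary"][-3:]
        wanted = expected_cvv(card["pan"], card["expiry"], card["service_code"])
        if len(presented) != 3 or not hmac.compare_digest(presented, wanted):
            return False, "Track 2 CVV mismatch: card data incomplete or counterfeit"
    return True, "approved"


# Constructed sample data: one account, a genuine card and a blank card that
# carries only the account number, expiry and service code.
ACCOUNTS = {"4000001234567899": {"pin": "1234"}}
GENUINE_CARD = make_track2("4000001234567899", "0912", "101")
BLANK_CARD = ";4000001234567899=0912101?"

if __name__ == "__main__":
    print("genuine, validating bank:", authorize(GENUINE_CARD, "1234", ACCOUNTS))
    print("blank,   validating bank:", authorize(BLANK_CARD, "1234", ACCOUNTS))
    print("blank,   cashable bank:  ", authorize(BLANK_CARD, "1234", ACCOUNTS, validate_track2=False))
```

The two calls on the blank card are the whole point: with the same account number and PIN, the validating issuer declines and the non-validating one approves, which is exactly the gap the report says half the banks leave open.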
Litan says larger banks were quick to learn the lesson and adapt, so thieves have moved on to target many smaller banks. Those using small, local banks should be extra careful, she says, not to reveal PINs to anyone for any reason.
The findings are based on a Gartner survey in May of 5,000 U.S. adults who are active online and demographically representative of the U.S. online adult population.
Gartner analysts said banks must protect against all types of fraud committed against checking accounts, regardless of the channel used, such as insider theft, online banking, phone banking, and automated clearing house (ACH) transfers.
"The best defense is a transaction anomaly detection system that compares incoming transactions with profiles of what is expected from the user," Litan said. "Anomalies are flagged for further investigation and/or subsequent interactive authentication of the user, perhaps through a phone call to the user."