
STAMFORD, Conn. - Thieves increasingly are exploiting vulnerabilities in consumer bank account systems, with an estimated 3 million U.S. consumers victimized by fraud involving ATM/debit cards in a recent 12-month period, according to findings from a study conducted by Gartner Inc., which provides research and analysis about the global information technology industry. The findings are based on a Gartner survey in May of 5,000 U.S. adults who are active online.

Gartner estimates that in the 12 months ending May 2005, ATM/debit card fraud in the United States generated losses of $2.75 billion, with an average loss of more than $900.

According to a news release issued by Gartner, criminals are secretly obtaining consumer banking account and password information by online phishing and keystroke logging attacks, and then using that information to hack into consumers' ATM accounts.

Most of the losses were covered by banks and other financial institutions that issued the specific ATM/debit cards exploited by thieves.

"Criminals sometimes counterfeit ATM/debit cards with just account numbers and PINs in hand, and they can use this stolen information at ATMs to withdraw cash from a cardholder's account," said Avivah Litan, vice president and research director at Gartner. "They succeed when the card-issuing bank is not validating security codes on the magnetic strip of the card while authorizing transactions."

"These security codes are stored on Track 2 of the magnetic stripe and include PIN offsets and card verification value codes," Litan added. "The codes link the physical card to the customer's account number. Surprisingly, perhaps as many as half of U.S.-based financial institutions are not validating Track 2 security data while authorizing ATM and PIN debit transactions. Most of these institutions are unaware that they, or the outsourced ATM transactions processor they rely on, should be doing so."

Financial institutions (FIs) have the ability to stop these attacks, but many have not taken the extra steps needed to prevent them, according to Gartner's findings. FIs can modify their ATM host systems to check for security data on a card's magnetic stripe. This data is unknown to bank customers and, therefore, cannot be phished.

Thieves generally cannot duplicate this security data unless they have insider knowledge of the bank's algorithms and security codes.
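The host-side check described above can be sketched as follows. This is an added example, not code from Gartner or any ATM processor: it parses an ISO/IEC 7813 Track 2 string and declines a withdrawal whose card verification value is missing or wrong, even when the PIN is correct. The position of the CVV in the discretionary data, the issuer key, and the HMAC-based stand-in for the issuer's real DES-based CVV computation are all assumptions made for illustration.

```python
import hashlib
import hmac
import re

# ISO/IEC 7813 Track 2: ;PAN=YYMM + 3-digit service code + discretionary data + ?
TRACK2 = re.compile(r"^;(\d{12,19})=(\d{4})(\d{3})(\d*)\?$")
# Constructed issuer secret; a real host keeps card verification keys in an HSM.
ISSUER_KEY = b"constructed-demo-key"


def expected_cvv(pan, expiry, service_code, key=ISSUER_KEY):
    """Stand-in for the issuer's CVV algorithm: a keyed 3-digit check value.

    Real issuers use a DES-based computation. HMAC-SHA256 is swapped in here
    only to show that the value depends on a secret the cardholder never sees.
    """
    msg = f"{pan}|{expiry}|{service_code}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1000:03d}"


def authorize(track2, pin_ok):
    """Return (approved, reason) for an ATM withdrawal request."""
    m = TRACK2.match(track2)
    if not m:
        return False, "malformed track 2"
    pan, expiry, service_code, discretionary = m.groups()
    if not pin_ok:
        return False, "bad PIN"
    # Assumed layout: the last 3 discretionary digits carry the CVV.
    if len(discretionary) < 3:
        return False, "track 2 security data missing"
    if not hmac.compare_digest(discretionary[-3:], expected_cvv(pan, expiry, service_code)):
        return False, "track 2 CVV mismatch"
    return True, "approved"


def encode_track2(pan, expiry, service_code, discretionary):
    return f";{pan}={expiry}{service_code}{discretionary}?"


# Constructed test data (4111... is a well-known test PAN, not a real account).
PAN, EXP, SVC = "4111111111111111", "0712", "120"
GENUINE = encode_track2(PAN, EXP, SVC, "00000" + expected_cvv(PAN, EXP, SVC))
# A stripe carrying only the account number, with no issuer security data:
NO_DATA = encode_track2(PAN, EXP, SVC, "")
WRONG_CVV = f"{(int(expected_cvv(PAN, EXP, SVC)) + 1) % 1000:03d}"
GUESSED = encode_track2(PAN, EXP, SVC, "00000" + WRONG_CVV)
```

A host that skips the two discretionary-data checks in `authorize` would approve all three constructed stripes on PIN alone, which is the gap the study describes.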

"Criminals are seeking out customers of banks that are not validating ATM cards' Track 2 magnetic stripe security data during cash withdrawal transactions," Litan said. "The hackers call these banks 'cashable.' The prime candidates are banks with high cash withdrawal limits."

Gartner analysts said FIs must protect against all types of fraud committed against checking accounts, regardless of the channel used, such as insider theft, online banking, phone banking, and automated clearinghouse transfers.

"The best defense is a transaction anomaly detection system that compares incoming transactions with profiles of what is expected from the user," Litan said.

More information is available in the Gartner report "Criminals Exploit Consumer Bank Account and ATM System Weaknesses," on Gartner's Web site, www.gartner.com.
