In response to Gartner Inc.'s highly publicized study, TowerGroup has come out with its own study.
August 29, 2005
When major media outlets began reporting on a Gartner Inc. study contending that phishing in the ATM and POS channels costs financial institutions $2.75 billion a year, Jerry Silva's phone immediately began to ring.
Silva, senior analyst of delivery channels at research firm TowerGroup, said several large financial institutions that were clients of the Needham, Mass.-based TowerGroup contacted him and questioned the validity of Gartner's findings.
And just under three weeks later, Silva released a report of his own.
But even Silva is going to update his study's findings, he told ATMmarketplace Aug. 22.
"I originally talked with the top banks, and that represents 50 or 60 million cardholders," Silva said, adding that he surveyed the top 100 banks in the United States. "But after I finished that, I went back and started talking to smaller banks, and what I found was that phishing is a much different phenomenon with smaller banks."
A division based on size
In contrast to the Gartner study, Silva found that more than 90 of the 100 largest banks in the U.S. do check the card verification value or the card validation code on ATM/debit cards' magnetic stripes.
But in talking with representatives from small to mid-sized banks, he found that the percentage checking magnetic stripes is substantially lower.
With his new insight, Silva released a report revision Aug. 24. In his revised version, Silva said, he will increase the estimated amount lost annually at the ATM or POS by almost $30 million, from $5.6 million to $35.5 million.
While the TowerGroup study was based on interviews with bank officials, the Gartner study was based on a survey of 5,000 consumers. Silva said he could not speculate as to why the two studies arrived at such dramatically different conclusions.
Silva's study also found that incidents of fraud at the ATM that resulted from online phishing are relatively rare. "There were two things we looked at," he said. "First, can you successfully create a card through phishing and if so, to what extent is it going on?
"When you talk about phishing, you first must contact consumers (via e-mail) and get them to give up enough information to produce a card, and then you have to target an institution that is not checking CVV or CVC," he added.
Silva's preliminary report, released Aug. 22, found that less than 1 percent of fraud losses at the ATM or POS result from phishing. The revision released two days later increased that figure to 3.5 percent.
"Most debit card fraud occurs when a card is stolen or 'borrowed' by a family member or friend with knowledge of the PIN," Silva states in the report. "It stands to reason that this kind of fraud is the easiest to commit and thus represents the highest incident of total debit card fraud."
Given the high percentage of banks that check magnetic stripes, Silva said, most phishing schemes are not likely to succeed.
Although the numbers in the TowerGroup study are dramatically lower than Gartner's findings, the report does caution FIs, and the industry as a whole, to take the problem seriously.
In his report, Silva writes that his research "should not lull … banks into a false state of relaxation. Phishing may not lead to the same scale of loss overall as credit card and check fraud do, but any victim of identity theft through phishing will attest to the enormous amount of damage it causes."