Gartner Says ATM/Debit Card Fraud Resulted in $2.75 Billion in Losses in Past Year
Criminals Create Phishing Attacks for Consumer ATM Card Numbers and PINs to Penetrate Unguarded Bank Systems
STAMFORD, Conn., August 2, 2005 — Thieves increasingly are exploiting vulnerabilities in consumer bank account systems, with an estimated 3 million U.S. consumers victimized by fraud involving automated teller machine (ATM)/debit cards in a recent 12-month period, according to Gartner, Inc.
Gartner estimates that in the 12 months ending in May 2005, ATM/debit card fraud in the U.S. generated losses of $2.75 billion, with an average loss of more than $900. Criminals secretly are obtaining consumer banking account and password information by online phishing and keystroke logging attacks, and then using this information to hack into consumers' ATM accounts.
Most of the losses were covered by banks and other financial institutions that issued the specific ATM/debit cards exploited by thieves.
The findings are based on a Gartner survey in May of 5,000 U.S. adults who are active online and demographically representative of the U.S. online adult population.
"Criminals sometimes counterfeit ATM/debit cards with just account numbers and PINs in hand, and they can use this stolen information at ATMs to withdraw cash from a cardholder's account," said Avivah Litan, vice president and research director at Gartner. "They succeed when the card-issuing bank is not validating security codes on the magnetic stripe of the card while authorizing transactions." PINs are personal-identification numbers.
"These security codes are stored on Track 2 of the magnetic stripe and include PIN offsets and Card Verification Value (CVV) codes," Ms. Litan said. "The codes link the physical card to the customer's account number. Surprisingly, perhaps as many as half of U.S.-based financial institutions are not validating Track 2 security data while authorizing ATM and PIN debit transactions. Most of these institutions are unaware that they, or the outsourced ATM transactions processor they rely on, should be doing so."
Banks have the ability to stop these attacks, but many have not taken the extra steps needed to prevent them. Banks can modify their ATM host systems to check for security data on a card's magnetic stripe. This data is unknown to bank customers and, therefore, cannot be phished. Thieves generally cannot duplicate this security data unless they have insider knowledge of the bank's algorithms and security codes.
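The host-side check described above, sketched as an added example (it is not Gartner's code or any bank's): an authorization routine that approves on account number and PIN alone, next to the same routine validating the Track 2 security code. The key, the discretionary-data layout and the HMAC-based `expected_code` are assumptions standing in for an issuer's real card verification algorithm and keys.

```python
import hashlib
import hmac
import re

# Hypothetical issuer secret; a real host keeps card verification keys in an HSM.
ISSUER_KEY = b"constructed-demo-key"

# ISO/IEC 7813 Track 2: ;PAN=YYMM, 3-digit service code, discretionary data, ?
TRACK2 = re.compile(r"^;(\d{12,19})=(\d{4})(\d{3})(\d*)\?$")


def expected_code(pan, expiry, service_code):
    """Stand-in for the issuer's CVV algorithm: keyed digest cut to 3 digits."""
    msg = f"{pan}{expiry}{service_code}".encode()
    digest = hmac.new(ISSUER_KEY, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1000:03d}"


def encode_track2(pan, expiry, service_code):
    """Issuer-side encoding; the code fills the discretionary field (assumed layout)."""
    return f";{pan}={expiry}{service_code}{expected_code(pan, expiry, service_code)}?"


def authorize(track2, pin_verified, validate_track2):
    """Host decision for a cash withdrawal; validate_track2 is the setting at issue."""
    m = TRACK2.match(track2)
    if m is None:
        return "DECLINE: malformed track 2"
    if not pin_verified:
        return "DECLINE: bad PIN"
    pan, expiry, service_code, disc = m.groups()
    if validate_track2:
        want = expected_code(pan, expiry, service_code)
        if len(disc) < 3 or not hmac.compare_digest(disc[-3:], want):
            return "DECLINE: track 2 security code mismatch"
    return "APPROVE"


# Constructed sample data (not real card numbers).
PAN, EXPIRY, SERVICE = "9999990000000001", "0712", "120"
GENUINE = encode_track2(PAN, EXPIRY, SERVICE)
# Stripe built from account data alone: the discretionary field is empty.
NO_CODE = f";{PAN}={EXPIRY}{SERVICE}?"

if __name__ == "__main__":
    for label, track in (("genuine", GENUINE), ("no code", NO_CODE)):
        for check in (False, True):
            print(label, "validate" if check else "skip", authorize(track, True, check))
```

With validation off, both stripes are approved once the PIN verifies; with it on, only the stripe carrying the issuer-computed code is.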
Phishing occurs when a cyber thief sends an e-mail with a link to a false Web site. The false sites typically are disguised to look like sites of banks or well-known e-commerce merchants. Recipients of these e-mail attacks are asked to provide personal account information.
"Criminals are seeking out customers of banks that are not validating ATM cards' Track 2 magnetic stripe security data during cash withdrawal transactions," Ms. Litan said. "The hackers call these banks 'cashable.' The prime candidates are banks with high cash withdrawal limits."
Gartner analysts said banks must protect against all types of fraud committed against checking accounts, regardless of the channel used, such as insider theft, online banking, phone banking, and automated clearing house (ACH) transfers.
"The best defense is a transaction anomaly detection system that compares incoming transactions with profiles of what is expected from the user," Ms. Litan said. "Anomalies are flagged for further investigation and/or subsequent interactive authentication of the user, perhaps through a phone call to the user."
More information is available in the Gartner report Criminals Exploit Consumer Bank Account and ATM System Weaknesses. The report can be accessed on Gartner's Web site.
About Gartner Financial Services Technology Summit
Gartner analysts will examine the state of the financial services industry during the Gartner Financial Services Technology Summit, to be held August 29-31, 2005, at the New York Marriott Marquis Hotel. The inaugural Gartner Financial Services Technology Summit is the most comprehensive event of its kind designed exclusively for Financial Services Industry IT executives and their business counterparts with a keen interest in the business value of IT. Gartner Financial Services Technology Summit hits the critical spot between strategic planning and tactical advice for IT organizations in banking, investments, and insurance. This 3-day forum looks at the state of IT in the financial services industry, a view of the future, what it takes to be prepared, and tackles the complex IT issues while laying out the manageable actions needed for success. In addition, many of the 30-plus content sessions will feature case studies and panel discussions presented by end-users and industry professionals.
For complete event details, please visit the Gartner Financial Services Technology Summit Web site at www.gartner.com/us/fstechsummit. Members of the media can register by contacting Christy Pettey at christy.pettey@gartner.com.
About Gartner:
Gartner, Inc. is the leading provider of research and analysis on the global information technology industry. Gartner serves more than 10,000 clients, including chief information officers and other senior IT executives in corporations and government agencies, as well as technology companies and the investment community. The Company focuses on delivering objective, in-depth analysis and actionable advice to enable clients to make more informed business and technology decisions. The Company's businesses consist of Research and Events for IT professionals; Gartner Executive Programs, membership programs and peer networking services; and Gartner Consulting, customized engagements with a specific emphasis on outsourcing and IT management. Founded in 1979, Gartner is headquartered in Stamford, Connecticut, and has over 3,900 associates, including more than 1,100 research analysts and consultants, in more than 75 locations worldwide. For more information, visit www.gartner.com.