Phishers cash in on ATM cards

Online scams lead to an estimated $2.75 billion in losses related to ATM and debit cards over the past 12 months, Gartner says.

Dawn Kawamoto Former Staff writer, CNET News

Dawn Kawamoto covered enterprise security and financial news relating to technology for CNET News.

See full bio

Dawn Kawamoto

Aug. 4, 2005 6:19 a.m. PT

2 min read

Phishing attacks have led to an estimated $2.75 billion in losses related to ATM and debit cards over the past 12 months, according to a new Gartner report.

The report, released Tuesday, includes a recent survey of 5,000 U.S. bank customers. From the survey, Gartner estimates that 3 million Americans have lost an average of more than $900 each due to online scams over the past year.

Scam artists are gleaning bank account numbers and personal identification numbers (PINs) through the use of phishing attacks and keystroke logging technology, according to the report. They are then creating fake ATM and debit cards and using the cards to steal money and make purchases.

Criminals "succeed when the card-issuing bank is not validating security codes on the magnetic strip of the card while authorizing transactions," Avivah Litan, Gartner research director, said in a statement.

Banks, as a result, have it within their control to minimize their losses, Litan noted.

On the magnetic strip of every ATM card, security codes are stored on Track 2. These codes tie the physical card with the customer's account number and add an additional layer of security beyond validating a customer's PIN.

But up to half of U.S. banks fail to validate Track 2 data and only rely on customer PINs to authorize ATM transactions, according to Litan, who based that estimate on conversations with banks and transaction processors.

"Criminals are seeking out customers of banks that are not validating ATM cards' Track 2 magnetic stripe security data," Litan said. "Hackers call these banks 'cashable.'"

Banks could curtail this type of attack by modifying their ATM host systems, which would require the systems to review Track 2 security data, Litan noted.

Because customers are not aware of the Track 2 data housed on their ATM's magnetic strip, phishers cannot dupe them into providing this sensitive information, the report said. And unless a hacker were familiar with a bank's algorithms and security codes, Track 2 data generally could not be duplicated, according to the Gartner report.

Phishing is on a steep rise, according to a report released Tuesday by security software company Postini. The company found nearly 19.3 million phishing attempts in the month of July as it processed customers email--marking a 16 percent increase over June.

The July phishing attempts marked the highest levels the company has seen to date.