Complain about a product or service

Analyst: Banks Make It Easy For Cyber-Thieves

August 3, 2005

Online Banking • ChexSystems Gets Into Online Banking • FDIC: Banks Must Improve Online Security • Analyst: Banks Make It Easy For Cyber-Thieves • Consumers Losing Confidence in Online Commerce, Banking • More on this topic ...

Last year nearly three million consumers had $2.75 billion lifted from their bank accounts by thieves, most of whom used the Internet to trick people into revealing account numbers and PINs. An industry analyst says banks could have prevented much of the theft with a little extra security.

A report by Avivah Litan, director of research at Gartner, Inc., says there is a big hole in the security system. About half the nation’s banks, she says, don’t have secondary security codes on their ATM and debit cards’ magnetic strip.

"Criminals sometimes counterfeit ATM/debit cards with just account numbers and PINs in hand, and they can use this stolen information at ATMs to withdraw cash from a cardholder's account," said Litan. "They succeed when the card-issuing bank is not validating security codes on the magnetic stripe of the card while authorizing transactions." PINs are personal-identification numbers.

"These security codes are stored on Track 2 of the magnetic stripe and include PIN offsets and Card Verification Value (CVV) codes," Litan said. "The codes link the physical card to the customer's account number.

ATM and debit card fraud is quickly surpassing credit card fraud, according to the report. When criminals obtain a PIN, they encode blank cards and use them at ATM machines or at retail businesses where they can get cash back with a purchase.

"Criminals are seeking out customers of banks that are not validating ATM cards' Track 2 magnetic stripe security data during cash withdrawal transactions," Litan said. "The hackers call these banks 'cashable.' The prime candidates are banks with high cash withdrawal limits."

Litan says an easy fix – and one banks are beginning to employ more often – is to include PIN offsets and Card Verification Value codes on the magnetic strips on the backs of ATM and debit cards. The consumer doesn’t know what that number is, so it can’t be revealed in a phishing scam.

Litan says larger banks were quick to learn the lesson and adapt, so thieves have moved on to target many smaller banks. Those using small, local banks should be extra careful, she says, not to reveal PINs to anyone for any reason.

The findings are based on a Gartner survey in May of 5,000 U.S. adults who are active online and demographically representative of the U.S. online adult population.

Gartner analysts said banks must protect against all types of fraud committed against checking accounts, regardless of the channel used, such as insider theft, online banking, phone banking, and automated clearing house (ACH) transfers.

"The best defense is a transaction anomaly detection system that compares incoming transactions with profiles of what is expected from the user," Litan said. "Anomalies are flagged for further investigation and/or subsequent interactive authentication of the user, perhaps through a phone call to the user."

Report Your Experience
If you've had a bad experience -- or a good one -- with a consumer product or service, we'd like to hear about it. All complaints are reviewed by class action attorneys and are considered for publication on our site. Knowledge is power! Help spread the word. File your consumer report now.

Follow us on Twitter.

Back to the top |