Thursday, August 11, 2005
Online Scams Target ATMs
A new report says online thieves are increasingly getting to consumers' money in yet another way: through ATMs. An estimated 3 million U.S. consumers were victims of online "phishing" scams involving automated teller machines in the year ended in May, according to a study from technology research company Gartner .
The Web has long been a hot spot for cyber-thieves who set up fake Web sites and use fake e-mails to trick consumers into giving up credit card numbers and other personal information.
The latest twist is for the crooks to use software to monitor consumers' keystrokes as they type in bank account numbers and personal identification numbers. They use those numbers to craft counterfeit ATM cards that let them withdraw money right from consumers' bank accounts.
Gartner research director Avivah Litan estimates that ATM and debit card theft cost banks and their insurers US$2.75 billion in the 12-month period, with an average loss of more than $900.
Banking industry representatives were quick to dispute the report, saying actual bank losses are much lower and that most financial institutions have added security measures in the past year that have decreased ATM fraud dramatically. "We're a bit perplexed ... because the real numbers aren't even close" to $2.75 billion, said Nessa Feddis, senior federal counsel for the American Bankers Association. Feddis said for all of 2003, for example, the nation's biggest banks reported total fraud-related losses from checking and savings accounts of only $600 million, "and the trends show [losses from all fraud] are declining."
Gartner based its study in large part on a survey of 5,000 consumers who are active on the Internet . While credit card fraud and illegal checking account transfers were the most prevalent type of Internet thievery, according to the consumers surveyed, bank account information theft resulted in bigger monetary losses and was seen as a growing problem. Banks typically cover consumers' losses from fraud, meaning that typically it's banks, not consumers, that lose money in phishing scams.
Analyst Litan said the banks themselves were mainly to blame for the losses. That's because up until about a year ago, big banks didn't typically check all of the security ID data on the magnetic strips of ATM cards. That practice changed after the big banks experienced an increase in ATM fraud, but Litan said many smaller banks and credit unions still don't check the so-called Track 2 data on magnetic strips. "The security is all there. They just have to use it," she said. "And as soon as they [banks] find out they're getting defrauded, they do." Feddis of the bankers association acknowledged that many big banks didn't always check the extra ID information up until a year or so ago, because they didn't see the need.
"It's a bit like not locking your car doors if you live in a small town," she said. "There wasn't really a need ... because there wasn't really a lot of this type of fraud." In its report, Gartner predicted that by the end of this year, nearly 30 more financial institutions will face ATM fraud problems tied to phishing scams. But it also predicted that at least 75 percent of banks will learn their lesson and start checking the Track 2 data on magnetic cards.
Meanwhile, many banks also are taking other steps to increase online security to prevent phishing scams. Charlotte, N.C.-based Bank of America, for instance, recently rolled out a new security program called SiteKey that asks customers to verify a specific photograph or icon they chose previously before logging in. Other banks are adding different security measures. "Our members do see an increase in phishing and other scam efforts," said Fritz Elmendorf, spokesman for the Consumer Bankers Association, a trade group. "But they're also doing their best to stay ahead of it."
Brought to you by Guardian eCommerce.
The Web has long been a hot spot for cyber-thieves who set up fake Web sites and use fake e-mails to trick consumers into giving up credit card numbers and other personal information.
The latest twist is for the crooks to use software to monitor consumers' keystrokes as they type in bank account numbers and personal identification numbers. They use those numbers to craft counterfeit ATM cards that let them withdraw money right from consumers' bank accounts.
Gartner research director Avivah Litan estimates that ATM and debit card theft cost banks and their insurers US$2.75 billion in the 12-month period, with an average loss of more than $900.
Banking industry representatives were quick to dispute the report, saying actual bank losses are much lower and that most financial institutions have added security measures in the past year that have decreased ATM fraud dramatically. "We're a bit perplexed ... because the real numbers aren't even close" to $2.75 billion, said Nessa Feddis, senior federal counsel for the American Bankers Association. Feddis said for all of 2003, for example, the nation's biggest banks reported total fraud-related losses from checking and savings accounts of only $600 million, "and the trends show [losses from all fraud] are declining."
Gartner based its study in large part on a survey of 5,000 consumers who are active on the Internet . While credit card fraud and illegal checking account transfers were the most prevalent type of Internet thievery, according to the consumers surveyed, bank account information theft resulted in bigger monetary losses and was seen as a growing problem. Banks typically cover consumers' losses from fraud, meaning that typically it's banks, not consumers, that lose money in phishing scams.
Analyst Litan said the banks themselves were mainly to blame for the losses. That's because up until about a year ago, big banks didn't typically check all of the security ID data on the magnetic strips of ATM cards. That practice changed after the big banks experienced an increase in ATM fraud, but Litan said many smaller banks and credit unions still don't check the so-called Track 2 data on magnetic strips. "The security is all there. They just have to use it," she said. "And as soon as they [banks] find out they're getting defrauded, they do." Feddis of the bankers association acknowledged that many big banks didn't always check the extra ID information up until a year or so ago, because they didn't see the need.
"It's a bit like not locking your car doors if you live in a small town," she said. "There wasn't really a need ... because there wasn't really a lot of this type of fraud." In its report, Gartner predicted that by the end of this year, nearly 30 more financial institutions will face ATM fraud problems tied to phishing scams. But it also predicted that at least 75 percent of banks will learn their lesson and start checking the Track 2 data on magnetic cards.
Meanwhile, many banks also are taking other steps to increase online security to prevent phishing scams. Charlotte, N.C.-based Bank of America, for instance, recently rolled out a new security program called SiteKey that asks customers to verify a specific photograph or icon they chose previously before logging in. Other banks are adding different security measures. "Our members do see an increase in phishing and other scam efforts," said Fritz Elmendorf, spokesman for the Consumer Bankers Association, a trade group. "But they're also doing their best to stay ahead of it."
Brought to you by Guardian eCommerce.
