Online theft of ATM data increasing, study says

Software used to monitor keystrokes, steal numbers

August 03, 2005 | By COX NEWS SERVICE

Online thieves are increasingly getting to consumers' money through ATMs, according to a report yesterday from a Boston technology research company.

An estimated 3 million U.S. consumers were victims of online "phishing" schemes involving automated teller machines in the year that ended in May, said the study from Gartner Inc.

The Web has long been a hot spot for cyber thieves who set up fake Web sites and use fake e-mails to trick consumers into giving up credit-card numbers and other personal information.

The latest twist is for the crooks to use software to monitor consumers' keystrokes as they type in bank account numbers and personal identification numbers. They use those numbers to craft counterfeit ATM cards that let them withdraw money from consumers' bank accounts.

Gartner research director Avivah Litan estimates that ATM and debit-card theft cost banks and their insurers $2.75 billion in the 12-month period, with an average loss of more than $900 per incident.

Banking industry representatives were quick to dispute the report, saying that actual bank losses are much lower and that most financial institutions have added security measures in the past year that have decreased ATM fraud sharply.

"We're a bit perplexed ... because the real numbers aren't even close" to $2.75 billion, said Nessa Feddis, senior federal counsel for the American Bankers Association.

Feddis said for all of 2003, for example, the nation's biggest banks reported total fraud-related losses from checking and savings accounts of $600 million, "and the trends show [losses from all fraud] are declining."

Gartner based its study largely on a survey of 5,000 consumers who are active on the Internet. While credit card fraud and illegal checking account transfers were the most prevalent types of Internet thievery, according to the consumers surveyed, bank account information theft resulted in bigger monetary losses and was seen as a growing problem.

Banks typically cover consumers' losses from fraud, meaning that it's usually banks, not consumers, that lose money in phishing scams.

Analyst Litan said the banks themselves were mainly to blame for the losses. That's because up until about a year ago, big banks didn't typically check all of the security ID data on the magnetic strips of ATM cards. That practice changed after the big banks experienced an increase in ATM fraud, but Litan said many smaller banks and credit unions still don't check the so-called "Track 2" data on magnetic strips.

"The security is all there. They just have to use it," she said. "And as soon as they [banks] find out they're getting defrauded, they do."

Feddis of the bankers association acknowledged that many big banks didn't always check the extra ID information up until a year or so ago, because they didn't see the need.

"It's a bit like not locking your car doors if you live in a small town," she said. "There wasn't really a need ... because there wasn't really a lot of this type of fraud."

The Gartner report predicts that, by the end of this year, nearly 30 more financial institutions will face ATM fraud problems tied to phishing scams. But it also predicts that at least 75 percent of banks will learn their lesson and start checking the Track 2 data on magnetic cards.

Meanwhile, many banks also are taking other steps to increase online security to prevent phishing schemes.

Charlotte, N.C.-based Bank of America, for instance, recently rolled out a new security program called SiteKey that asks customers to verify a specific photograph or icon they chose previously before logging in.

Other banks are adding different security measures.

"Our members ... do see an increase in phishing and other scam efforts," said Fritz Elmendorf, spokesman for the Consumer Bankers Association trade group. "But they're also doing their best to stay ahead of it."

Baltimore Sun Articles