ATM Fraud Jumps, Banks Could Stop It
Over three million consumers a year are now being affected by ATM card fraud resulting in losses of $2.75 billion, according to a report released Tuesday by research firm Gartner. The average loss per person was $900.
Criminals are able to access the bank account and password information through phishing and keystroke attacks on users. Since bank personal identification numbers (PINs) are often the same for both the online banking application and ATM card, a hacker can easily obtain access to a user's ATM account by looking for this information.
The increasing problem is also costing banks money. Most of the losses incurred by these attacks end up being covered by the bank of the customer who had his account information compromised.
"Criminals sometimes counterfeit ATM/debit cards with just account numbers and PINs in hand, and they can use this stolen information at ATMs to withdraw cash from a cardholder's account," said Avivah Litan, vice president and research director at Gartner.
Another part of the problem is some banks do not use the security code that is included on the card when authorizing a transaction. That means a fake ATM card can be used without the machine being able to detect it.
"Perhaps as many as half of U.S.-based financial institutions are not validating Track 2 security data while authorizing ATM and PIN debit transactions," Litah added.
Since this data cannot be phished, it would practically end the problem of ATM fraud. Criminals are looking for the banks who are not taking these steps to protect their customers, Litan said, and especially those with high withdrawal limits.
Litan also suggested that banks use a process with ATM cards that already is used by many credit card companies to prevent fraudulent transactions.
"The best defense is a transaction anomaly detection system that compares incoming transactions with profiles of what is expected from the user," she said. "Anomalies are flagged for further investigation and/or subsequent interactive authentication of the user, perhaps through a phone call to the user."