By BRIAN BERGSTEIN, AP Technology Writer
By failing to scan security codes in the magnetic strips on ATM and
debit cards, many banks are letting thieves get away with an
increasingly common fraud at a cost of several billion dollars a year.
A report Tuesday from Gartner Inc., a technology analyst firm,
estimates that 3 million U.S. consumers were victims of ATM and
debit-card fraud in the past year.
The fraud most commonly begins when a criminal engages in "phishing" --
sending a legitimate-seeming e-mail with a link to a phony Web site that
appears to belong to a consumer's bank, Gartner analyst Avivah Litan
believes. The e-mail recipients are asked to give their account
information, including PIN numbers.
With that information "harvested," fraudsters can make their own cards
for automated teller machines and withdraw huge sums.
This should be easily preventable, because the magnetic strips on
cards contain multiple tracks. One track has data such as the user's
name and account number. A second track contains special security
codes that card users don't know. That means the information can't be
squeezed out of them in a phishing attack.
Duplicating the codes would require inside knowledge of a bank's
security procedures, Litan said. (The inclusion of another kind of
security codes in records held by a credit and debit card processor,
CardSystems Solutions Inc., made that company's massive data breach
disclosed this spring especially dangerous.)
Surprisingly, Litan said, perhaps half of U.S. financial institutions
have not programmed their ATM systems to check the security codes. Con
artists specifically seek out customers of banks that do not validate
the second track on the strip, she said.
Litan believes many banks simply didn't know about the vulnerability.
Others may have once scanned the codes but stopped because using the
codes requires that customers go to a bank and have an ATM card
rewritten whenever they want to change their PINs.
That was a costly step that many banks figured they could avoid in
pre-phishing days when ATM fraud was rare.
"It's not negligence," Litan said. "It's just kind of being asleep at
the wheel when business is running smoothly, and then you get hit."
Gartner estimates that annual losses from ATM fraud total $2.75
billion, or $900 per incident. Most of that is covered by the
financial institutions that issued the hacked cards, but consumers
sometimes have to struggle with bounced checks and other
inconveniences when a criminal raids a bank account.
Although fixing the security hole is straightforward, it might not
solve everything.
One of the codes is only three digits, meaning hackers can use
brute-force attacks -- trying every possible combination -- over some
online systems. Litan advises banks to lengthen the codes on newly
issued cards.
A separate report Tuesday by the corporate services unit at
International Business Machines Corp. noted a surge in Internet
attacks that facilitate bank fraud, including phishing and the
surreptitious installation of keystroke-logging programs that copy
what a computer user types.
Network monitoring by IBM and other organizations led IBM to determine
that, in the first half of this year, criminals sent 35 million
e-mails designed to steal financial data.
Criminals are increasingly engaging in "spear phishing," a targeted
attack at a specific person or organization known to be vulnerable,
IBM security analyst Jeremy Kelley said. That makes the phishers
harder to detect and shut down.
Copyright 2005 The Associated Press.
NOTE: For more telecom/internet/networking/computer news from the
daily media, check out our feature 'Telecom Digest Extra' each day at
http://telecom-digest.org/td-extra/more-news.html . Hundreds of new
articles daily.
[TELECOM Digest Editor's Note: Phishing has indeed gotten much, much
worse in the past year or so. There have been some days I have
received a hundred phish things on PayPal in a single day. At one time
I was batching them up (five, ten or twenty at a time in the day's
incoming email) and sending them off to 'spoof@paypal.com'. I would
specifically read through the 'source' on an HTML message looking for
the real sender.
For example, the source code will often times do a pretty good
imitation of PayPal, and give a URL to go to for doing the 'required'
updates in order to have your account 'unrestricted' once again, which
looks something like
http://somewhere.com/cgi-bin/something/www.paypal.com "Security Team"
or some such nonsense. I was taking several of these incoming mails
all at one time, putting them in a larger cover letter and sending
them on to 'spoof@paypal.com'. PayPal kept asking me to please forward
'any I recieved'; so if I got fifty in a day, which was typical, I
would send all fifty.
All I would ever get back from PayPal was an auto-ack saying "thanks
for passing it along; our review shows it is not a bonafide PayPal
page, we will deal with it. If you gave any personal information to
that site, you may get trouble." I had a stack of those auto-acks from
Paypal almost as large as the collection of spoofs I would mail them
each day; I do not see where it ever did any good; the 'spoofs' just
contine, unabated, so I finally quit sending them in, as I have better
things to do also. They _claim_ they shut those sites down but I do
not see any progress at it. Maybe they are like many netters, and
'horrified' at the prospect of shutting down an offensive web site.
Maybe they figure like a lot of netters that if they shut down those
jackals they 'may get sued', etc. Who knows, maybe PayPal bought into
that line of malarkey also. PAT]
Brian Bergstein (ap@telecom-digest.org)