"Phishing" Attacks for Consumer ATM Card Numbers and PINs Still Rife, Says Gartner
3 Million US Customers Victimized From June 2004 - May 2005

Three million U.S. consumers were victimized in the past 12 months by fraud involving automated teller machine (ATM)/debit cards, according to Gartner, Inc. The findings are based on a Gartner survey in May of 5,000 U.S. adults who are active online and demographically representative of the U.S. online adult population. Techniques used include "phishing," in which a cyber thief sends an e-mail with a link to a false Web site.

Gartner estimates that in the 12 months ending in May 2005, ATM/debit card fraud in the U.S. generated losses of $2.75 billion, with an average loss of more than $900. Criminals are secretly obtaining consumers' bank account and password information through online phishing and keystroke logging attacks, and then using this information to hack into consumers' ATM accounts.

Most of the losses were covered by banks and other financial institutions that issued the specific ATM/debit cards exploited by thieves.

"Criminals sometimes counterfeit ATM/debit cards with just account numbers and PINs in hand, and they can use this stolen information at ATMs to withdraw cash from a cardholder's account," said Avivah Litan, vice president and research director at Gartner. "They succeed when the card-issuing bank is not validating security codes on the magnetic stripe of the card while authorizing transactions."

According to Litan, banks have the ability to stop these attacks, but many have not taken the extra steps needed to prevent them. "Banks can modify their ATM host systems to check for security data on a card's magnetic strip. This data is unknown to bank customers and, therefore, cannot be phished. Thieves generally cannot duplicate this security data unless they have insider knowledge of the bank's algorithms and security codes."

Phishing occurs when a cyber thief sends an e-mail with a link to a false Web site. The false sites typically are disguised to look like sites of banks or well-known e-commerce merchants. Recipients of these e-mail attacks are asked to provide personal account information.

"Criminals are seeking out customers of banks that are not validating ATM cards' Track 2 magnetic stripe security data during cash withdrawal transactions," Litan said. "The hackers call these banks 'cashable.' The prime candidates are banks with high cash withdrawal limits," she added.

Gartner analysts said banks must protect against all types of fraud committed against checking accounts, regardless of the channel used, such as insider theft, online banking, phone banking, and automated clearing house (ACH) transfers.

"The best defense is a transaction anomaly detection system that compares incoming transactions with profiles of what is expected from the user," Litan continued. "Anomalies are flagged for further investigation and/or subsequent interactive authentication of the user, perhaps through a phone call to the user."

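The two issuer-side defenses described above, Track 2 security-code validation and profile-based anomaly detection, can be sketched as a single authorization decision. This is an added example, not code from the article or from Gartner; the HMAC-based stripe code, the key, the card number, the position of the code in the discretionary data and the thresholds are all constructed stand-ins, since the real stripe-code algorithm is issuer and network specific and is not given here.

```python
import hashlib
import hmac
import re
from statistics import mean, pstdev

ISSUER_KEY = b"constructed-demo-key"  # constructed; a real issuer key lives in an HSM
TRACK2 = re.compile(r"^;([0-9]{12,19})=([0-9]{4})([0-9]{3})([0-9]*)\?$")

def expected_code(pan, expiry, service):
    """Stand-in for the issuer's secret stripe code (not the real card algorithm)."""
    msg = f"{pan}{expiry}{service}".encode()
    mac = hmac.new(ISSUER_KEY, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1000:03d}"

def stripe_code_valid(track2):
    """True only if Track 2 parses and carries the code the issuer expects."""
    m = TRACK2.match(track2)
    if not m:
        return False
    pan, expiry, service, disc = m.groups()
    # Assumption: the code is the last three digits of the discretionary data.
    return len(disc) >= 3 and hmac.compare_digest(
        disc[-3:], expected_code(pan, expiry, service))

def is_anomalous(amount, history, z_limit=3.0, min_history=5):
    """Compare a withdrawal with the cardholder's own past withdrawals."""
    if len(history) < min_history:
        return True  # no usable profile yet, so ask for extra authentication
    limit = mean(history) + z_limit * max(pstdev(history), 1.0)
    return amount > limit

def authorize(track2, amount, history):
    if not stripe_code_valid(track2):
        return "DECLINE"   # account number and PIN alone are not enough
    if is_anomalous(amount, history):
        return "STEP_UP"   # flag for investigation or a call to the cardholder
    return "APPROVE"

# Constructed sample data: test card number, expiry 0712, service code 120.
PAN, EXP, SVC = "9999990000000001", "0712", "120"
GENUINE = f";{PAN}={EXP}{SVC}0000{expected_code(PAN, EXP, SVC)}?"
COUNTERFEIT = f";{PAN}={EXP}{SVC}?"  # encoded without the issuer's stripe code
HISTORY = [40, 60, 80, 60, 40, 100, 60]

if __name__ == "__main__":
    for label, t2, amt in [("genuine, usual", GENUINE, 60),
                           ("genuine, unusual", GENUINE, 800),
                           ("counterfeit", COUNTERFEIT, 60)]:
        print(label, "->", authorize(t2, amt, HISTORY))
```

The stripe check runs before the profile check, so a card lacking the issuer's code is declined even when the withdrawal amount looks normal for that customer.
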
About Jeremy Geelan
Jeremy Geelan is Chairman & CEO of the 21st Century Internet Group, Inc. and an Executive Academy Member of the International Academy of Digital Arts & Sciences. Formerly he was President & COO at Cloud Expo, Inc. and Conference Chair of the worldwide Cloud Expo series. He appears regularly at conferences and trade shows, speaking to technology audiences across six continents. You can follow him on twitter: @jg21.


Reader Feedback

How about phishing blogs? Earlier this year came a report that there were over 200 active bogus blogs, with an average lifespan of just three or four days. Once a person arrives at the blog, which can be posted on a legitimate host site, the victim's computer becomes infected with software designed to steal sensitive information, such as passwords and bank account information.

Can it really have been as long ago as 2003 that saw the proliferation of the phishing scam in which users received e-mails supposedly from eBay? Remember, they claimed that the user's account was about to be suspended unless you clicked on the provided link and updated the credit card information that the genuine eBay already had. Or was it only in 2004?

Treasury department auditors recently posed as network technicians and attempted to get IRS employees to reveal their usernames and passwords and/or change the password to one suggested by the 'technician.' The result: over one-third shared their passwords. If there is any good news in the story it is that the 35% figure represents a substantial reduction from the 71% who fell for the ruse in 2001.



