Online identity thieves are exploiting security flaws in ATMs to steal funds from US bank accounts, according to research by Gartner.
Gartner estimates that ATM card fraud cost US banks $2.75 billion in losses and affected an estimated three million consumers in the year ending May 2005.
The latest research suggests that criminals are increasingly obtaining account details and passwords by online phishing and keystroke logging attacks, and then using this information to clone cards and withdraw money from accounts at ATMs.
Avivah Litan, VP and research director at Gartner, says criminals succeed when the card-issuing bank is not validating security codes - which are stored on Track 2 of the magnetic stripe and include PIN offsets and Card Verification Value (CVV) codes - while authorising transactions.
"As many as half of US-based financial institutions are not validating Track 2 security data while authorising ATM and PIN debit transactions. Most of these institutions are unaware that they, or the outsourced ATM transactions processor they rely on, should be doing so," she says.
Litan says criminals are now seeking out customers of banks that are not validating mag-stripe security data during cash withdrawal transactions: "The hackers call these banks 'cashable'. The prime candidates are banks with high cash withdrawal limits."
Gartner says banks have the ability to stop these attacks, but many have not taken the steps needed to prevent them. Banks can modify ATM host systems to check for security data on a card's magnetic strip. This data is unknown to bank customers and therefore cannot be phished. Thieves generally cannot duplicate this security data unless they have insider knowledge of the bank's algorithms and security codes.
"The best defence is a transaction anomaly detection system that compares incoming transactions with profiles of what is expected from the user," says Litan. "Anomalies are flagged for further investigation and/or subsequent interactive authentication of the user, perhaps through a phone call to the user."