[IP] Analysts say ATM systems highly vulnerable to fraud
Begin forwarded message:
From: EEkid@xxxxxxx
Date: August 3, 2005 10:47:28 PM EDT
To: dave@xxxxxxxxxx
Subject: Analysts say ATM systems highly vulnerable to fraud
Analysts say ATM systems highly vulnerable to fraud
By BRIAN BERGSTEIN AP Technology Writer
(AP) - BOSTON - By failing to scan security codes in the magnetic
strips on ATM and debit cards, many banks are letting thieves get
away with an increasingly common fraud at a cost of several billion
dollars a year.
A report Tuesday from Gartner Inc., a technology analyst firm,
estimates that 3 million U.S. consumers were victims of ATM and debit-
card fraud in the past year.
The fraud most commonly begins when a criminal engages in "phishing"
- sending a legitimate-seeming e-mail with a link to a phony Web site
that appears to belong to a consumer's bank, Gartner analyst Avivah
Litan believes. The e-mail recipients are asked to give their account
information, including PIN numbers.
With that information "harvested," fraudsters can make their own
cards for automated teller machines and withdraw huge sums.
This should be easily preventable, because the magnetic strips on
cards contain multiple tracks. One track has data such as the user's
name and account number. A second track contains special security
codes that card users don't know. That means the information can't be
squeezed out of them in a phishing attack.
Duplicating the codes would require inside knowledge of a bank's
security procedures, Litan said. (The inclusion of security codes in
records held by a credit and debit card processor, CardSystems
Solutions Inc., made that company's massive data breach disclosed
this spring especially dangerous.)
Surprisingly, Litan said, perhaps half of U.S. financial institutions
have not programmed their ATM systems to check the security codes.
Con artists specifically seek out customers of banks that do not
validate the second track on the strip, she said.
Litan believes many banks simply didn't know about the vulnerability.
Others may have once scanned the codes but stopped because using the
codes requires that customers go to a bank and have an ATM card
rewritten whenever they want to change their PINs.
That was a costly step that many banks figured they could avoid in
pre-phishing days when ATM fraud was rare.
"It's not negligence," Litan said. "It's just kind of being asleep at
the wheel when business is running smoothly, and then you get hit."
Gartner estimates that annual losses from ATM fraud total $2.75
billion (euro2.25 billion), or $900 (euro737) per incident. Most of
that is covered by the financial institutions that issued the hacked
cards, but consumers sometimes have to struggle with bounced checks
and other inconveniences when a criminal raids a bank account.
Although fixing the security hole is straightforward, it might not
solve everything.
One of the codes is only three digits, meaning hackers can use brute-
force attacks - trying every possible combination - over some online
systems. Litan advises banks to lengthen the codes on newly issued
cards.
A separate report Tuesday by the corporate services unit at
International Business Machines Corp. noted a surge in Internet
attacks that facilitate bank fraud, including phishing and the
surreptitious installation of keystroke-logging programs that copy
what a computer user types.
Network monitoring by IBM and other organizations led IBM to
determine that, in the first half of this year, criminals sent 35
million e-mails designed to steal financial data.
Criminals are increasingly engaging in "spear phishing," a targeted
attack at a specific person or organization known to be vulnerable,
IBM security analyst Jeremy Kelley said. That makes the phishers
harder to detect and shut down.