According to the research firm, ATM fraud is on the rise,
affecting an estimated three million US consumers in the year to
May 2005, and generating losses of $2.75 billion. The figures were
based on a survey of 5,000 US adults.
Magnetic stripes on credit and debit cards tend to contain three
'tracks' of information. Track 1 holds up to 79 alphanumeric
characters that usually encode the account number, customer name
and card expiry date. Track 2 contains up to 40 numeric characters
and is used to store certain encrypted security data. Track 3 holds
up to 107 numeric characters but is rarely used.
Avivah Litan, vice president and research director at Gartner,
explained that the security codes stored in Track 2 link the
physical card to the customer's account number. But she warned that
banks are neglecting this important security check.
"Surprisingly, perhaps as many as half of US-based financial
institutions are not validating Track 2 security data while
authorising ATM and PIN debit transactions," she said. "Most of
these institutions are unaware that they, or the outsourced ATM
transactions processor they rely on, should be doing so."
Ms Litan explained that criminals were targeting the customers
of banks that are not validating the Track 2 data. "The hackers
call these banks 'cashable,'" she said. "The prime candidates are
banks with high cash withdrawal limits."
Gartner says the banks have the ability to stop these attacks by
modifying their ATM host systems to check for security on a card's
magnetic stripe. These data are unknown to bank customers and
therefore cannot be phished, while thieves generally cannot
duplicate the data unless they have insider knowledge of the bank's
algorithms and security codes.
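
The host-side check Gartner describes can be sketched as follows. This is an added example, not code from Gartner or any bank. The Track 2 field layout is assumed from the common card format, and BANK_KEY, expected_code and the HMAC-based code are hypothetical stand-ins for a bank's secret algorithm and security codes.

```python
import hashlib
import hmac
import re

BANK_KEY = b"constructed-demo-key"  # stands in for the bank's secret codes
# Assumed layout: ;PAN=YYMM + 3-digit service code + discretionary data + ?
TRACK2 = re.compile(r";(\d{1,19})=(\d{4})(\d{3})(\d*)\?")


def expected_code(pan, expiry, service, key=BANK_KEY):
    """3-digit value bound to the card data (HMAC stand-in, hypothetical)."""
    mac = hmac.new(key, f"{pan}|{expiry}|{service}".encode(), hashlib.sha256)
    return f"{int.from_bytes(mac.digest()[:4], 'big') % 1000:03d}"


def authorise(track2, pin_ok, check_security_data=True):
    """Return (approved, reason) for one ATM or PIN debit request."""
    m = TRACK2.fullmatch(track2) if len(track2) <= 40 else None
    if m is None:
        return False, "malformed track 2"
    pan, expiry, service, discretionary = m.groups()
    if not pin_ok:
        return False, "PIN rejected"
    if check_security_data:
        # Assumption: the code is the first 3 discretionary digits.
        presented = discretionary[:3]
        wanted = expected_code(pan, expiry, service)
        if len(presented) < 3 or not hmac.compare_digest(presented, wanted):
            return False, "track 2 security data mismatch"
    return True, "approved"


def demo():
    pan, expiry, service = "9999000011112222", "0712", "101"  # constructed
    good = expected_code(pan, expiry, service)
    guess = f"{(int(good) + 1) % 1000:03d}"  # any value other than the real one
    genuine = f";{pan}={expiry}{service}{good}?"
    counterfeit = f";{pan}={expiry}{service}{guess}?"  # card data without the code
    return {
        "genuine, validating host": authorise(genuine, True),
        "counterfeit, validating host": authorise(counterfeit, True),
        "counterfeit, non-validating host": authorise(counterfeit, True, False),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

With check_security_data switched off, the host approves any well-formed track presented with a correct PIN, which is the condition the article attributes to institutions that skip the Track 2 check.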