ATMs may be an easy target for thieves

Report says lax bank security allows phishers to feast on 'white card' fraud

By Bob Sullivan
Technology correspondent
msnbc.com
updated 2:48 p.m. ET Aug. 10, 2005

It's supposed to be impossible. Criminals aren't supposed to be able to print their own ATM cards and withdraw funds from your bank accounts at cash machines.

But a new report from the research firm Gartner Inc. says many banks are skipping an important security check, which makes it easier for criminals to forge ATM cards and walk off with thousands of dollars at a time.

Researcher Avivah Litan, author of the Gartner report, says one bank told her it had lost $1 million a month to such fraud. She said that payment processors have told her that up to half of all banks don't check to see if the ATM card used to withdraw money is really the ATM card they gave the consumer.

"Until recently ATM fraud was fairly limited," Litan said. "This is a pretty new phenomenon that has caught banks off guard."

Litan composed her research note after conversations with several bank security experts while investigating cash machine fraud.

While some banking experts agree with Litan's conclusions, others say the problem is minimal, or contend the problems she cites have been fixed.

But the fraud is serious, says Tony Hayes, an ATM analyst with Dove Consulting -- serious enough to be the first real challenge to the PIN-based security of ATM cash machines,

Withdrawals with cloned cards are known as "white card" fraud in the banking industry, because stolen data are loaded onto the back of blank, white plastic cards that look like credit cards. Encoders that write data to the magnetic stripe on blank ATM cards are readily available and sell for as little as $50 on the Internet. They have legitimate purposes, such as for businesses that create consumer loyalty cards or make hotel keys, but, in the right hands, can be used to forge cards.

Often, cloned ATM cards are the end result of a successful phishing e-mail, which tricks a consumer into divulging a PIN and account number. Numbers can also be obtained from receipts or "shoulder surfing" for PIN codes. But that information shouldn't be enough to let an ATM card be forged. Still, card hackers are making off with cash all around the world, experts claim.

Consumers aren't liable for criminal withdrawals from their accounts through ATM machines, but they must report the fraud within 60 days of receiving their bank statements. Otherwise, they have no legal right to a refund. And getting a refund for a fraudulent cash withdrawal is not as easy as disputing a fraudulent credit card charge. Consumers are out the money until it's refunded by the bank -- as opposed to a credit card dispute, in which the consumer never lays out funds.

"Consumers do get their money back, but until they do, they have no assurances. And it's incredibly disruptive to their daily life," Litan said.
