Phishing-related ATM and POS Debit Fraud: A Growing Concern?
e've heard about e-mail phishing scams that aim to takeover accounts and steal identities: Fraudsters posing as banks send e-mail that "phishes" for account and personal information and hope that unsuspecting consumers will provide it. But to what extent are these scams contributing to ATM and debit-based fraud at the POS?
In 2004, losses from overall ATM and PIN-based POS debit fraud in the United States totaled $990 million, according to research and consulting firm TowerGroup. ATM/POS fraud directly connected to phishing resulted in about 75,000 transactions in 2004. Direct losses from these attacks totaled $39.6 million that year; 2005 losses may reach $100 million.
To commit ATM or POS PIN-based fraud, someone needs a consumer's account number and PIN. They also "need to know how to write a track 2," Jerry Silva, TowerGroup's Service Director, Retail Banking and Delivery Channels said in a recent Webinar, "Turning Phishing Into Cash: Criminal Convenience at the ATM."
Track 2 data are stored on a card's magnetic stripe and contain cardholder number, expiration date, PIN offset and service code. Due to the complexity of these data, "much of this type of fraud is committed by insiders, folks who have been in the industry," he said. Fraudsters steal the information to create counterfeit plastic cards. They use the cards for cash withdrawals or to make purchases at the POS. ATM losses are 30 to 40 times more likely to occur than POS losses because obtaining cash is a bigger priority for fraudsters than say, a television set.
Most large financial institutions (more than 90%) check for counterfeit cards when authorizing ATM and POS transactions. To do this, they use card value code (CVC) and card verification value (CVV) data. Smaller card issuers, however, are 30 times more likely to be victims of this fraud because they tend not to check these data. The good news: The speed at which technology solutions for fighting this are advancing and "should keep the gap narrow and limit the extent of the phishing problem," Silva said.
|