Banks are leaving customers prey to theft by failing to validate security codes from the magnetic stripe on the back of cash cards, IT industry analyst Gartner has warned.
Thieves who have conned customers into giving away account information using phishing techniques – fake bank e-mails requesting that recipients visit a website and enter their data – use the data to withdraw money from ATMs.
In a new report on US banking, Gartner estimates that this fraud cost $2.75bn (£1.55bn) in the 12 months to May.
Avivah Litan, vice president and research director at Gartner, said the fraudsters could steal from accounts using just the account number and PIN. “They succeed when the card-issuing bank is not validating security codes on the magnetic stripe of the card while authorising transactions,” she said.
“These security codes are stored on Track 2 of the magnetic stripe and include PIN offsets and Card Verification Value (CVV) codes. The codes link the physical card to the customer's account number.”
The magnetic stripe data is unknown to bank customers and so cannot be phished. But Litan added, “Surprisingly, perhaps as many as half of US-based financial institutions are not validating Track 2 security data while authorising ATM and PIN debit transactions.
“Most of these institutions are unaware that they, or the outsourced ATM transactions processor they rely on, should be doing so.”