Magnetic-Stripe Data Underused, ATM Report Finds (corrected)

Banks are losing $1 million a month to scams targeting automated teller machine cards, but many of these crimes could easily be thwarted using security features already built into the cards, a report says.


The report’s author, Avivah Litan, a vice president and research director at the Stamford, Conn., market research firm Gartner Inc., estimates that only half of all U.S. banks are using the features written on one of the tracks on an ATM card’s magnetic stripe.

The first track, which all banks use, includes the customer’s name, the card number, and the expiration date. If a bank’s ATMs read only the first track, a criminal needs only that information to manufacture a counterfeit card, according to the report, which Gartner will release today.

The second track includes additional data that is not revealed to the customer, such as the PIN offset number, which is used to verify a customer’s PIN, and the Card Verification Value.

Some bankers say that using the data on the second track poses a classic argument of convenience versus security.

Mike Marzac, the manager of electronic banking at First Horizon National Corp. of Memphis, said the bank does not use the PIN offset number to verify cards, because doing so presents customer service issues.

Because the PIN offset number must be changed at a branch or by the card manufacturer, banks that use the number cannot offer some common ATM card management services, Mr. Marzac said. For example, “if you allow a customer to change their PIN at an ATM, an Internet banking site, or … [by phone], you can’t put that PIN offset” on the stripe.

First Horizon lets its customers change their PIN online or by phone, he said.

However, it does use the CVV to verify that a card is not counterfeit, Mr. Marzac said. Customers do not know that code, so they cannot inadvertently reveal it, he said. (The code is different from the CVV2 code, which is printed on the card and is commonly used to authenticate online purchases.)

In an interview last week, Ms. Litan said that phishers, who ask for ATM card numbers and other personal information in fake e-mails and on Web sites that impersonate bank sites, know which banks, and even which customers, to target.

“When you do ATM fraud, you can’t go to the ATM a million times with a million cards,” Ms. Litan said. “The crooks know exactly which banks check their mag-stripe data. The crooks know it better than the banks do.”

Banks can stop much of this fraud by using any of the features written on the second track of ATM cards, she said. “It’s just so easy to turn it on.” The banks can also write their own authentication codes for their cards, she said.

But Mr. Marzac said that even second-track data can be stolen by criminals who install readers on ATMs to steal the information when customers swipe their cards.

“With the escalating fraud, we need to look at more secure ways of validating cards because the criminals out there are pretty adept at getting entire track 2 information,” he said.

Rob Drozdowsky, the vice president of payments and technology policy for America’s Community Bankers, said that when people use ATMs that do not belong to their bank, the authentication process may be handled by the ATM network operator.

In some fraud cases, the banks determined that the networks had authorized the transaction and had not been looking at the data on the second track, he said. “All cards have these features,” but some networks do not check for them.

