/ciol/media/agency_attachments/c0E28gS06GM3VmrXNw5G.png)
Follow UsAndy Sullivan
WASHINGTON: An unprecedented wave of Internet-based bank fraud has been enabled in part by banks that don't bother to check security codes on cash cards, according to a report.
Roughly half of U.S. banks in recent years have stopped checking codes embedded in the magnetic stripe of ATM and debit cards, making it easier for online con artists to suck cash out of consumers' accounts, Gartner Inc. analyst Avivah Litan said.
"The only reason they don't check these things is because they forgot about it," Litan said. "Really, I'm furious."
Litan found that con artists took $2.75 billion in cash from bank accounts over the past 12 months, often by tricking consumers to reveal their bank-account numbers and passwords in a technique known as "phishing."
Banks usually cover consumer losses due to fraud. About 70 percent of those losses could have been prevented if banks had verified magnetic-stripe information rather than relying only on account numbers and passwords known by consumers, Litan said.
But that would make it more difficult for customers to change their PIN numbers when they're worried about fraud, as they'd have to come into a branch office rather than simply picking up the phone or logging on to the bank's Web site, she said.
Another security code, the three-digit CVV code printed on the back of the card, can be easily guessed by fraud artists using an automated "brute force" attack, she said.
Litan based her report on a survey of 5,000 consumers conducted in May and discussions with industry professionals.
An industry spokesman questioned the accuracy of the report and said that banks rather than consumers had a better idea of the scope of the problem.
Banks themselves reported $700 million in fraud from debit cards and personal checks in 2003 and that figure has since fallen, said Nessa Feddis, senior federal counsel at the American Bankers Association.
During the period covered by the report, the 32 largest banks have all verified magnetic-stripe information, Feddis said.
"There are definitely financial institutions that were not checking it," said Dave Jevans, chairman of the Anti-Phishing Working Group. "I know some weren't this year. When they figured it out, it made a positive impact for them."