It's supposed to be impossible. Criminals aren't supposed to be able to print their own ATM cards and withdraw funds from your bank accounts at cash machines.
But a new report from the research firm Gartner Inc. says many banks are skipping an important security check, which makes it easier for criminals to forge ATM cards and walk off with thousands of dollars at a time.
Researcher Avivah Litan, author of the Gartner report, says one bank told her it had lost $1 million a month to such fraud. She said that payment processors have told her that up to half of all banks don't check to see if the ATM card used to withdraw money is really the ATM card they gave the consumer.
"Until recently ATM fraud was fairly limited," Litan said. "This is a pretty new phenomenon that has caught banks off guard."
Litan composed her research note after conversations with several bank security experts while investigating cash machine fraud.
While some banking experts agree with Litan's conclusions, others say the problem is minimal, or contend the problems she cites have been fixed.
But the fraud is serious, says Tony Hayes, an ATM analyst with Dove Consulting -- serious enough to be the first real challenge to the PIN-based security of ATM cash machines.
Withdrawals with cloned cards are known as "white card" fraud in the banking industry, because stolen data are loaded onto the back of blank, white plastic cards that look like credit cards. Encoders that write data to the magnetic stripe on blank ATM cards are readily available and sell for as little as $50 on the Internet. They have legitimate purposes, such as for businesses that create consumer loyalty cards or make hotel keys, but, in the right hands, can be used to forge cards.
Often, cloned ATM cards are the end result of a successful phishing e-mail, which tricks a consumer into divulging a PIN and account number. Numbers can also be obtained from receipts or "shoulder surfing" for PIN codes. But that information shouldn't be enough to let an ATM card be forged. Still, card hackers are making off with cash all around the world, experts claim.
Consumers aren't liable for criminal withdrawals from their accounts through ATM machines, but they must report the fraud within 60 days of receiving their bank statements. Otherwise, they have no legal right to a refund. And getting a refund for a fraudulent cash withdrawal is not as easy as disputing a fraudulent credit card charge. Consumers are out the money until it's refunded by the bank -- as opposed to a credit card dispute, in which the consumer never lays out funds.
"Consumers do get their money back, but until they do, they have no assurances. And it's incredibly disruptive to their daily life," Litan said.
How cards are cloned
For years, special security codes have been embedded in the magnetic stripes on the back of every ATM card -- secrets that allow the bank to verify the authenticity of the plastic being inserted into ATM machines. But many banks don't bother checking the codes, experts say. Instead, they rely on correctly-entered PINs to prove the ATM card is authentic.
But with the widespread success of phishing e-mails, which appear to come from banks and sometimes trick consumers into divulging account numbers and PINs, forgers are having an easy time getting the data they need to print up fake ATM cards.
The combination of stolen data and the lapsed security checks allows criminals to raid ATM machines, Litan says. Hackers generally know which banks aren't doing the checking, and call the easy targets "cashable," industry insiders say.
Until recently, most banks believed they didn't need to check the extra security information, because the PIN requirements limited fraud, Hayes said. "Most banks believed it was a very secure mechanism, and they were right," he said. "The level of fraud on ATMs has been historically minuscule."
But in the past twelve months, Hayes said, white card fraud has risen steadily thanks to phishing attacks. Individual bank losses are "in the millions, if not tens of millions," he said.
"This PIN mechanism that has worked so well for 30 years, this is the first time it has been seriously challenged," Hayes said. "It's a global phenomenon."
Because the ATM network operates around the world, withdrawals from a U.S. bank account, for example, are not limited by geography. "You'll see all of the sudden all these transactions coming from Romania. These crooks are incredibly smart," Hayes said.
ATM fraud rates rising
Nessa Feddis, senior federal counsel at the American Bankers Association, said U.S. banks she's spoken to concede there was a problem with white card fraud in the recent past, but say they've largely defeated it. She suggested information in the Gartner report about white card fraud was outdated.
"About a year ago ... they did see some problems with debit cards," Feddis said. "They all now say they do check the security code on magnetic stripes and debit card losses are significantly down. This study may be based on old data ... They all seem to be verifying the code now and losses are down significantly."
But another financial industry trade group, the Anti-Phishing Working Group, said white card fraud is still a real issue for banks.
"Yes, it's happening," said Dave Jevans, a spokesman for the group, which is sponsored by Visa, Mastercard, and other financial firms, along with a host of software companies. "It stands to reason if you can phish somebody's ATM and PIN you can make an ATM card and make withdrawals if the mag stripe security information is not being checked."
It's hard to peg just how common white card fraud is. In a separate report published in June, Gartner's Litan estimated that $2.75 billion has been stolen from 3 million bank accounts through various kinds of ATM and debit card fraud in the past 12 months. That report was based on a consumer survey.
Banks are tight-lipped about the problem. But there are signs that ATM fraud has increased around the world. Last year, the Association of Payment Clearing Services in the United Kingdom announced that counterfeit ATM card fraud had cost the banks $230 million in 2004, up from about $195 million last year. Jemma Smith, a spokeswoman for the association, says UK banks have largely stemmed the tide of counterfeit ATM fraud by introducing new cards that include a computer chip for extra identification.
Hidden security code
The magnetic stripe on the back of a credit card is similar to magnetic tape used for cassette recordings, or to back up computer data. Every ATM card stripe is loaded with a three-digit security code, known as either CVV (Card Verification Value) or CVC (Card Verification Code). The characters are different from the CVV2 value that's actually printed on the card, and often requested of consumers when shopping online.
These CVV or CVC codes are invisible to consumers, so they can't be tricked into divulging the information. The secret data is supposed to prove the plastic inserted into an ATM machine is really the plastic issued to the consumer by the bank.
But many banks don't check the codes. They just skip the process, assuming that if the PIN is accurate, the card must be authentic.
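As an added illustration (not code from the Gartner report or from any bank's system), the Python example below shows why a card forged from a phished account number and PIN is approved when the issuer checks only the PIN, and declined once the stripe code check is turned on. The Track 2 layout placing the three-digit code first in the discretionary data, the HMAC stand-in for the issuer's real code derivation, the key and the card number are all assumptions constructed for the example.

```python
import hashlib
import hmac
import re

# Constructed issuer secret; a real issuer keeps its verification keys in an HSM.
ISSUER_KEY = b"constructed-demo-key"
# Track 2 layout: ;PAN=YYMM + 3-digit service code + discretionary data + ?
# Assumption: the first three discretionary digits carry the stripe code.
TRACK2 = re.compile(r"^;(\d{12,19})=(\d{4})(\d{3})(\d{3})\d*\?$")

def stripe_code(pan, expiry, service):
    """Stand-in for the issuer's CVV/CVC derivation (HMAC, not the real algorithm)."""
    mac = hmac.new(ISSUER_KEY, f"{pan}{expiry}{service}".encode(), hashlib.sha256)
    return f"{int.from_bytes(mac.digest()[:4], 'big') % 1000:03d}"

def encode_track2(pan, expiry, service, code):
    return f";{pan}={expiry}{service}{code}?"

def authorize(track2, pin_ok, check_stripe_code):
    """Return (approved, reason) for a withdrawal request."""
    m = TRACK2.match(track2)
    if m is None:
        return False, "malformed track 2"
    pan, expiry, service, code = m.groups()
    if not pin_ok:
        return False, "bad PIN"
    # The step many issuers skipped: recompute the code and compare.
    if check_stripe_code and not hmac.compare_digest(
        code, stripe_code(pan, expiry, service)
    ):
        return False, "stripe code mismatch"
    return True, "approved"

# Constructed sample data (test card number, not a real account).
PAN, EXPIRY, SERVICE = "4000001234567899", "0712", "120"
GENUINE = encode_track2(PAN, EXPIRY, SERVICE, stripe_code(PAN, EXPIRY, SERVICE))
# A white card built from phished data: the consumer never saw the stripe
# code, so the constructed clone carries a value that differs from the issuer's.
WRONG = f"{(int(stripe_code(PAN, EXPIRY, SERVICE)) + 1) % 1000:03d}"
CLONE = encode_track2(PAN, EXPIRY, SERVICE, WRONG)

if __name__ == "__main__":
    for label, track in (("genuine", GENUINE), ("clone", CLONE)):
        for check in (False, True):
            print(label, "check on" if check else "check off",
                  authorize(track, pin_ok=True, check_stripe_code=check))
```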
"Banks are not checking the magnetic stripe data as they should ... It's not clear why," Litan said. "It's not an expensive process. It doesn't add much to the cost of the transaction."
Jevans said most banks just didn't think it was necessary until recently.
"Tons of people don't set up their ATMs to check (the security codes)," he said. "They never thought to turn it on. It was never a problem."
Banks targeted by such fraud can spend months trying to figure out what's happening, Litan said. But once they do, adding the security code check stops the thieves cold, she said.
"They are often quickly able to stop the crime with a relatively simple solution," she said. Would-be thieves then just move to the next "cashable" bank.
SunTrust Bank Inc. ATMs were described as "cashable" until last December in an online bulletin board devoted to ATM fraud. On the bulletin board pages, described by a bank security expert as a discussion between con artists talking about ATM white card fraud, criminals lament SunTrust's upgrade.
"Hey everyone. Again, really bad news," one bulletin board participant writes. "SunTrust is not cashable anymore, anywhere in the world. So I think we should start some other banks."
Responding to a question regarding the bulletin board, Hugh Suhr, a spokesman for SunTrust, said: "(We) don't have any input as this appears to pertain to security-related matters and we don't publicly discuss as we see that as counterproductive to those efforts."
Going after smaller fish
Jevans, of the Anti-Phishing Working Group, says most big U.S. banks have fixed the problem. "The bigger guys are way farther ahead on these things. So the bad guys move on to smaller targets who are less sophisticated," he said.
A spokesman for a small-bank interest group denied white card fraud was a problem for those institutions.
"We're not seeing much if any of this," said Dave Petro, executive vice president for the Independent Community Bankers Association Bankcard division, which helps smaller banks process ATM transactions. "Eight or nine years ago there were some programs that didn't do CVC or CVV validations, but they do that validation now. ... I wouldn't be surprised that some of the smaller processors may not be doing it. But I would be very surprised, shocked if it was widespread."
Either way, there's not much consumers can do to protect themselves, other than follow the standard advice: don't reveal your PIN to anyone, even over e-mail; and check your bank statement each month for signs of fraud.
In this case, it's up to banks to turn up the protection, Litan said. Implementing the added step of checking all the magnetic stripe information will largely stop the crime, she said.
But Feddis said the cat-and-mouse game with criminals will simply continue.
"Nothing is infallible," she said. "First there were cards with account numbers, then magnetic strips, then we put holograms on the cards. You are always trying to stay one step ahead."
Bob Sullivan is author of Your Evil Twin: Behind the Identity Theft Epidemic