Report: Banks Make Theft Easy for Phishers

U.S. banks are putting customer convenience ahead of security and, in the process, making it much easier for online "phishers" to create counterfeit bank cards, according to a Gartner report. And with the Internet now a common source of stolen account information, phishers are accounting for a growing portion of the estimated $2.75 billion in annual losses that bank card abuse is costing U.S. banks, the Stamford, Connecticut, research firm said.

Though U.S. banks are aware that both bank card fraud and phishing--the criminal practice of tricking people into entering confidential information into fake Web sites--are problems, the link between these two phenomena is not always well understood, said Avivah Litan, a Gartner vice president and research director.

And with bank card fraud on the rise, this can make things harder on the victims of identity theft, she said.

"It's a nightmare for consumers, and they don't always get their money back," she said. "Some banks say, 'We have no proof that a criminal did this.'"

Easy Phishing?

Part of the problem is that about half of U.S. banks no longer use a security feature that would make phishing attacks much less effective, Litan said.

At a minimum, banks in the U.S. require an account number and personal information number in order for funds to be withdrawn from an account. But banks are also capable of storing on a card's magnetic strip a third number, unknown to the consumer, that can be used to further authenticate its validity.

Though this third number, called a PIN offset, was widely used when cash machine cards were first introduced, only about one half of U.S. banks still use this type of security today, because it generally requires that a card be brought into the bank every time its PIN number is changed. Customers prefer to be able to change their PIN numbers via telephone, and so many U.S. banks have simply dropped the PIN offset, she said.

The unintended side-effect of this change is that things are now much easier for phishers, who no longer need to read that third number directly from bank cards to make counterfeits.

Attacks on the Rise

Based on a survey of 5000 U.S. adults conducted in May, Gartner estimates that about 3 million U.S. consumers were the victims of bank card fraud over the past year. The most common way for thieves to get access to bank card information was either by stealing a wallet, or stealing information from the Internet, Litan said.

Phishing is particularly popular among cash machine card fraudsters, she said. "I would say it's probably the cause of 70 percent of (cash machine card) fraud," Litan said.

That may be one reason why phishing attacks have been on the rise lately.

E-mail security vendor Postini said that e-mail containing links to phishing Web sites reached an all-time high in July. The company intercepted more than 19 million phishing emails during the month, nearly double the amount that it saw in April of this year.

"We have seen it start to ratchet up," said Andrew Lochart, a senior director of marketing at Postini. In April, his company intercepted 9.7 million phishing e-mails, he added.

Skilled Spammers

Still, phishing spam accounts for a relatively small percentage of the 8 billion e-mail messages that Postini quarantines and examines every month, he said.

"It's a harder kind of spam to engage in," Lochart said. "You have to make your message look good and you have to craft a landing page that you're going to direct the victim to. . . . It's harder than blasting out a million copies of a spam for toner cartridges or preapproved mortgages."