By failing to scan security codes in the magnetic strips on ATM and debit cards, many banks are letting thieves get away with an increasingly common fraud at a cost of several billion dollars a year.
A report Tuesday from Gartner Inc., a technology analyst firm, estimates that 3 million US consumers were victims of ATM and debit-card fraud in the past year.
The fraud most commonly begins when a criminal engages in "phishing" -- sending a legitimate-seeming e-mail with a link to a phony Web site that appears to belong to a consumer's bank, Gartner analyst Avivah Litan believes. The e-mail recipients are asked to give their account information, including PIN numbers.
With that information "harvested," fraudsters can make their own cards for automated teller machines and withdraw huge sums.
This should be easily preventable, because the magnetic strips on cards contain multiple tracks. One track has data such as the user's name and account number. A second track contains special security codes that card users don't know. That means the information can't be squeezed out of them in a phishing attack.
Duplicating the codes would require inside knowledge of a bank's security procedures, Litan said. (The inclusion of another kind of security code in records held by a credit and debit card processor, CardSystems Solutions Inc., made that company's massive data breach disclosed this spring especially dangerous.)
Surprisingly, Litan said, perhaps half of US financial institutions have not programmed their ATM systems to check the security codes. Con artists specifically seek out customers of banks that do not validate the second track on the strip, she said.
Litan believes many banks simply didn't know about the vulnerability. Others may have once scanned the codes but stopped because using the codes requires that customers go to a bank and have an ATM card rewritten whenever they want to change their PINs.
That was a costly step that many banks figured they could avoid in pre-phishing days when ATM fraud was rare.
"It's not negligence," Litan said. "It's just kind of being asleep at the wheel when business is running smoothly, and then you get hit."
Gartner estimates that annual losses from ATM fraud total $2.75 billion, or $900 per incident. Most of that is covered by the financial institutions that issued the hacked cards, but consumers sometimes have to struggle with bounced checks and other inconveniences when a criminal raids a bank account.
Although fixing the security hole is straightforward, it might not solve everything.
One of the codes is only three digits, meaning hackers can use brute-force attacks -- trying every possible combination -- over some online systems. Litan advises banks to lengthen the codes on newly issued cards.
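As an added example (not from the article, Gartner or any bank), here is a toy issuer-side simulation of the two points above: a bank that checks only PAN and PIN accepts a card written from phished data, while one that recomputes the second-track code rejects it and locks the account after a handful of bad guesses, which is what blunts brute-forcing a three-digit code. The HMAC derivation, key, PANs and PINs are constructed stand-ins, not the real card-verification algorithm.

```python
import hmac
import hashlib

# Added example (not from the article): an issuer-side simulation of why
# validating the second-track code defeats cards cloned from phished data.
# Real card verification values are derived with issuer-held DES keys; the
# HMAC below is a stand-in with the property that matters here: the code
# cannot be computed without the issuer's secret. All values are constructed.
ISSUER_KEY = b"constructed-issuer-key-placeholder"
MAX_FAILURES = 5  # lock the account after this many failed checks

def derive_code(pan, expiry, digits):
    """Issuer-side derivation of the second-track verification code."""
    mac = hmac.new(ISSUER_KEY, f"{pan}|{expiry}".encode(), hashlib.sha256).digest()
    return str(int.from_bytes(mac, "big") % 10 ** digits).zfill(digits)

def issue_card(pan, name, expiry, digits=3):
    """Genuine card: track 1 holds what the cardholder knows, track 2 a code they don't."""
    return {"track1": {"pan": pan, "name": name},
            "track2": {"pan": pan, "expiry": expiry, "code": derive_code(pan, expiry, digits)}}

def clone_from_phished_data(pan, name, expiry, guessed_code="000"):
    """Card a fraudster can write from phished details: the track-2 code is only a guess."""
    return {"track1": {"pan": pan, "name": name},
            "track2": {"pan": pan, "expiry": expiry, "code": guessed_code}}

def authorize_pin_only(card, pin, pin_db):
    """Bank that never reads the second track: PAN + PIN is all it checks."""
    return pin_db.get(card["track1"]["pan"]) == pin

class Issuer:
    """Bank that also recomputes the track-2 code and locks out repeated failures."""

    def __init__(self, pin_db):
        self.pin_db = pin_db
        self.failures = {}

    def authorize(self, card, pin):
        t2 = card["track2"]
        if self.failures.get(t2["pan"], 0) >= MAX_FAILURES:
            return False  # locked: a 3-digit code has only 1000 values, so cap the guesses
        expected = derive_code(t2["pan"], t2["expiry"], len(t2["code"]))
        ok = self.pin_db.get(t2["pan"]) == pin and hmac.compare_digest(t2["code"], expected)
        if not ok:
            self.failures[t2["pan"]] = self.failures.get(t2["pan"], 0) + 1
        return ok
```

Lengthening the code (the `digits` argument) enlarges the guess space, which is the change Litan recommends for newly issued cards.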
A separate report Tuesday by the corporate services unit at International Business Machines Corp. noted a surge in Internet attacks that facilitate bank fraud, including phishing and the surreptitious installation of keystroke-logging programs that copy what a computer user types.
Network monitoring by IBM and other organisations led IBM to determine that, in the first half of this year, criminals sent 35 million e-mails designed to steal financial data.
Criminals are increasingly engaging in "spear phishing," a targeted attack at a specific person or organisation known to be vulnerable, IBM security analyst Jeremy Kelley said. That makes the phishers harder to detect and shut down.
Hackers demonstrate their skills in Vegas
Even the ATM machines were suspect at this year's Defcon conference, where hackers play intrusion games at the bleeding edge of computer security.
With some of the world's best digital break-in artists pecking away at their laptops, sending e-mails or answering cell phones could also be risky.
Defcon is a no-man's land where customary adversaries -- feds vs. digital mavericks -- are supposed to share ideas about making the Internet a safer place. But it's really a showcase for flexing hacker muscle.
This year's hot topics included a demonstration of just how easy it may be to attack supposedly foolproof biometric safeguards, which determine a person's identity by scanning such things as thumb prints, irises and voice patterns.
Banks, supermarkets and even some airports have begun to rely on such systems, but a security analyst who goes by the name Zamboni challenged hackers to bypass biometrics by attacking their back-end systems and networks. "Attack it like you would Microsoft or Linux," he advised.
Radio frequency identification tags -- which send wireless signals and are used to track a growing list of items including retail merchandise, animals and US military shipments -- also came under scrutiny.
A group of twenty-somethings from Southern California climbed onto the hotel roof to show that RFID tags could be read from as far as 69 feet. That's important because the tags have been proposed for such things as US passports, and critics have raised fears that kidnappers could use RFID readers to pick traveling US citizens out of a crowd.
RFID companies had said the signals didn't reach more than 20 feet, said John Hering, one of the founders of Flexilis, the company that conducted the experiment.
"Our goal is to raise awareness," said Hering, 22. "Our hope is to spawn other research so that people will move to secure this technology before it becomes a problem."
Erik Michielsen, an analyst at ABI Research, chuckled when he heard the Flexilis claims. "These are great questions that need to be raised," he said, but RFID technology varies with the application, many of which are encrypted. Encryption technology uses an algorithm to scramble data to make it unreadable to everyone except the recipient.
Also on hand at the conference was Robert Morris Sr., former chief scientist for the National Security Agency, to lecture on the vulnerabilities of bank ATMs, which he predicted would become the next "pot of gold" for hackers.
The Internet has become "crime ridden slums," said Phil Zimmermann, a well-known cryptographer who spoke at the conference. Hackers and the computer security experts who make a living on tripping up systems say security would be better if people were less lazy.
To make their point, they pilfered Internet passwords from convention attendees.
Anyone naive enough to access the Internet through the hotel's unsecured wireless system could see their name and part of their passwords scrolling across a huge public screen.
It was dubbed "The Wall of Sheep."
Among the exposed sheep were an engineer from Cisco Systems Inc., multiple employees from Apple Computer Inc. and a Harvard professor.
An annual highlight of the conference is the "Meet the Feds" panel, which this year included representatives from the FBI, NSA and the Treasury and Defense departments. Morris and other panel members said they would love to hire the "best and brightest" hackers but cautioned that the offer wouldn't be extended to lawbreakers.
During the session, Agent Jim Christy of the Defense Department's Cyber Crime Center asked the audience to stand.
"If you've never broken the law, sit down," he said. Many sat down immediately -- but a large number appeared to hesitate before everyone eventually took their seats.
"OK, now we can turn off the cameras," Christy joked.
Some federal agents were indeed taking careful notes, though, when researcher Michael Lynn set the tone for the conference by publicizing earlier in the week a vulnerability in Cisco routers that he said could allow hackers to virtually shut down the Internet.
Lynn and other researchers at Internet Security Systems had discovered a way of exploiting a Cisco software vulnerability in order to seize control of a router. That flaw was patched in April, but Lynn showed that Cisco hadn't quite finished the repair job -- that the same technique could be used to exploit other vulnerabilities in Cisco routers.
Cisco and ISS went to court to try to stop Lynn from going public, but Lynn quit ISS and spoke anyway. In the wake of his decision, Lynn has become the subject of an FBI probe, said his attorney Jennifer Granick.
Many at the conference praised Lynn.
"We're never going to secure the Net if we don't air and criticize vulnerabilities," said David Cowan, a managing partner at venture capital firm Bessemer Venture Partners.
And the vulnerabilities are plenty.
During his session on ATM machines, Morris said thieves have been able to dupe people out of their bank cards and passwords by changing the software in old ATM machines bought off eBay for as little as $1,000 and placing the machines out in public venues.
Additional input by Greg Sandoval in Las Vegas.