A debate is on in the financial services industry regarding how much of an impact phishing — or soliciting customer information through the Internet for the purpose of fraud — is having on ATM and point-of-sale (POS) debit card locations. TowerGroup believes there is a misconception in the marketplace that ATM / debit fraud from phishing is a runaway phenomenon.
TowerGroup believes the true effect is minimal, with less than 1% of fraud losses in the ATM and POS channels actually coming from phishing- based fraud.
Based on recent discussions with the largest card-issuing US banks, TowerGroup estimates that, on average, one out of 15,600 ATM and POS debit transactions today are fraudulent, almost all of which originates from stolen cards and card skimming. Given an annual ATM and PIN-based POS transaction volume of just over 17 billion in the US last year, this means there were just over 1.1 million fraudulent debit transactions in 2004. TowerGroup believes that withdrawal and debit purchase limits on retail accounts helped to restrict total ATM and POS fraud losses to not more than $990 million in the US in 2004.
In order to successfully create plastic cards, which could be used to retrieve cash at the ATM, criminals need to recreate the Code Verification Value (CVV) or Card Validation Code (CVC), authentication codes created by Visa and MasterCard. TowerGroup estimates that over 90% of the top 100 banks in the US check for CVV and CVC today.
“Although fraud from phishing, across all channels, is a serious crime, and one that has the potential to cause great damage to its victims, the dollar loss to the industry it is a relatively small problem,” said Jerry Silva, service director of the Retail Banking and Delivery Channels research services at TowerGroup. “We estimate the dollar loss from fraud that originates in phishing at $81 million annually in the US, across all areas.”