Some Experts Question Gartner’s $2.75 Billion Debit Fraud Estimate

A major research firm's estimate this week that fraud losses on debit cards in the U.S. hit an estimated $2.75 billion for the 12 months ending in May might have struck a nerve, especially in the absence of hard data on the problem, but it also has experts raising questions about the number and some of the firm's other conclusions. According to a report this week from research and consulting firm Gartner Inc., Stamford, Conn., many banks?up to 50%?have, at least until recently, failed to employ all the security features on a debit card's magnetic stripe during authorizations, providing an opening for fraudsters to access victims' demand-deposit accounts. These features include the Card Verification Code (CVV), a three-digit security code. “Criminals sometimes counterfeit ATM/debit cards with just account numbers and PINs in hand and use these at ATMs to withdraw cash because the card-issuing bank is not validating security codes on the magnetic stripe of the card while authorizing transactions,” the report says. “These codes are stored on track 2 of the magnetic stripe and include PIN offsets and Card Verification Value (CVV) codes. They bind the physical card to the customer's account number. Surprisingly, many?perhaps as many as half of?financial institutions are not validating Track 2 security data while authorizing ATM and PIN debit transactions, and they are unaware that they, or their outsourced processor, should be doing so.” But some in the card industry question Gartner's conclusions. After news accounts of the Gartner report came out, Jerry Silva, service director for the retail banking and delivery channel practices at TowerGroup, a Needham, Mass.-based research firm now owned by MasterCard International, says he talked to four major banks representing about one-third of the nation's bank-owned ATMs. “They all check CVV when authorizing a transaction,” Silva says. He would not identify the banks. Avivah Litan, vice president and research director at Gartner, counters that some big banks?she won't identify them?did not check the CVV until eight or 10 months ago in the wake of the boom in phishing, the use by fraudsters of Web sites that mimic banks' real Web sites in an effort get consumers to divulge private personal and financial information, including PINs. Many small banks are only now catching up, she says. “It's a recent phenomena that they've all started checking,” she says. Gartner arrived at its fraud-loss estimates based on responses from 5,000 online consumers demographically representative of the U.S. online population. The survey covered several varieties of fraud and asked consumers if they had been subject to unauthorized use of their debit cards. Debit card fraud includes fraud on both signature-based and PIN-based debit cards for use at automated teller machines and at the point of sale. Based on the responses, Gartner estimates that 3 million Americans were victims of debit card fraud over the year ending in May, and pegs the average loss at about $900, or $2.75 billion in all. The survey has a margin of error of plus or minus three percentage points, according to Litan. But another TowerGroup analyst, John Gould, director of bank card research, questions the estimate of $2.75 billion in debit card losses when worldwide credit card fraud is about $2.5 billion a year, he estimates. Credit cards typically have higher fraud rates than debit cards. “I believe those (Gartner) numbers are grossly inflated,” he says. Litan defends the validity of the survey and notes that retailers, banks, and other entities all have their own ways of estimating fraud. “You can question my numbers, that's fine,” she says. “There's no way to get a handle on fraud because no one reports it comprehensively.” Indeed, Gartner's is only the latest study that shows the difficulty in getting an accurate picture of card fraud, especially when it's linked to relatively new forms of criminal activity such as identity theft. Some experts have claimed the Federal Trade Commission overstates the extent of identity theft because the agency has used consumers' self-reported incidents of crime. Many consumers now label as identity theft old-fashioned forms of card fraud that card-industry security veterans would not consider to be true ID theft.