The findings were collected from a survey of 5,000 adults in the U.S. and covered the 12-month period ending in May.
The study showed that online criminals are stealing banking account data and passwords through phishing and keystroke logging attacks, and using the data for online bank transactions or shopping, or to create counterfeit cards. The average loss was more than $900.
"Criminals sometimes counterfeit ATM/debit cards with just account numbers and PINs in hand, and they can use this stolen information at ATMs to withdraw cash from a cardholder's account," Avivah Litan, Gartner security analyst, said in a statement. "They succeed when the card-issuing bank is not validating security codes on the magnetic stripe of the card while authorizing transactions."
Those security codes are stored in Track 2 of the magnetic stripe and link the physical card to the customer's account number, she said. About half of U.S.-based financial institutions are not validating that data while authorizing bank debit transactions, she said.
Banks can prevent attacks by modifying their ATM host systems to check for the security data, according to Litan. The Track 2 data is unknown to bank customers so it cannot be phished, and criminals generally cannot duplicate it.