Customers across India are asking themselves this question after an increase in the number of credit card frauds. Everyone knows at least one person whose card has been misused in the past few months.
Suneel Bandhu, a Mumbai executive received a message on his phone at 3pm on January 7, alerting him that he had used his Visa card issued by the Hongkong and Shanghai Banking Corp. Ltd's (HSBC's) Mumbai branch to buy $790.97 (around ` 42,633) worth of products at a Wal-Mart store in Romeoville, Illinois. A call from the bank followed to find out whether he was in the US or had given his card to someone who was. He answered in the negative to both the questions.
Instances such as this are becoming common, going by complaints on consumer rights' forum Grahak Seva , anecdotal evidence, the reaction of the banking regulator, and the number of complaints with so-called police cyber cells that deal with credit card fraud.
There has been a steady increase in fraud cases in the last one year, said Niket Kaushik, Additional Commissioner of Police, Crime, Mumbai. The government has started a training programme for officers across the country to help them deal with such cases, he said.
“We have been running a seven-day capsule course on cyber crimes for police stations across the country in association with NASSCOM. It's mandatory for police officers other than those who are already a part of the cyber crime cell to take the course,” he said. This has helped local police stations as they are now equipped to investigate cases related to cyber crime, including credit card fraud, without support from the cyber crime cell.
Various explanations have been proffered for the increase in instances of card fraud, including the fact that most overseas websites do not insist on either CVV or the additional “Secure” layer.
“In India, while all domestic transactions are authenticated through the Secure protocol, as per an RBI mandate, many international merchants do not use the Secure protocol for ‘card not present' transactions,” said an HSBC spokesperson.
None of these explanations is entirely satisfactory and experts say that the current situation reflects the inability of card issuers, banks, the regulator, and merchants to deal with card fraud. No one is safe.
Security experts say banks cannot claim to be hack-proof. “Even though Indian banks have done well to increase their security, there is no foolproof method to avoid hacking. Banks and users have to be continually vigilant,” said N. Jagannath Patnaik, Director, Channel Sales, South Asia, Kaspersky Lab, a maker of anti-virus software.
Indeed, almost two years back, in March 2011, Brian Krebs, who writes a blog on security, claimed that hackers had figured out a way to break 3D Secure (Visa) or SecureCode (MasterCard). “What's interesting is that the thieves could defeat these security systems by gathering personal data on victim cardholders, which they appear to have done here,” Krebs illustrated with screenshots on his blog in March 2011:
“3D Secure is a good marketing slogan. Of what use can it be if a user's machine is compromised?”
Card issuers don't agree. “With 3D Secure technology, the merchant is unable to see sensitive card details which are securely entered and verified directly with the issuing banks. The success of second-factor authentication in controlling e-commerce fraud in India has been noticed by other regulators around the world,” said Uttam Nayak, group country Manager, India and South Asia of Visa Inc.
“MasterCard has a comprehensive fraud management programme in place to protect consumers worldwide,” a spokesperson for the company said in an email. “We work closely with our banks to ensure that consumers are protected. When MasterCard determines that account data is at risk, we notify our customers to take action to protect cardholders. Cardholders are also protected by MasterCard's zero liability policy for protection against transactions that they did not authorize.”
Still, Nayak admitted that fraudsters were getting smarter. “In today's environment, we're all up against criminals who use increasingly sophisticated attacks to gain personal and sensitive information. As always, constant vigilance and consumer education remains a key component of personal security.”
Indeed, fraudsters seem to have moved on from basic techniques such as skimming. Online crooks are using far more sophisticated methods to gather information without being anywhere near the scene of the crime.
Some fraudsters send out millions of Trojans and even if 10% manage to reside undetected on a host computer, that means information on 100,000 cards, if not more. These are then sold as ‘card dumps' to international fraudsters with all the details, including the 3D password.
However, bank, merchant, and card issuer networks aren't as impermeable as they would like everyone to believe. In March last year, Visa and MasterCard said in the US that up to 1.5 million numbers had been stolen, technology website ZDNet reported. “Visa Inc. is aware of a potential data compromise incident at a third party entity affecting card account information from all major card brands. There has been no breach of Visa systems, including its core processing network VisaNet,” Visa said at the time, adding that in the US it follows a zero-liability fraud protection policy. MasterCard in its statement at the time said the breach had taken place at a US-based entity. ZDNet said the hack may have taken place between January 21 and February 25 last year and may involve more than 10 million compromised card numbers.
In June last year, a hacker with the Twitter handle Reckz0r claimed to have hacked 79 banks globally and gained access to more than 50 gigabytes of personal data. “Today's target is VISA & Mastercard, I will be only leaking a portion of the credit card information, as I cannot leak the entire data, it's too large....” The targeted banks were not named except US-based Chase Bank. As proof of the theft, details of 1,700 accounts were released and Reckz0r said this was a fraction of what he possessed. Reckz0r could not be contacted. However, global hacking group Anonymous said at the time that Reckz0r was taking credit for an old hack by a hacker collective known as Zero for Owned.
Visa and MasterCard together dominate the card payment system in India, with 96% being processed through their network, said A.P. Hota, Managing Director and CEO of National Payment Corporation of India (NPCI), set up by banks in 2008 as an “umbrella institution” for all retail payment systems in the country. “Visa is the highest with 60% of cards followed by MasterCard with 36%.” “American Express has 2.3% of cards. In terms of spends, Visa and MasterCard would be processing 99% of the transactions.”
India has a total of 333.2 million cards, both credit and debit. HDFC Bank Ltd has 6.21 million credit cards, followed by ICICI Bank Ltd with 2.82 million. State Bank of India-GE with 2.5 million credit cards and Citibank with 2.34 million credit cards were at number three and four as of December 2012, according to RBI's website.SBI Cards said that it hasn't detected any breach of its data. It also put forward the 3D Secure/SecureCode defence. “We quickly identify a common fraud trend and possible compromise point and pro-actively build fraud control strategy in our 24x7 globally acknowledged transaction monitoring tool so that transactions of our customers happen in a safe and secure environment and they are not inconvenienced in any way.”
Visa and MasterCard are promptly informed in such instances. “For the fraudulent transactions done in a non-3D Secure Internet environment, we usually have a charge-back recourse to the merchant ensuring the customer does not have to bear any loss.” Citibank said it is continuously boosting security with measures such as “Chip+PIN credit cards”. “The bank provides additional security in the form of second-factor authentication for e-commerce transactions and offers choice of static or dynamic passwords to the customers,” it said.
Bandhu's story had a happy ending. “As requested by the bank, I went to complain at the nearest branch. They were not surprised by the complaint.” HSBC told him he wouldn't be liable for the transaction and the money was credited back to his card account, the entry being identified as “Skim Cases SK”. A few days after he got the first text about the US transaction, Bandhu got an SMS from SBI Cards saying his MasterCard (issued by SBI-GE) was being blocked “as a precautionary measure to prevent misuse”. “This appears to be a preventive proactive step as I do not see any unauthorized transaction on this card yet.”
No comments:
Post a Comment