Recently, Chennai Police busted a huge card cloning racket, which ultimately forced ICICI Bank to recall lots of cards. And to make matters worse, an HR manager's bank account was wiped clean, with the account having only 600 INR as balance and the remainder, 54000+ INR, being transferred for online shopping by an unknown entity.
The reason for this is a simple one: most of the credit card companies, like MasterCard / Visa or Amex, do not have an additional authentication feature, and the only card which provides an additional authentication feature is the Maestro Card.
The users of Maestro card are protected against card-swipe crimes, because after the swipe, the card-holder has to input an additional security code, which is known only to the card holder.
The downside of this card is that it is available only for debit cards and not for credit cards. Nor is this card widely accepted, and very few online merchants have registered themselves to accept payments from this card. Hence the footprint of this card is very small.
Secondly, consumers/card holders are not aware of the additional safety provided by the Maestro Card.
The security which surrounds the transactions made by MasterCard / Visa card holders is based on merchant machine verification only. As a result, fake machines are not available in the market but fake cards are, as there is no way to verify that the card-holder has supervised the all-important card swipe.
After speaking with a few banks, I was made to understand that, upon request, we can convert our existing MasterCard / Visa to Maestro, but not all merchant outlets are in a position to accept this card. Whether Indian merchants or international merchants, it just doesn't matter.
Now something about the security features provided; but to understand this, we have to categorize our transaction methods:
A: Card Swipe
B: Internet based transactions
C: Mobile Banking
A: Card Swipe doesn't require the card holder to authenticate his card by entering an additional code, but he is supposed to authenticate the receipt. This effectively means that, in case the signature is wrong, the bank may decline the transaction, as the signature doesn't match. But in the past, many times I have provided a wrong signature and yet the merchant was able to claim his amount. So where do we stand? We need a credit card which has an authentication mechanism like the Maestro Card and at the same time is accepted all over.
The second crime is related to skimming, i.e. procuring card details from a swipe. Some merchants may deploy a card-reader device, also known as a skimmer, and swipe your card two times: first for the actual transaction and second for collecting your card details, which are further utilized by card cloning devices.
It may also happen that the POS terminals in a retail store are connected on a LAN and are authenticating the card via the Internet. It is up to the retailer whether they store the card details or not, but in case their system does get compromised, then every person who has taken all the precautions mentioned in this document (specifically related to the Card Swipe section only) is at risk. The best example of this type of crime is the intrusion into Heartland Payment Systems, in which data for 130 MILLION credit cards and debit cards was stolen.
B: Internet based transactions are the trickiest of all. The security for these transactions is manifold, and the card holder needs to have an innate understanding of the security procedures which have been put into place by the bank. These security procedures vary from bank to bank and may not always conform to the strictest standards, which is essentially the need of the hour.
As an Internet banking customer, you have to take certain precautions, which are outlined as follows:
1: OTP – One Time Password, is for a particular transaction during a specific session. Enable your Internet banking account to provide OTP.
2: IPIN – Internet PIN is different from APIN (ATM PIN). The IPIN will protect your account and is similar to an email password. Take precautions and keep the password difficult, and DO NOT ACCESS Internet banking from unknown PCs or cyber cafes or, as a matter of fact, not even from your friend's home PC. This IPIN is known only to the card holder.
3: Two factor authentication – This feature will send out an SMS containing a 6 digit code after a successful login has been initiated. Only those who have registered their mobile number and have access to the mobile number can access the account.
Due to this feature of Two-Factor Authentication, it is recommended never to store your IPIN, APIN, card number or account number on your phone. With the advent of smartphones this becomes difficult, but – safety first.
Not every bank offers this, hence be extra careful.
During online shopping or while conducting Internet based card transactions, it is imperative that you are on your bank's website before entering your card number or other details. Sounds confusing? Well, let me elaborate: the merchants provide the names of the banks or the type of activity (e.g. netbanking) based on your card type. After selecting the name of the bank, ensure that you are redirected to your bank's website. The bank's website should ask for your IPIN and account number, and the amount which will be deducted from your account should be displayed and verified. Many times merchants will take advantage of the bank's flaw in not displaying the amount to be deducted, and you will end up paying more.
Secondly, if you have chosen netbanking, then most probably you will be redirected to a payment gateway of a known bank, and from there you will be redirected to your bank's website, PROVIDED the bank has the IPIN feature and you as a customer have enabled it.
Nowadays, due to RBI's notification, most of the banks have enabled this feature, but since this is a new feature, some of the banks allow 2-3 transactions after which it is locked down, i.e. unless and until you register your account for IPIN, your account will not allow Internet banking.
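The redirect check described above, written out as a small Python routine that decides whether the address the payment flow landed on really belongs to the bank. This is an added example, not code from the original post; the domain examplebank.example and the sample addresses are hypothetical, constructed values.

```python
from urllib.parse import urlsplit

# Hypothetical bank domain; in practice, the one printed on your card or statement.
BANK_DOMAIN = "examplebank.example"

def check_bank_page(url, bank_domain=BANK_DOMAIN):
    """Return (ok, reason) for the address the payment flow landed on."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme != "https":
        return False, "not HTTPS"
    if parts.username is not None or parts.password is not None:
        return False, "text before '@' is not the host"
    if not host:
        return False, "no hostname"
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        return False, "internationalised look-alike risk"
    # Exact match or a true subdomain; a bare suffix test would accept
    # "myexamplebank.example".
    if host == bank_domain or host.endswith("." + bank_domain):
        return True, "bank domain"
    return False, "outside bank domain"

# Constructed sample addresses (not taken from any real incident).
SAMPLES = [
    "https://netbanking.examplebank.example/pay?amount=1500",
    "http://netbanking.examplebank.example/pay",
    "https://examplebank.example.secure-pay.example/login",
    "https://examplebank.example@secure-pay.example/login",
    "https://myexamplebank.example/login",
    "https://xn--exmplebank-1ya.example/login",
]

def audit(urls=SAMPLES):
    """Map each URL to its (ok, reason) verdict."""
    return {u: check_bank_page(u) for u in urls}

if __name__ == "__main__":
    for url, (ok, reason) in audit().items():
        print("OK  " if ok else "STOP", reason, url, sep="\t")
```

Only the first sample passes; the others show the usual ways a page can look like the bank's while being served from somewhere else.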
Enable your OTP, enable IPIN, enable Two factor authentication. Do not store your banking details on your mobile, because it can be stolen, and even if you have deleted the data there is a possibility that the data can be recovered.
Many of the financial institutions have KYC – Know Your Customer; times are such that we as consumers have to KYB – Know Your Bank.
Computers are vulnerable to various kinds of malware and viruses, and to make matters worse, some malware is written specifically to target banking customers. Hence, the card-holder should always ensure that an antivirus with an HTTP/S content scanner is being used; the antivirus should also have a phishing detection algorithm built in. Update your antivirus regularly and be an alert and responsible card-holder.
Some of the fake merchants may also try to entice you with the lowest prices; in these scenarios always use the option of Cash on Delivery. Never provide your residence address; provide your office address instead.
C: Mobile banking. For mobile banking users, only one word of caution – DO NOT SAVE / store passwords, and be aware of the fact that mobile viruses are on the rise, due to which you yourself are to blame if there is an intrusion in your account.
Even though limited technology is available to protect the consumer against card-swipe and Internet banking crimes, not everyone knows about it and not every bank / merchant supports it. It's a pity that even though this generation has woken up to credit card / online banking related crimes, banks and card providers offer almost nothing to protect our savings and investments.
In the past we used to wish everyone a Safe and Happy Diwali, due to firecracker related accidents, but now with credit card clones and Internet banking available, we at eScan, with this very thought in our minds –
Wish everyone a Happy and Safe Diwali